The Ultimate Guide to Configuration: Harden Your NGINX Configuration
As a web server administrator, configuring your NGINX setup is crucial for security and performance. In this comprehensive guide, we’ll walk you through the essential steps to harden your NGINX configuration.
Why Harden Your NGINX Configuration?
NGINX is an incredibly popular web server due to its high performance, stability, and scalability. However, a poorly configured setup can lead to security vulnerabilities and performance issues. Hardening your NGINX configuration ensures:
- Security: Protect against common attacks like SQL injection, cross-site scripting (XSS), and file inclusion.
- Performance: Optimize server resources and improve page load times.
Step 1: Set Up a Secure Directory Structure
By default, NGINX stores its configuration files in /etc/nginx. To improve security, create separate directories for your configurations:
bash
sudo mkdir /etc/nginx/conf.d
sudo mkdir /etc/nginx/sites-available
Move the original nginx.conf file to /etc/nginx and create a symbolic link to /etc/nginx/conf.d/default.conf.
Step 2: Configure User and Group
NGINX should run as a non-root user. Create a new user and group for NGINX:
bash
sudo useradd -r -s /usr/sbin/nologin nginxuser
sudo groupadd nginxgroup
Set the ownership of the /var/www directory to nginxuser:nginxgroup.
Step 3: Secure User Authentication
Restrict access to sensitive areas by configuring user authentication:
bash
sudo apt-get install libpam-ldapd
Configure PAM (Pluggable Authentication Modules) to use LDAP or Active Directory for authentication.
Step 4: Set Up Rate Limiting and IP Blocking
Protect against brute-force attacks using rate limiting and IP blocking:
“`bash
http {
…
http { # rate limiting and ip blocking
limit_req_zone $binary_remote_addr zone=rate:10m rate=10r/m;
limit_conn_rate 5;
limit_req_burst 5;
limit_conn_max 5;
limit_conn rate $binary_remote_addr;
limit_conn rate 50;
}
}
“`
Step 5: Secure Uploads
Protect against upload vulnerabilities by configuring secure uploads:
“`bash
sudo apt-get install libgd2-xpm-dev
http {
…
server {
# secure uploads
client_max_body_size 1m;
location /upload {
autoindex on;
types { # Allow specific file extensions
application/octet-stream .zip;
application/x-tar .tar;
}
alias /path/to/uploads; # Upload directory
if ($request_method = PUT) {
return 403;
}
}
# restrict access to upload directory
location /uploads {
internal;
}
}
}
“`
Step 6: Enable HTTPS and HSTS
Secure your website using HTTPS and HTTP Strict Transport Security (HSTS):
“`bash
sudo apt-get install openssl libssl-dev
http {
…
server {
# enable https
ssl_certificate /path/to/your/cert.crt;
ssl_certificate_key /path/to/your/key.key;
ssl_protocols TLSv1.2 TLSv1.3; # Enable modern SSL/TLS protocols
# HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000";
}
}
“`
Conclusion
By following these steps, you’ve successfully hardened your NGINX configuration for security and performance. Remember to review and update your setup regularly to ensure the highest level of protection.
Note: This guide assumes a basic understanding of NGINX configuration. If you’re new to NGINX, consider exploring the official documentation or seeking guidance from experienced administrators.
