How to secure NGINX - Securitricks

#security #linux #nginx #hardening ## What is NGINX ? NGINX is a powerful, high-performance web server and reverse proxy. Securing your NGINX server is crucial to ensure the safety and integrity of your web applications. This guide provides detailed steps to enhance the security of your NGINX installation. ## Prerequisites - Basic knowledge of NGINX and Linux command line. - An NGINX server installed and running. ## Step-by-Step Guide ### 1. Keep NGINX Updated Ensure your NGINX server is always up-to-date to protect against the latest vulnerabilities. ```bash sudo apt update sudo apt upgrade nginx ``` ### 2. Use Strong Permissions and Ownership Ensure that your NGINX configuration files and directories have the appropriate permissions. ```bash sudo chown -R root:root /etc/nginx sudo chmod -R 644 /etc/nginx/nginx.conf sudo chmod -R 755 /etc/nginx/sites-available/ sudo chmod -R 755 /etc/nginx/sites-enabled/ ``` ### 3. Disable Server Tokens Disabling server tokens prevents NGINX from disclosing its version number, which can be useful information for attackers. Edit the main configuration file: ```bash sudo nano /etc/nginx/nginx.conf ``` Add or modify the following line: ```nginx server_tokens off; ``` ### 4. Use a Strong Diffie-Hellman Group Generate a strong Diffie-Hellman group for enhanced security in SSL/TLS connections. ```bash sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096 ``` Then, add this to your NGINX configuration: ```nginx ssl_dhparam /etc/nginx/dhparam.pem; ``` ### 5. Enable HTTP Strict Transport Security (HSTS) HSTS enforces the use of HTTPS and prevents protocol downgrade attacks. Edit your server block configuration: ```bash sudo nano /etc/nginx/sites-available/your_site ``` Add the following line: ```nginx add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; ``` ### 6. Configure SSL/TLS Use strong SSL/TLS protocols and ciphers. Modify your SSL configuration: ```nginx ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; ssl_prefer_server_ciphers on; ``` ### 7. Implement Rate Limiting Rate limiting helps mitigate brute force attacks. Add the following to your server block: ```nginx limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s; limit_req zone=mylimit burst=20; ``` ### 8. Enable Access Logs Monitor access logs to detect suspicious activities. Edit your server block configuration: ```nginx access_log /var/log/nginx/access.log; ``` ### 9. Use a Web Application Firewall (WAF) Install and configure a WAF like ModSecurity to protect against common web attacks. First, install ModSecurity: ```bash sudo apt install libnginx-mod-security ``` Then, enable it in your NGINX configuration: ```nginx modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf; ``` ### 10. Restrict Access to Sensitive Files Prevent access to sensitive files like configuration files and git repositories. Add the following to your server block: ```nginx location ~ /\.ht { deny all; } location ~ /\.(git|svn|hg) { deny all; } ``` ### Conclusion By following these steps, you can significantly enhance the security of your NGINX server. Regularly review and update your configurations and stay informed about the latest security practices. For more detailed information, refer to the [NGINX security documentation](https://nginx.org/en/docs/security.html). ---