This is a brief list of suggestions for hardening an Nginx web server, or of security items to check on one.
Firstly, much of this is already covered in the Nginx entry of the ‘Awesome’ series of lists
on GitHub, specifically Awesome Nginx Security.
See https://github.com/wallarm/awesome-nginx-security
a) Disable Nginx server_tokens
– set “server_tokens off” in the http section of nginx.conf. This removes the version number from the Server header and from Nginx’s built-in error pages; the header itself still reads “Server: nginx” (dropping it completely needs the third-party headers-more module).
b) Minimal error pages
– add “error_page 401 403 404 /404.html;” to the “server” sections of the sites-enabled/ files (or nginx.conf). Mapping all three codes to one generic page means a forbidden path looks the same as a missing one, and no backend stack trace or directory listing reaches the client. Serve /404.html from a “location = /404.html” block marked “internal;” so it can only be reached through error_page and not by requesting it directly; the client still gets the original 401/403/404 status code.
c) Settings to limit request sizes (often listed as “buffer overflow” protection)
These directives bound how much memory Nginx allocates per request and make it reject oversized requests (413 for a body over the limit, 400 or 414 for headers that do not fit the buffers). They are resource-exhaustion controls, not memory-safety fixes: lowering them does not make Nginx itself any safer against a genuine overflow.
Note: Both client_header_buffer_size & large_client_header_buffers will need to be higher than suggested below if your site uses very long URLs or large cookies.
client_body_buffer_size – default is 8k or 16k depending on platform. A body larger than this is written to a temporary file rather than rejected, so lowering it saves memory but limits nothing; the real cap is client_max_body_size.
eg: client_body_buffer_size 1k
client_header_buffer_size – holds the request line and headers in the common case; the default of 1k is usually sufficient, and anything bigger falls through to large_client_header_buffers:
eg: client_header_buffer_size 1k
client_max_body_size – caps the request body (Content-Length) a client may send; anything larger gets a 413. The default is 1m.
Needs to be more if the site uses the POST HTTP method for file uploads or such; raise it only in the location that accepts uploads rather than globally.
eg: client_max_body_size 1k
large_client_header_buffers – number and size of the buffers used when a request does not fit client_header_buffer_size (default 4 8k). The request line must fit in one buffer or the client gets a 414; each header field must fit in one buffer or it gets a 400.
eg: large_client_header_buffers 2 1k (too small for almost any site that sets cookies; 2 8k is a more realistic starting point)
d) Disable any unwanted HTTP methods. The relevant config, in nginx.conf or a sites-enabled/ file, goes in the “server” section:
eg: To ensure HEAD, DELETE, SEARCH, TRACE methods won’t work
# Only GET, POST, PUT are allowed
if ($request_method !~ ^(GET|PUT|POST)$ ) {
return 444;
}
Notes: 444 closes the connection without sending any response; use “return 405;” instead if clients should get a proper error. TRACE needs no rule at all, Nginx does not implement it and already answers 405. As written, the block also rejects HEAD (used by many monitors and load-balancer health checks) and OPTIONS (needed for CORS preflight), so add those to the list if the site needs them, and keep PUT only if a backend actually implements it. Inside a “location” block, “limit_except” is the cleaner way to do the same thing; “if” with nothing but a “return” in it is one of the few uses of “if” that is safe.
e) Ensure no PHP or JVM version, path or similar information from the backend is passed back to clients, ie: don’t send out X-Powered-By & Server headers. Fix it at the source where possible (eg: “expose_php = Off” in php.ini) and strip whatever is left at the Nginx layer with “fastcgi_hide_header X-Powered-By;” for FastCGI backends or “proxy_hide_header X-Powered-By;” (and likewise for Server) for proxied backends. Fetch the response headers with curl after the change to confirm nothing leaks.
f) Check SSL Ciphers, Protocol & other SSL specific settings
(i) set ssl_ciphers to a short list of forward-secret suites, eg:
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
(there is no such suite as AES256-GCM-SHA512; OpenSSL silently ignores unknown names in the list as long as at least one matches, so a typo there goes unnoticed. Check any list with “openssl ciphers -v '<list>'”. ssl_ciphers only governs TLS 1.2; the TLS 1.3 suites are fixed by OpenSSL.)
(ii) set: ssl_protocols TLSv1.3;
(this needs Nginx built against OpenSSL 1.1.1 or later and turns away clients that only speak TLS 1.2; if that is too strict use “ssl_protocols TLSv1.2 TLSv1.3;”, but never enable TLSv1 or TLSv1.1. With TLSv1.3 alone, the cipher list in (i) and the DH parameters in (iv) are never used.)
Other good suggestions for Nginx at https://cipherli.st/
(iii) set:
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
(the first makes the server’s order from (i) win over the client’s preference under TLS 1.2; the cache gives session resumption without tickets. If session tickets stay enabled, rotate the key with ssl_session_ticket_key or set “ssl_session_tickets off;”, because Nginx otherwise keeps the one ticket key it generated at startup for its whole lifetime, and a compromise of that key undoes forward secrecy for every resumed session.)
(iv) create & use a strong DH Parameters file with: (takes some time to run at 4096 bits)
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
(v) point Nginx at the same file, set:
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
(the path must match the one written in (iv). This file is only used by DHE-* suites under TLS 1.2; with an ECDHE-only cipher list, or TLS 1.3 alone, it is never read.)
(vi) ensure you’re using valid/correct X-Frame-Options,
Strict-Transport-Security and other ‘secure’ headers
eg:
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "0" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Notes: use straight quotes in the config, curly ones are a syntax error. “always” makes Nginx add the header on error responses too, not just on 2xx/3xx. X-XSS-Protection is obsolete: the filter it controlled has been removed from current browsers, and “1; mode=block” could be abused as a side channel in the ones that had it, so set it to 0 (or drop it) and use a Content-Security-Policy instead. The HSTS token is includeSubDomains and the value takes no trailing semicolon; only send HSTS from the HTTPS server block, and only add “preload” once every subdomain really serves HTTPS. Biggest pitfall: add_header is not inherited into a location that has its own add_header, so such a location silently loses all server-level headers; keep the set in a snippet and include it at every level that uses add_header.
(vii) consider whether or not to implement OCSP Stapling (“ssl_stapling on;” and “ssl_stapling_verify on;”, plus ssl_trusted_certificate with the issuer chain and a resolver so Nginx can reach the OCSP responder), see https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
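Putting items a) to f) together, here is a complete example server block. It is added here as an illustration and is not taken from this list or from awesome-nginx-security. It belongs inside the http section of nginx.conf (or a sites-enabled/ file included there); example.org, the /etc/nginx/ssl paths, /var/www/example, the PHP-FPM socket, the resolver address and the security-headers.conf snippet are placeholders, and it assumes Nginx 1.13 or later built against OpenSSL 1.1.1 or later (needed for TLSv1.3).

```nginx
# Added example, not from the page or awesome-nginx-security. Goes inside http { } in
# nginx.conf (or a sites-enabled/ file). Placeholders: example.org, the /etc/nginx/ssl
# paths, /var/www/example, the PHP-FPM socket, the resolver and the snippet file.
# Assumes Nginx 1.13+ built against OpenSSL 1.1.1+ (needed for TLSv1.3).

# a) strip the version from the Server header and built-in error pages
server_tokens off;

# c) per-request size limits: these bound memory per request and reject oversize
#    requests (413 for the body, 400/414 for headers); not memory-safety controls
client_body_buffer_size     16k;   # bodies above this spill to a temp file, not an error
client_max_body_size        1m;    # 413 above this; raise only in an upload location
client_header_buffer_size   1k;
large_client_header_buffers 2 8k;  # must hold your longest URL and cookie headers

# plain HTTP only redirects; nothing is served in clear text
server {
    listen 80;
    listen [::]:80;
    server_name example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;
    root /var/www/example;

    ssl_certificate     /etc/nginx/ssl/example.org.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.org.key;

    # f)(i)-(v) TLS 1.2 and 1.3 only. ssl_ciphers and ssl_dhparam govern TLS 1.2 only;
    # TLS 1.3 suites are fixed by OpenSSL. The DHE suite is the only one that uses dhparam.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;   # same path the openssl dhparam command wrote to
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;                   # Nginx never rotates its ticket key on its own

    # f)(vii) OCSP stapling; the trusted file holds the issuer chain, and a resolver is
    # required so Nginx can reach the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/example.org.chain.pem;
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;

    # f)(vi) security headers; "always" also applies them to 4xx/5xx responses.
    # CSP frame-ancestors is the modern replacement for X-Frame-Options (kept for old clients).
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "0" always;
    add_header Content-Security-Policy "frame-ancestors 'self'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # b) one generic page for 401/403/404, reachable only through error_page;
    #    the client still receives the original status code
    error_page 401 403 404 /404.html;
    location = /404.html {
        internal;
    }

    # d) drop anything but GET/HEAD/POST without a response (444). HEAD is kept because
    #    health checks use it; add OPTIONS if the site serves CORS preflights.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 444;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    # add_header is NOT merged across levels: a location with its own add_header loses
    # every server-level header above. Re-include them (the snippet is assumed to hold
    # the same five add_header lines) wherever add_header is used again.
    location ~* \.(css|js|png|jpg|svg|woff2)$ {
        add_header Cache-Control "public, max-age=86400";
        include /etc/nginx/snippets/security-headers.conf;
    }

    # e) PHP-FPM backend: strip the X-Powered-By header PHP adds before it reaches the
    #    client (for a proxied JVM/Tomcat backend use proxy_hide_header instead)
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_hide_header X-Powered-By;
    }
}
```

Run “nginx -t” before reloading, then check the result from outside: “openssl s_client -connect example.org:443 -status” shows the negotiated protocol and cipher and whether an OCSP response was stapled, and fetching the headers with curl confirms the security headers are present on a static file, on a PHP page and on a 404.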
g) Do “apt-get update && apt-get upgrade” (or the distro’s equivalent) to pick up security updates for the distro’s packages, Nginx included, and compare the running version from “nginx -v” against the current release notes.
h) Work through the checklist of https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
i) Check the settings of the backend or content-generation layer (PHP, Tomcat, JVM, etc.) outside of Nginx itself.
FYI,
Richard.