This is a quick brief listing of suggestions for Nginx web server hardening or security items to check.<\/p>\n
Firstly, lots of this is mentioned in the Nginx instance of the ‘Awesome’ series of sites
\non GitHub specifically on Nginx Security.
\nSee https:\/\/github.com\/wallarm\/awesome-nginx-security<\/p>\n
a) Disable Nginx server_tokens
\n– set “server_tokens off” in nginx.conf<\/p>\n
b) Minimal error pages
\n– add “error_page 401 403 404 \/404.html;” to sites-enabled\/ files and “server” config sections<\/p>\n
c) Settings to control Buffer Overflow Attacks<\/p>\n
Note: Both client_header_buffer_size & large_client_header_buffers will need to be higher than suggested below if your site uses very long URLs.<\/p>\n
client_body_buffer_size – default is 8 or 16k, can probably be much lower.
\neg: client_body_buffer_size 1k<\/p>\n
client_header_buffer_size – again, 1k is usually sufficient:
\neg: client_header_buffer_size 1k<\/p>\n
client_max_body_size – controls clients throwing too much data at the web server in
\n sessions.
\nNeeds to be more if the site uses the POST HTTP method for file uploads or such.
\neg: client_max_body_size 1k<\/p>\n
large_client_header_buffers – related to larger client_header_buffer_size if needed.
\neg: large_client_header_buffers 2 1k<\/p>\n
d) Disable any unwanted HTTP methods, relevant conf items eg: in nginx.conf or a sites-enabled\/ file for this are:
\neg: To ensure HEAD, DELETE, SEARCH, TRACE methods won’t work
\n# Only GET, Post, PUT are allowed
\n if ($request_method !~ ^(GET|PUT|POST)$ ) {
\n return 444;
\n }<\/p>\n
e) Ensure no PHP or JVM version or path etc information is passed back to Nginx. ie: Don’t send out X-Powered-By & Server headers to clients<\/p>\n
f) Check SSL Ciphers, Protocol & other SSL specific settings
\n(i) set ssl_ciphers to:
\nssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;<\/p>\n
(ii) set: ssl_protocols TLSv1.3;<\/p>\n
Other good suggestions for Nginx at https:\/\/cipherli.st\/
\n(iii) set:
\nssl_prefer_server_ciphers on;
\nssl_session_cache shared:SSL:10m;<\/p>\n
(iv) create & use a strong DH Parameters file with: (takes some time to run)
\nopenssl dhparam -out \/etc\/nginx\/ssl\/dhparam.pem 4096<\/p>\n
(v) configure above .pem file, set:
\nssl_dhparam \/etc\/ssl\/certs\/dhparam.pem;<\/p>\n
(vi) ensure you’re using valid\/correct X-Frame-Options,
\nStrict-Transport-Security and other ‘secure’ headers
\neg:
\nadd_header X-Frame-Options SAMEORIGIN;
\nadd_header X-Content-Type-Options nosniff;
\nadd_header X-XSS-Protection “1; mode=block”;
\nadd_header Strict-Transport-Security “max-age=31536000; includeSubdomains;”;<\/p>\n
(vii) consider whether or not to implement OSCP Stapling, see https:\/\/raymii.org\/s\/tutorials\/OCSP_Stapling_on_nginx.html<\/p>\n
g) Do “apt-get update && apt-get upgrade” and see what new Linux Packages are available for the Distro.<\/p>\n
h) Work through the checklist of https:\/\/www.nginx.com\/resources\/wiki\/start\/topics\/tutorials\/config_pitfalls\/<\/p>\n
i) Check on backend server or content generation (PHP, Tomcat, JVM, etc etc) settings, outside of Nginx itself.<\/p>\n
FYI,
\nRichard.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is a quick brief listing of suggestions for Nginx web server hardening or security items to check. Firstly, lots of this is mentioned in the Nginx instance of the ‘Awesome’ series of sites on GitHub specifically on Nginx Security. … Continue reading