Security is no small matter, security prevention starts from nGINx configuration

I received good feedback on my previous article, “Some common configurations and Tips for Nginx,” so here are some security-related configurations for Nginx

Hidden version number

http {
    server_tokens off;
}
Copy the code

There are often security vulnerabilities for a certain version of Nginx. Hiding the version number of NginX is one of the main security optimization methods. Of course, the most important is to update the vulnerability in time

Open the HTTPS

server { listen 443; server_name ops-coffee.cn; ssl on; ssl_certificate /etc/nginx/server.crt; ssl_certificate_key /etc/nginx/server.key; Ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:! aNULL:! MD5; }Copy the code

SSL on: HTTPS is enabled

Ssl_certificate: Specifies the path of the Nginx SSL certificate

Ssl_certificate_key: Specifies the key path of the Nginx SSL certificate

Ssl_protocols: Specifies the SSL protocol version used by clients to establish connections. If TSLv1 compatibility is not required, delete this protocol

Ssl_ciphers: specifies the encryption algorithm used for client connections. You can configure a more secure algorithm here

Adding a blacklist or whitelist

Whitelist Configuration

Location /admin/ {allow 192.168.1.0/24; deny all; }Copy the code

Only hosts in the 192.168.1.0/24 network segment are allowed to access the network

It can also be written as a blacklist to prohibit access to some addresses and allow all others, for example

Location /ops-coffee/ {deny 192.168.1.0/24; allow all; }Copy the code

More often than not, the client request will pass through multiple layers of proxies, which can be restricted by $http_x_forwarded_for

set $allow false;
if ($http_x_forwarded_for = "211.144.204.2") { set $allow true; }
if ($http_x_forwarded_for ~ "108.2.66. [89]") { set $allow true; }
if ($allow = false) { return 404; }
Copy the code

Adding Account Authentication

server {
    location / {
        auth_basic "please input user&passwd"; auth_basic_user_file key/auth.key; }}Copy the code

Nginx has already introduced some common configurations and techniques for account authentication

Limit request method

if ($request_method! ~ ^(GET|POST)$ ) {return 405;
}
Copy the code

$request_method gets the method that requested nginx

The configuration allows access only to GET\POST methods. Other methods return 405

Reject the user-agent

if ($http_user_agent ~* LWP::Simple|BBBike|wget|curl) {
    return 444;
}
Copy the code

There may be some bad actors using wget/curl or other tools to scan our website. We can prevent this simply by disabling the corresponding User-agent

Nginx has a special 444 state. If you return 444, the client will not receive the message from the server, as if the web site was disconnected

Picture anti-theft chain

location /images/ {
    valid_referers none blocked www.ops-coffee.cn ops-coffee.cn;
    if ($invalid_referer) {
        return403; }}Copy the code

Valid_referers: Verify the referer, where None allows the referer to be empty and Blocked allows requests without a protocol. In addition to the above two categories, only access to image resources under images when the referer is www.ops-coffee.cn or OPs-coffee.cn is allowed, otherwise 403 is returned

You can also redirect requests that do not comply with the referer rule to a default image, as shown below

location /images/ {
    valid_referers blocked www.ops-coffee.cn ops-coffee.cn
    if ($invalid_referer) { rewrite ^/images/.*\.(gif|jpg|jpeg|png)$ /static/qrcode.jpg last; }}Copy the code

Control the number of concurrent connections

You can limit the number of concurrent connections to an IP address using the ngx_HTTP_limit_conn_module module

http {
    limit_conn_zone $binary_remote_addrzone=ops:10m; server { listen 80; server_name ops-coffee.cn; root /home/project/webapp; index index.html; location / { limit_conn ops 10; } access_log /tmp/nginx_access.log main; }}Copy the code

Limit_conn_zone: set the parameter of the shared memory space that stores the status of each key (for example, $binary_remote_ADDR), zone= Space name: size

For example, the size of the $binary_remote_ADDR variable is fixed at 4 bytes for IPV4 addresses and 16 bytes for IPV6 addresses. The storage state takes up 32 or 64 bytes on 32-bit platforms. 64 bytes on 64-bit platforms. The 1MB shared memory space can hold about 32,000 32-bit states and 16,000 64-bit states

Limit_conn: Specifies a set shared memory space (for example, the space whose name is OPS) and the maximum number of connections for each given key value

The above example indicates that only 10 connections are allowed on the same IP address at one time

All connection limits take effect when multiple limit_CONN directives are configured

http {
    limit_conn_zone $binary_remote_addr zone=ops:10m;
    limit_conn_zone $server_namezone=coffee:10m; server { listen 80; server_name ops-coffee.cn; root /home/project/webapp; index index.html; location / { limit_conn ops 10; limit_conn coffee 2000; }}}Copy the code

The above configuration limits not only the number of connections from a single IP source to 10, but also the total number of connections from a single virtual server to 2000

Buffer overflow attack

Buffer overflow attacks are implemented by writing data to the buffer beyond the buffer boundary and overwriting memory fragments. Limiting the buffer size can be effectively prevented

client_body_buffer_size  1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
Copy the code

Client_body_buffer_size: the default size is 8K or 16K, which indicates the buffer size occupied by the body requested by the client. If the connection request exceeds the value specified by the cache, the whole or part of the request entity will attempt to write to a temporary file.

Client_header_buffer_size: Specifies the buffer size of the client request header. Most of the time a request header will not be larger than 1K, but if there is a large cookie from a WAP client that may be larger than 1K, Nginx will allocate it a larger buffer, which can be set in large_client_header_buffers

Client_max_body_size: Represents the maximum acceptable body size for a client Request. It appears in the Content-Length field in the Request header. If the Request is larger than the specified value, the client will receive a “Request Entity Too Large” (413) error, which is usually limited when uploading files to the server

Large_client_header_buffers Specifies the number and size of buffers used by some large request headers. By default, a buffer is the size of a paging file in the operating system, usually 4k or 8K. The request field cannot be larger than a buffer size. Nginx will return “Request URI too large” (414). The longest field in the header of the Request must not be larger than a buffer, otherwise the server will return “Bad Request “(400).

Several timeout Settings need to be modified

client_body_timeout   10;
client_header_timeout 10;
keepalive_timeout     5 5;
send_timeout          10;
Copy the code

Client_body_timeout: Specifies the timeout for reading the body of a Request. If the connection exceeds this timeout without any response from the client, Nginx will return a “Request timeout “(408) error

Client_header_timeout: Specifies the timeout period for reading the client Request header. If the connection exceeds this time without any response from the client, Nginx will return a “Request timeout “(408) error

Keepalive_timeout: The first value of the keepalive_timeout parameter indicates the timeout period for the long connection between the client and the server. After this timeout, the server will close the connection. The optional second parameter indicates the keep-alive parameter in the Response header. Timeout =time the time value that allows some browsers to know when to close a connection so that the server does not have to close it again. If this parameter is not specified, nginx will not send keep-alive messages in the Response header

Send_timeout: Indicates the Timeout period after sending the reply to the client. Timeout means that the complete ESTABLISHED state is not entered, and only two handshakes are completed. If there is no response from the client after this time, nginx closes the connection

The Header head set

You can set the following parameters to effectively prevent XSS attacks

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
Copy the code

X-frame-options: the response header indicates whether the browser is allowed to load Frame and other attributes. There are three Settings DENY that prohibit any web pages FROM being embedded. SAMEORIGIN only allows nesting of this site, and allow-from allows nesting of specific addresses

X-xss-protection: indicates that XSS filtering is enabled (x-xSS-protection: 0 is disabled). Mode =block indicates that the page rendering is stopped if XSS attacks are detected

X-content-type-options: The response header is used to identify guesses about the true Type of unspecified or incorrectly specified content-type resources. Nosniffing indicates that no guesses are allowed

In a typical request response, the browser will identify the response Type based on the Content-Type, but when the response Type is not specified or incorrectly specified, the browser will try to enable MIME-Sniffing to guess the response Type of the resource, which can be dangerous

For example, a.jpg image file is maliciously embedded with executable JS code. With resource type guessing turned on, the browser will execute the embedded JS code, possibly with unintended consequences

There are also a few other security configurations for request headers that need to be noted

Content-security-policy: defines which resources a page can load,

add_header Content-Security-Policy "default-src 'self'";
Copy the code

The above configuration restricts all external resources to be loaded from the current domain name, where default-src defines the default loading policy for all types of resources and self allows content from the same source

Strict-transport-security: tells the browser to use HTTPS instead of HTTP to access the destination site

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
Copy the code

The above configuration indicates that when the user accesses the site for the first time, a field containing the strict-transport-Security response header is returned. This field tells the browser that for the next 31536,000 seconds, all requests to the current site are accessed using HTTPS. Parameters includeSubDomains are optional, indicating that the same rules will apply to all subdomains


Related articles recommended reading:

  • The Devops tools we developed ourselves
  • Several common configurations and techniques for Nginx