Nginx is a lightweight Web/reverse proxy server and E-mail (IMAP/POP3) proxy server distributed under a BSD-like protocol. It is characterized by less memory and strong concurrency. In fact, Nginx’s concurrency does perform better in the same type of web server. In Mainland China, nginx website users include baidu, JINGdong, Sina, NetEase, Tencent, Taobao and so on. Maybe you’ve heard all the wonderful things about Nginx, maybe you already love it, are thinking about improving the security and stability of your Nginx server, or maybe you’re considering replacing Apache with Nginx, then this article is perfect for you to continue reading.
This article describes 12 actions you can take to improve security, stability, and performance of your Nginx server.
1: Keep Nginx updated
The current stable version of Nginx is 1.14.0. It is best to upgrade to the latest version. If you look at the official release note, you will find that they have fixed many bugs, and no production environment wants to run under the risk of such bugs. Also, while installation packages are easier to install than compiled from source code, the latter option has two advantages:
-
1) It allows you to add additional modules to Nginx (such as more_header, mod_security),
-
2) It always provides a newer version than the installation package, see Release Note on the Nginx website.
2: Remove unused Nginx modules
When compiling and installing, execute the./configure method with the following configuration directives to explicitly remove unused modules:
./configure --without-module1 --without-module2 --without-module3 /configure --without-http_dav_module -- withouthttP_spdy_module # Make sure the module you disable does not contain the instructions you need to use! Before deciding to disable modules, you should check the list of instructions available for each module in the Nginx documentation.
Copy the code
3: Disable server_TOKENS in Nginx configuration
Server_tokens causes the 404 page to display the current version number of Nginx when turned on. This is obviously not secure, since hackers can use this information to try out vulnerabilities in the corresponding version of Nginx. Conf with HTTP server_tokens off.
Server {listen 192.168.0.25:80; Server_tokens off; server_name tecmintlovesnginx.com www.tecmintlovesnginx.com; access_log /var/www/logs/tecmintlovesnginx.access.log; error_log /var/www/logs/tecmintlovesnginx.error.log error; root /var/www/tecmintlovesnginx.com/public_html; index index.html index.htm; }# restart Nginx to take effect:
Copy the code
4: Disable illegal HTTP User Agents
User Agent is a kind of identification of browser in HTTP protocol. Prohibiting illegal User Agent can prevent some crawler and scanner requests, and prevent these requests from consuming a lot of Nginx server resources. In order to better maintenance, best to create a file, containing don’t expect the user agent list for example/etc/nginx/blockuseragents rules include the following:
map $http_user_agent $blockedagent { default 0; ~*malicious 1; ~*bot 1; ~*backdoor 1; ~*crawler 1; ~*bandit 1; } and then put the following statement in a configuration file server module, include/etc/nginx/blockuseragents rules; And add if statement to set block to enter the page:
Copy the code
5: Disable HTTP methods that are not needed
Some Web sites and applications, for example, can support only GET, POST, and HEAD methods. Adding the following method to the server module in the configuration file can prevent some spoofing attacks
if ($request_method ! ~ ^(GET|HEAD|POST)$) {return 444; }
Copy the code
6: Sets the upper limit of buffer capacity
This setting prevents buffer overflow attacks (also for Server modules)
client_body_buffer_size 1k; client_header_buffer_size 1k; client_max_body_size 1k; large_client_header_buffers 2 1k; No amount of HTTP requests will overflow the server buffer.
Copy the code
7: Limits the maximum number of connections
-
In the HTTP module, set limit_conn_zone outside the server module, and you can set the IP address for connection
-
Set limit_conn in HTTP, server, or location module. You can set the maximum number of connections for an IP address.
limit_conn_zone $binary_remote_addr zone=addr:5m; limit_conn addr 1;
Copy the code
8: Enables log monitoring
How to set up nginx logs
You may want to grab a log of access failures due to the Settings in point 7
grep addr /var/www/logs/tecmintlovesnginx.error.log --color=auto
Copy the code
You can also filter the following in the log:
-
The client IP
-
Browser Type
-
HTTP request methods
-
Request content
-
Server correspondence
9: Prevent pictures from linking to your server
Doing so obviously increases the bandwidth strain on your server. Assuming you have an IMG directory for storing images and your own IP address is 192.168.0.25, add the following configuration to prevent external linking
Location /img/ {valid_referers none blocked 192.168.0.25; if ($invalid_referer) { return 403; }}
Copy the code
10: Disable SSL and enable only TLS
Avoid using SSL whenever possible and use TLS instead. The following Settings can be placed in the Server module:
Ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Copy the code
11: Encrypt the certificate (HTTPS)
First generate the key and the integer, using either of the following:
# openssl genrsa -aes256 -out tecmintlovesnginx.key 1024# openssl req -new -key tecmintlovesnginx.key -out tecmintlovesnginx.csr# cp tecmintlovesnginx.key tecmintlovesnginx.key.org# openssl rsa -in tecmintlovesnginx.key.org -out tecmintlovesnginx.key# openssl x509 -req -days 365 -in tecmintlovesnginx.csr -signkey tecmintlovesnginx.key -out Tecmintlovesnginx. crt# then configure the Server module Server {listen 192.168.0.25:443 SSL; server_tokens off; server_name tecmintlovesnginx.com www.tecmintlovesnginx.com; root /var/www/tecmintlovesnginx.com/public_html; ssl_certificate /etc/nginx/sites-enabled/certs/tecmintlovesnginx.crt; ssl_certificate_key /etc/nginx/sites-enabled/certs/tecmintlovesnginx.key; Ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
Copy the code
12: redirects the HTTP request to HTTPS
Add return 301 https://$server_name$request_uri;
Copy the code
conclusion
This article shares some tips for securing Nginx Web servers. I’d love to hear what you think, and if you have any other suggestions, feel free to comment and share your experiences. Original: https://www.toutiao.com/i6567445684394394115/
, end,
— Writing is not easy, your forwarding is the biggest support for me —
Click on the menu “wechat group” to join the group and communicate with your partners!