Some security configuration recommendations for Nginx servers

  • 2020-05-10 23:25:32
  • OfStack

  Nginx is one of the most popular web servers today. It serves 7% of the world's web traffic and is growing at a remarkable rate. It's an amazing server, and I'd like to see it deployed.

Below is a list of common security pitfalls and solutions that can be used to help ensure that your Nginx deployment is secure.

1. Be careful about using "if" in configuration files. It is part of the rewrite module and should not be used anywhere else.

The "if" directive is part of the rewrite module's imperative evaluation. Put another way, Nginx configuration is otherwise declarative. Because users wanted to use "if" in non-rewrite contexts, we have the situation we face now: it works most of the time, but not always.

It seems that the only correct solution is to disable "if" completely outside rewrite contexts. That would change many existing configurations, so it has not been done yet.


2. Forwarding every ~ \.php$ request to PHP. We published a potential security vulnerability involving this popular directive last week. Even a file named hello.php.jpeg can end up matching ~ \.php$ and being executed.

There are two good ways to solve this. I think the important thing is to make sure you never end up executing arbitrary code, whichever approach you take.

  • Use try_files, and forward the request to the FastCGI process running PHP only if the file exists (this should be done in every dynamic execution case).
  • Confirm that cgi.fix_pathinfo is set to 0 (cgi.fix_pathinfo=0) in php.ini. This makes PHP check the full file name; if that file is not found, the request fails rather than falling back to another file earlier in the path.
  • Fix the regular expression so that it does not match the wrong files. As written, it treats any path containing ".php" as a PHP script. Add a rule ahead of the PHP location so that only the correct files run: keep location ~ \.php$, and add location ~ \..*/.*\.php$ set to return 403;
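The three measures above, written out as an added example (this is not configuration from the original article): the risky "forward everything ending in .php" location is shown commented out for contrast, followed by the hardened form. It assumes PHP-FPM listens on 127.0.0.1:9000, the document root is /var/www/html, and cgi.fix_pathinfo=0 is set in php.ini; the host name is a placeholder.

```nginx
# Added example, not from the original article.
# Assumptions: PHP-FPM on 127.0.0.1:9000, root /var/www/html,
# cgi.fix_pathinfo=0 in php.ini, placeholder server_name.

server {
    listen 80;
    server_name example.invalid;   # placeholder host name
    root /var/www/html;

    # --- Risky form (kept only for contrast; do not deploy) ---
    # A request such as /uploads/image.jpg/x.php still ends in .php, so it
    # reaches this block. With cgi.fix_pathinfo=1, PHP walks back along the
    # path until it finds an existing file and executes that instead.
    #
    # location ~ \.php$ {
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    # }

    # --- Hardened form ---
    # Refuse any request whose path has a dotted component before the final
    # .php (for example /foo.jpg/bar.php). Regex locations are tried in file
    # order, so this block must come before the PHP location.
    location ~ \..*/.*\.php$ {
        return 403;
    }

    location ~ \.php$ {
        # Hand off to FastCGI only when the requested script exists on disk;
        # any other request gets a 404 and never reaches PHP.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

The try_files line is what makes the php.ini setting a second line of defence rather than the only one: even if cgi.fix_pathinfo is later flipped back to 1, Nginx has already refused to proxy a request for a script that does not exist.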


3. Disable the autoindex module. This may already be off in the Nginx version you are using; if not, add the autoindex off; directive to the location block in the configuration file.

4. Disable SSI (server-side includes) on the server. This is done by adding ssi off; to the location block.

5. Turn off server tokens. When enabled (the default), all error pages display the server version and information. Add the server_tokens off; directive to the Nginx configuration file to fix this.

6. Set explicit buffer sizes in the configuration file to limit the scope for buffer overflow attacks.

        client_body_buffer_size     1k;
        client_header_buffer_size   1k;
        client_max_body_size        1k;
        large_client_header_buffers 2 1k;

7. Set timeouts low to mitigate DoS attacks. All of these directives can be placed in the main configuration file.

        client_body_timeout   10;
        client_header_timeout 10;
        keepalive_timeout     5 5;
        send_timeout          10;

8. Limit the number of connections per client to mitigate DoS attacks.

        limit_zone slimits $binary_remote_addr 5m;
        limit_conn slimits 5;
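As an added example (not configuration from the original article), here are the directives from items 3 through 8 placed in the contexts where Nginx expects them. It assumes a placeholder host name and document root, and it uses limit_conn_zone, which replaced limit_zone in nginx 1.1.8; the zone name "perip" and the 10m size are arbitrary choices. The sizes and timeouts copy the article's values, with comments noting where a real deployment usually has to loosen them.

```nginx
# Added example, not from the original article. Assumptions: placeholder
# server_name and root; zone name "perip" and size 10m chosen arbitrarily.

http {
    # Item 5: hide the version string in error pages and the Server header.
    server_tokens off;

    # Item 6: small request buffers. Requests that exceed them are rejected
    # rather than buffered. client_max_body_size 1k blocks almost any POST or
    # file upload, so raise it in the locations that must accept bodies.
    client_body_buffer_size     1k;
    client_header_buffer_size   1k;
    client_max_body_size        1k;
    large_client_header_buffers 2 1k;

    # Item 7: short timeouts so idle or slow clients release workers quickly.
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     5 5;
    send_timeout          10;

    # Item 8: per-client connection limit. limit_zone was replaced by
    # limit_conn_zone in nginx 1.1.8; the zone is declared in the http
    # context and referenced from a server or location.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    server {
        listen 80;
        server_name example.invalid;   # placeholder host name
        root /var/www/html;

        limit_conn perip 5;            # at most 5 concurrent connections per IP

        location / {
            autoindex off;             # Item 3: no directory listings
            ssi off;                   # Item 4: no server-side includes
            try_files $uri $uri/ =404;
        }

        # Relax the body limit only where uploads are actually expected.
        location /upload/ {
            client_max_body_size 8m;
        }
    }
}
```

Run nginx -t after applying a change like this: an old limit_zone directive on a current Nginx, or a limit_conn_zone placed inside a server block, fails the configuration test rather than silently doing nothing.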

9. Try to avoid HTTP basic authentication. It uses crypt by default, and crypt hashes are not secure. If you must use it, use MD5 (not a good option either, but better than crypt).

10. Keep up with the latest Nginx security updates.
