Nginx server based security configuration with some security usage tips

  • 2020-05-10 23:30:22
  • OfStack

Security configuration
1. Introduction to nginx
nginx itself cannot run PHP; it is only a web server. When it receives a request for a PHP file it hands the request to a PHP interpreter, waits for the result and returns it to the client. In the usual setup nginx passes the request over FastCGI to the php-fpm master process, which picks one of its worker (CGI child) processes to execute the script; the output goes back to nginx.
Two accounts are therefore involved: the account nginx's worker processes run as, and the account php-fpm's workers run as. For a static file only the nginx account needs read access to the file. For a PHP file, nginx's account first needs access to the path (when try_files is used it checks that the file exists before forwarding); the request is then forwarded to php-fpm, whose account must also be able to read the file.
2. Some empirical conclusions
2.1. Under Linux, to read a file you first need execute (search) permission on the directory that contains it, and then read permission on the file itself.
2.2. Executing a PHP file does not require the execute bit on the file; it only requires that the nginx and php-fpm running accounts can read it.
2.3. Whether an uploaded Trojan (webshell) can list the contents of a directory depends on the php-fpm account's access to that directory (read permission on the directory).
2.4. The commands a Trojan can run, and with what privileges, depend on the php-fpm account.
2.5. For a Trojan to run a command, the php-fpm account needs execute permission on the shell it uses (normally /bin/sh, which PHP's system(), exec(), shell_exec() and similar functions invoke as "sh -c").
2.6. To read files inside a directory you do not need read permission on the directory, only execute (search) permission; read permission on a directory is what allows listing its entries.
3. Security configuration involved on an nginx server
3.1 Configuration of nginx.conf
3.2 Configuration of php-fpm.conf
3.3 Disk permissions of the nginx and php-fpm running accounts
3.4 Configuration of PHP (php.ini)
4. Common configuration
4.1 Deny access to a directory
Example: deny access to the directory "path"


location ^~ /path {
    deny all;
}

Replace "path" with the directory you want to protect. Whether you write it with or without a trailing "/" matters: with "/", access to that directory and everything inside it is denied. Without the "/" it is a plain prefix match, so every URI that starts with /path is denied, including /path2 or /pathname. The "^~" modifier also tells nginx to stop at this prefix match and not evaluate any regex locations, so a request under this directory never reaches the "location ~ \.php$" handler. It is conventionally placed before the fastcgi configuration.
4.2 Deny access to, and execution of, PHP files in a directory
Example: remove PHP execution for a single directory (typically the upload directory)


location ~ /attachments/.*\.(php|php5)$ {
    deny all;
}

Example: remove PHP execution for multiple directories


location ~ /(attachments|upload)/.*\.(php|php5)$ {
    deny all;
}

nginx tries regex locations in the order they appear in the configuration and uses the first one that matches, so these blocks must appear before the "location ~ \.php$" block that passes requests to php-fpm; placed after it they are never reached. The extension list must cover every extension the PHP handler accepts.

4.3 Deny or allow access by IP
Example: block an IP range:


deny 10.0.0.0/24;

Example: allow only one IP (or one range) and block everyone else. Rules are checked in order and the first match wins, so "deny all" must come last:


allow x.x.x.x;
allow 10.0.0.0/24;
deny all;
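The fragments in 4.1 to 4.3 only do their job if they sit in the right place relative to the location that hands requests to php-fpm. The server block below is an added example, not configuration from the original article: it puts the three rules together in a working order and also covers steps 6.7 to 6.9 later in the article. The directory names (/path, /attachments, /upload, /admin), the 10.0.0.0/24 admin range, the php-fpm socket path and the Debian/Ubuntu snippets/fastcgi-php.conf include are assumptions.

```nginx
# Added example (not from the original article). Assumed: directories /path,
# /attachments, /upload and /admin; admin clients on 10.0.0.0/24; php-fpm on
# unix:/run/php/php-fpm.sock; Debian/Ubuntu's snippets/fastcgi-php.conf, which
# sets SCRIPT_FILENAME and refuses scripts that do not exist on disk.
server {
    listen 80;
    server_name example.com;
    root /usr/share/nginx/html;
    index index.php index.html;

    # An exact match ("=") wins over every other location, so robots.txt
    # stays reachable even though .txt files are denied further down.
    location = /robots.txt { }

    # 4.1: deny a whole directory. "^~" is a prefix match that, once selected,
    # stops nginx from looking at any regex location, so nothing under /path/
    # can ever reach the PHP handler regardless of file name.
    location ^~ /path/ {
        deny all;
    }

    # 4.3 / 6.8: the admin backend is only reachable from the office range.
    # allow/deny are checked in order; the first match wins. The nested
    # location is needed because "^~" skips the regex PHP handler at the
    # bottom; without it admin scripts would be served as plain text. The
    # outer allow/deny rules are inherited by the nested location.
    location ^~ /admin/ {
        allow 10.0.0.0/24;
        deny all;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # 4.2 / 6.7: no PHP execution in upload directories. Regex locations are
    # tried in file order and the first match wins, so this must come before
    # the general PHP handler; moved below it, it is never reached.
    location ~ /(attachments|upload)/.*\.(php|php5)$ {
        deny all;
    }

    # 6.9: never serve logs or other text artifacts that may sit in the tree.
    location ~ \.(txt|log)$ {
        deny all;
    }

    # Static files; a file that does not exist gets 404 from nginx itself.
    location / {
        try_files $uri $uri/ =404;
    }

    # General PHP handler: only reached when none of the rules above matched.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check it with "nginx -t" and then with curl from an address outside the admin range: /upload/x.php and /admin/index.php must return 403, /robots.txt must return 200 while /debug.log returns 403, and /index.php must run normally. If the 403 for /upload/x.php disappears after you reorder the file, the deny block has slipped below the PHP handler.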

5. Frequently asked questions
5.1 How to stop an uploaded Trojan from being executed
Add a location for the upload directory to the nginx configuration so that PHP files in that directory are never passed to php-fpm (see 4.2).
5.2 How to stop a Trojan, once it runs, from seeing files outside the site directory
Remove the php-fpm running account's read and execute permissions on every directory outside the site.
5.3 How to stop a Trojan, once it runs, from executing commands
Remove the php-fpm account's execute permission on sh.
5.4 How to keep privileges low if commands can still be executed
Do not run php-fpm as root and do not put its account in the root group.
6. nginx security configuration
6.1 Change the owner of the website directory to an account other than the php-fpm running account; here the owner is changed to root.


chown -R root:root html/

6.2 Change the running accounts and groups of nginx and php-fpm to nobody.
6.3 Remove the "other" read permission (which is what nobody gets) everywhere, then add it back on the website directory.


chmod -R o-r /
chmod -R o+r html/

Caution: the first command removes world-read from every file on the host, including /etc/passwd, /etc/resolv.conf and the shared libraries under /lib and /usr/lib, which breaks most programs for any unprivileged user, not only for php-fpm. Try it on a disposable test system first, or limit the change to the directories that actually hold sensitive data.
6.4 Remove nobody's execute permission on /bin/sh


chmod o-x /bin/sh

Use "o-x" rather than an absolute mode such as 776, which would also grant group write on the shell. Note that /bin/sh is usually a symlink to dash or bash and chmod follows it, so the real shell binary is affected and every unprivileged user and service on the host loses it as well. This blocks PHP's system(), exec(), shell_exec(), passthru() and popen(), which all spawn "sh -c"; it does not stop the Trojan from reading files or from calling other interpreters that remain world-executable.
6.5 Confirm that the website directories are readable and executable by nobody and that the website files are readable.
6.6 Add write permission for nobody on the upload directory, and on any other directory the application has to write to.
6.7 In nginx.conf, remove PHP execution for the upload directory (see 4.2).
6.8 In nginx.conf, deny access to private directories such as the admin backend, or restrict them to specific IPs (see 4.1 and 4.3).
6.9 In nginx.conf, deny access to file types that must not be served, such as .txt log files.

10 safety tips for Nginx
1. Use "if" carefully in configuration files. It is part of the rewrite module and should not be used anywhere else.
The "if" directive is evaluated imperatively as part of the rewrite module, whereas the rest of an nginx configuration is declarative. Because it is convenient, people use "if" inside locations that have nothing to do with rewriting, and that is where the trouble starts: it works most of the time, but in some combinations (several "if" blocks in one location, or "if" together with try_files or proxy_pass) directives are silently dropped or applied in surprising ways; the nginx wiki's "If is Evil" page collects the known cases. The only things that are safe inside an "if" in a location are "return ..." and "rewrite ... last".
The only fully correct solution would be to disallow "if" in non-rewrite contexts altogether. That would break many existing configurations, so it has not been done.
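As an added illustration (not from the original article) of what this tip means in practice: the front-controller routing most PHP applications need and a request-method restriction, each first written with "if" and then in the declarative form nginx prefers. Paths are assumptions, and the usual "location ~ \.php$" handler that finally receives /index.php is not shown.

```nginx
# Added example, not from the original article. Paths are assumed; a normal
# "location ~ \.php$" handler (not shown) receives /index.php in both versions.

# Imperative version: works in simple cases, but it is exactly the kind of
# "if" the tip warns about. Only "return ..." and "rewrite ... last" are safe
# inside it; adding try_files, proxy_pass or a second "if" to this location
# leads to directives being silently ignored.
#
# location / {
#     if (!-e $request_filename) {
#         rewrite ^ /index.php last;
#     }
# }

# Declarative version: serve the file or directory if it exists, otherwise
# hand the request to the front controller, preserving the query string.
location / {
    try_files $uri $uri/ /index.php$is_args$args;
}

# Imperative method filter:
#
# location /api/ {
#     if ($request_method !~ ^(GET|HEAD)$) {
#         return 405;
#     }
# }

# Declarative method filter: limit_except allows the listed methods (HEAD is
# implied by GET) and applies the inner access rules to everything else.
location /api/ {
    limit_except GET {
        deny all;
    }
    try_files $uri /index.php$is_args$args;
}
```

The two "if" versions are the acceptable kind (they contain only a rewrite or a return); the point of the rewrite is that once you need anything else in the same location, the try_files and limit_except forms keep working while the "if" forms start to misbehave.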
2. Passing every request that matches "~ \.php$" to PHP. We published a potential security vulnerability in this popular directive last week. The regex only looks at the end of the URI, so a request such as /uploads/hello.jpg/x.php matches "~ \.php$" even though x.php does not exist; with cgi.fix_pathinfo enabled (PHP's default) PHP then walks back along the path and executes the uploaded hello.jpg as a script.
There are several good ways to solve this. I think it's important to make sure you don't execute arbitrary code in a hybrid way.
Use try_files so that the request is passed to the FastCGI process running PHP only if the requested file actually exists, and return 404 otherwise (this applies to every kind of dynamic execution, not just PHP).
Verify that cgi.fix_pathinfo is set to 0 in php.ini (cgi.fix_pathinfo=0). PHP then uses the full script name exactly as nginx passed it; if that file does not exist the request fails instead of PHP searching the path for something else to run.
Fix the regex so it does not match the wrong files. "location ~ \.php$" assumes that anything ending in .php is a script. Add a location to the site that rejects every path containing a dot before the last slash, "location ~ \..*/.*\.php$ { return 403; }", so that /hello.jpg/x.php is refused before it can reach PHP.
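The three fixes combined into one PHP handler. This is an added example rather than the original author's configuration; the weak handler is shown commented out above the hardened one, and the document root and php-fpm socket path are assumptions. cgi.fix_pathinfo lives in php.ini, not in nginx, so it appears only as a comment.

```nginx
# Added example, not from the original article. Root and socket are assumed.
server {
    listen 80;
    root /var/www/html;
    index index.php;

    # Weak form: anything ending in .php is handed to php-fpm, even
    # /uploads/hello.jpg/x.php where x.php does not exist. With
    # cgi.fix_pathinfo=1 PHP walks back along the path and executes hello.jpg.
    #
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass unix:/run/php/php-fpm.sock;
    # }

    # Fix 3: a dot anywhere before the last slash means "something.ext/x.php";
    # refuse it outright. Listed first because the first matching regex wins.
    location ~ \..*/.*\.php$ {
        return 403;
    }

    # Fix 1: try_files hands the request to php-fpm only if that exact file
    # exists; otherwise nginx answers 404 itself and PHP is never involved.
    # Fix 2 (php.ini, not nginx): cgi.fix_pathinfo=0, so PHP never searches
    # the path for a script when SCRIPT_FILENAME does not exist.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Two things to know before copying this: the 403 rule also rejects legitimate URLs whose directory names contain a dot (for example /v1.0/index.php), so check your application's paths; and try_files alone already defeats the hello.jpg trick, so the other two fixes are defence in depth rather than alternatives.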
3. Disable directory listings. The autoindex module is off by default in current nginx versions; if your configuration or build enables it, add "autoindex off;" to the affected location block.
4. Disable SSI (server-side includes) on the server by adding "ssi off;" to the location block (or to the server block).
5. Turn off server tokens. When enabled (the default) error pages and the Server response header reveal the nginx version. Add "server_tokens off;" to the nginx configuration to hide it.
6. Set explicit buffer sizes in the configuration file to bound how much client data nginx will accept and buffer, which reduces the room for oversized-request and buffer-overflow style attacks. The values below are deliberately tiny; client_max_body_size in particular must be raised to the largest upload the application legitimately accepts, since larger requests are rejected with HTTP 413.


client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

7. Set low timeouts to limit slow-request (slowloris-style) denial of service. All of these directives can be placed in the http context of the main configuration file.


client_body_timeout  10;
client_header_timeout 10;
keepalive_timeout   5 5;
send_timeout     10;

8. Limit the number of connections per client address to reduce the impact of denial-of-service attempts.


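Connection limiting in nginx is done with limit_conn_zone in the http context and limit_conn in the server or location context. Below is an added example (not the original article's configuration) with assumed zone names, limits and paths; it also adds per-address request-rate limiting with limit_req, the companion control for the same problem.

```nginx
# Added example, not from the original article. Zone names, limits and paths
# are assumptions; the fastcgi directives of the PHP handler are left out.
http {
    # Shared-memory zones keyed by client address. $binary_remote_addr is the
    # packed form of the address, so a 10m zone holds roughly 160k clients.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

    server {
        listen 80;
        root /var/www/html;

        # At most 20 simultaneous connections from one address. Excess
        # connections get 429 instead of the default 503 (limit_conn_status
        # and limit_req_status need nginx 1.3.15 or later).
        limit_conn perip 20;
        limit_conn_status 429;

        # Cheap static files: the connection limit alone is enough.
        location / {
            try_files $uri $uri/ =404;
        }

        # Expensive PHP: additionally cap the rate at 10 r/s per address and
        # allow a burst of 20 requests that are served immediately (nodelay)
        # rather than queued; anything beyond the burst is rejected.
        location ~ \.php$ {
            limit_req zone=perip_req burst=20 nodelay;
            limit_req_status 429;
            try_files $uri =404;
            # fastcgi_params / SCRIPT_FILENAME / fastcgi_pass as elsewhere
        }
    }
}
```

If nginx sits behind a load balancer or CDN, every request arrives from the proxy's address and one client can exhaust the limit for everybody; configure the realip module (set_real_ip_from and real_ip_header) so that $binary_remote_addr is the real client before enabling these limits.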

9. Avoid HTTP Basic authentication where you can. By default the password file uses the traditional crypt() hash, which is weak (DES-based, passwords truncated at 8 characters, fast to brute-force). If you have to use it, at least use a stronger hash format such as apr1/MD5, or SHA-512 crypt where the system's crypt() supports it (still not a good option, but better than plain crypt), and only serve it over TLS, because Basic auth sends the password base64-encoded in clear text with every request.
10. Keep up to date with Nginx security updates.

