Best Security Practices for NGINX Webserver

August 27, 2021   Linux Tips & Tutorials

Nginx is a lightweight, high-performance web server/reverse proxy and e-mail (IMAP/POP3) proxy. It runs on UNIX, GNU/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows.

It  is the fastest growing web server in the industry, and currently, it holds number two position in market share. It was initially released in 2004, and since then it has earned an excellent reputation and used in top million busiest sites. Unlike traditional servers, Nginx doesn’t rely on threads to handle requests. Instead, it uses a much more scalable event-driven (asynchronous) architecture.It is the web server of choice for Netflix, WordPress.com, and other high traffic sites.

This article will guide you to secure your Nginx webserver :-

1. Controlling Buffer Overflow Attacks. 

A buffer overflow occurs when a program tries to write too much data in a fixed length block of memory (a buffer). Buffer overflows can be used by attackers to crash a web-server or execute malicious code. If your web-server is vulnerable to buffer overflow attacks, it is only a matter of time until a hacker injects code and takes control of our system.

Therefore, We can set the buffer size limitations in nginx.conf or our site’s Virtual Host.

For controlling Buffer overflow attacks dd the following in our nginx.conf or virtual Host:

## Start: Size Limits & Buffer Overflows ##
  client_body_buffer_size  1K;
  client_header_buffer_size 1k;
  client_max_body_size 1k;
  large_client_header_buffers 2 1k;
 ## END: Size Limits & Buffer Overflows ##

## Start: Timeouts ##
  client_body_timeout   10;
  client_header_timeout 10;
  keepalive_timeout     5 5;
  send_timeout          10;
## End: Timeouts ##

2. Allow Access To Our Domain Only.

If bot is just making random server scan for all domains, just deny it. We must only allow configured virtual domain or reverse proxy requests. We may need to block IP addresses to protect our website from malicious attacks such as DOS & DDOS.

To all access to our domain only, We can add the following in our nginx.conf or virtual Host:

## Only requests to our Host are allowed 
      if ($host !~ ^(garudabooks.com|www.garudabooks.com|)$ ) {
         return 444;
      }

3. Limit Available Methods.

GET and POST are the most common methods on the Internet.A usual Website just needs 3 HTTP Methods: GET, HEAD and POST.Thus, we should block all other Methods.

To limit available, we can add the following in our nginx.conf or virtual domain:

## Only allow these request methods ## 
if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }

4. Deny Certain User-Agents 

You can easily block user-agents i.e. scanners, bots, and spammers who may be abusing your server. We can also block robots called msnbot and scrapbot.

Append the following in your nginx.conf or virtual Host to deny certain User-Agents.

## Block download agents ##
     if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
            return 403;
     }

## Block some robots ##
     if ($http_user_agent ~* msnbot|scrapbot) {
            return 403;
     }

5. Block Referrer Spam.

Referrer spam is dangerous. It can harm your SEO ranking via web-logs (if published) as referrer field refer to their spammy site. Thus, we can block access to referrer spammers.

We can add the following in our nginx.conf or virtual Host to block referrer spam:

## Deny certain Referrers ###
     if ( $http_referer ~* (|forsale|jewellry|organic|) )
     {
         # return 404;
         return 403;
     }

6. Stop Image Hotlinking. 

Image or HTML hotlinking means someone makes a link to our site to one of our images, but displays it on their own site. The end result we will end up paying for bandwidth bills and make the content look like part of the hijacker’s site. This is usually done on forums and blogs. It is strongly suggested, we should block and stop image hotlinking at ourserver level itself.

Image hotlinking can be stopped by appending the following line to nginx.conf or virtual host.

# Stop deep linking or hot linking
location /images/ {
  valid_referers none blocked www.example.com example.com;
   if ($invalid_referer) {
     return   403;
   }
}

7. Avoid clickjacking 

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

We can add the following in our nginx.conf or virtual domain to avoid clickjacking:

add_header X-Frame-Options SAMEORIGIN;

8. Enable the Cross-site scripting (XSS) filter 

Cross-site scripting (XSS) is a computer security vulnerability that allows malicious attackers to inject client-side script into web pages viewed by other users. The Cross-site Scripting Filter setting enables basic filtering of common attacks by forcing the injection of HTTP  headers with X-XSS protection.

Enable the Cross-site scripting (XSS) filter by adding the following in our nginx.conf or virtual Host: 

add_header X-XSS-Protection "1; mode=block";

9 . Install SELinux Policy To Harden The Nginx Webserver 

By default SELinux will not protect the nginx web server. However, we can install and compile protection by installing these additional packages selinux-policy-targeted selinux-policy-devel.

yum install selinux-policy-targeted selinux-policy-devel

10. Disable Weak SSL/TLS Protocols

The default configuration of nginx allows you to use insecure old versions of the TLS protocol (according to the official documentation: ssl_protocols TLSv1 TLSv1.1 TLSv1.2). This may lead to attacks such as the BEAST attack. Therefore, we recommend that you do not use old TLS protocols and change your configuration to support only newer, secure TLS versions.

We can avoid using weak SSL protocolos i.e TLS 1.0 and TLS 1.1. And It is advised to use TLSv1.2 TLSv1.3;

Add the following in our nginx.conf or virtual Host:

ssl_protocols TLSv1.2 TLSv1.3;

11. Disable nginx server_tokens

By default, the server_tokens directive in nginx displays the nginx version number. It is directly visible in all automatically generated error pages but also present in all HTTP responses in the Server header.

This could lead to information disclosure – an unauthorized user could gain knowledge about the version of nginx that we use. we should disable the server_tokens directive in the nginx configuration file by setting server_tokens off.

To disable nginx tokens, first we will have to install “nginx-extras” package then add the following in nginx.conf or Virtual Host:

server_tokens off;

12. Strict-Transport-Security

HTTP Strict Transport Security (HSTS) is a method used by websites to declare that they should only be accessed using asecure connection (HTTPS). If a website declares an HSTS policy, the browser must refuse all HTTP connections and prevent users from accepting insecure SSL certificates.

To enable Strict-Transport-Security, Add the following to nginx.conf or Virtual Host:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

13. Disable Weak Cipher Suites

Additionally, you should specify cipher suites to make sure that no vulnerable suites are supported.We can disable weakCipher Suites as weak cipher suites may lead to vulnerabilities, and as a secure practice, we must make sure that only strong ciphers are allowed.

To Disable old versions of the TLS protocol. Add these to nginx.conf or Virtual Host:

ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

Click here for Best security practices for PHP & MySQL

Leave a Reply

Your email address will not be published. Required fields are marked *