The following ten common Nginx security problems, each with its fix, will make an Nginx installation noticeably more secure.
1. Do not use "if" outside the rewrite module. The "if" directive belongs to the rewrite module, and its block is evaluated imperatively, while the rest of an Nginx configuration is declarative. When users wrap non-rewrite directives (proxy_pass, fastcgi_pass, add_header and the like) in an "if" to get conditional behaviour, the two models collide: the configuration works in most cases and then fails in surprising ways in the remaining ones. Inside an "if" block only "return" and "rewrite ... last;" behave reliably; anything else should be expressed with separate location blocks, a map, or try_files.
The only complete fix would be to reject "if" around non-rewrite directives altogether. That would break a great many existing configurations, so it has not been done.
2. Forwarding every request matching ~ \.php$ to PHP. We described the weakness of this popular directive last week. A block such as location ~ \.php$ { fastcgi_pass ...; } decides on the URI alone, not on what exists on disk. If the regular expression is written without the anchor (~ \.php), an uploaded file named hello.php.jpeg matches and is handed to PHP. Even with the $ anchor, a request for a path like /uploads/hello.jpeg/x.php still matches: PHP with cgi.fix_pathinfo=1 then searches backwards along the path for an existing file, finds hello.jpeg and executes it as PHP.
There are three good fixes for this, and since each covers a slightly different case, apply all of them rather than picking one; never execute code from a location that is also used for user-supplied files.
Put try_files $uri =404; before fastcgi_pass, so that only files that actually exist on disk are forwarded to the FastCGI process running PHP and every other path returns 404.
Set cgi.fix_pathinfo = 0 in php.ini. PHP then tries only the exact file named in SCRIPT_FILENAME and refuses the request instead of guessing which part of the path is the script.
Fix the regular expression so that it only matches real PHP files. Keep it anchored with $ (the unanchored ~ \.php matches any path that merely contains ".php"), and add a location that refuses any URI with a dot in a directory component before the script name: location ~ \..*/.*\.php$ { return 403; }. Regular-expression locations are tried in the order they appear and the first match wins, so this block must come before location ~ \.php$.
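The three fixes combined into one server block, added here as an illustration and not taken from the original article. The server name, document root and php-fpm socket path are assumptions; the php.ini setting is shown as a comment because it lives outside Nginx.

```nginx
# Added example: a PHP location hardened against the pathinfo problem.
# Assumed values: example.com, /var/www/example, /run/php/php-fpm.sock.
# Companion setting in php.ini (not an Nginx directive):
#   cgi.fix_pathinfo = 0
server {
    listen 80;
    server_name example.com;        # assumed
    root /var/www/example;          # assumed document root

    # Refuse any URI with a dot in a directory component before the script,
    # e.g. /uploads/hello.jpeg/x.php. Listed first, because regex locations
    # are matched in order of appearance and the first match wins.
    location ~ \..*/.*\.php$ {
        return 403;
    }

    # Anchored with $, so /uploads/hello.php.jpeg is served as a static file
    # (or refused below) rather than handed to PHP.
    location ~ \.php$ {
        # Only files that exist on disk reach PHP; anything else is a 404.
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Uploads are data, never code: nothing under /uploads/ is executed,
    # whatever its name. ^~ stops regex locations from being consulted.
    location ^~ /uploads/ {
        try_files $uri =404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the result with nginx -t before reloading, then request a path such as /uploads/hello.jpeg/x.php and /uploads/hello.php.jpeg and confirm that neither produces PHP output.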
3. Disable the autoindex module. Directory listings are off by default in Nginx, but some distribution configurations enable them; if yours does, add autoindex off; to the relevant location block.
4. Disable SSI (server-side includes). SSI is off by default; where a configuration has turned it on, add ssi off; to the location block.
5. Hide the server version. With server_tokens on (the default), the Server header and the built-in error pages show the exact Nginx version. Add server_tokens off; to the http block of the Nginx configuration. The header still announces "nginx"; only the version number is hidden, so this is a defence against casual fingerprinting, not a substitute for patching (item 10).
6. Bound the memory each request may consume. These buffer settings cap how much a single client can make a worker allocate for one request; they mitigate resource-exhaustion attacks, not memory-safety bugs in Nginx itself (those need the updates in item 10). A request that exceeds them is rejected with 413 (body too large) or 400/414 (header or request line too long). The values from the original list are:
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
Treat them as a starting point, not a recommendation: client_max_body_size 1k rejects any POST or upload larger than a kilobyte, and 1k header buffers reject ordinary browser requests that carry a few cookies. Set client_max_body_size to what the application actually needs and large_client_header_buffers to something like 4 8k.
7. Use short timeouts to limit slow-client denial of service. All of these can be placed in the http block of the main configuration file:
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
Note that client_body_timeout and send_timeout apply to the gap between two successive read or write operations, not to the whole transfer, so a client that trickles a byte every few seconds still holds the connection open. Timeouts therefore complement the connection limits in item 8 rather than replace them.
8. Limit the number of connections per client to blunt denial of service. The original list used limit_zone, which was replaced by limit_conn_zone (with a different syntax) in Nginx 1.1.8 and no longer exists in current releases. The modern equivalent is:
limit_conn_zone $binary_remote_addr zone=slimits:5m;
limit_conn slimits 5;
The first line goes in the http block and declares a 5 MB shared zone keyed by client address (room for tens of thousands of addresses); the second goes in a server or location block and allows at most five concurrent connections per address, answering the sixth with 503 by default. Only connections with a request being processed are counted, so idle keepalive connections do not consume the quota, but many users behind one NAT address share it, which makes a limit of 5 too low for some sites.
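Items 6 to 8 placed in their correct contexts, added here as an example rather than taken from the original article. The zone must be declared in http and limit_conn applied in server or location; the sizes and limits are illustrative, and the server name and root are assumptions.

```nginx
# Added example: request limits from items 6-8 in a complete http context.
# Values are illustrative; example.com and /var/www/example are assumed.
http {
    # Item 8: one zone shared by every server, keyed by client address.
    # limit_conn_zone replaced the older limit_zone directive in 1.1.8.
    limit_conn_zone $binary_remote_addr zone=slimits:5m;

    # Item 7: timeouts in seconds. Each applies between two successive
    # operations, not to the whole transfer.
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     5 5;
    send_timeout          10;

    # Item 6: per-request memory bounds. Bodies over client_max_body_size
    # get 413; header lines over large_client_header_buffers get 400/414.
    client_body_buffer_size     16k;
    client_header_buffer_size   1k;
    client_max_body_size        1m;   # assumed; size it to the application
    large_client_header_buffers 4 8k; # 1k would reject cookie-heavy requests

    server {
        listen 80;
        server_name example.com;   # assumed
        root /var/www/example;     # assumed

        # Item 8: at most 5 in-flight connections per address; the 6th gets
        # 503 (limit_conn_status) and is logged at the level set here.
        limit_conn slimits 5;
        limit_conn_log_level warn;

        location / {
            try_files $uri $uri/ =404;
        }
    }
}
```

After reloading, open six parallel long-running requests from one address and confirm the sixth is answered with 503; that verifies the zone and the limit are wired to the right contexts.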
9. Be careful with HTTP basic authentication. Password files for auth_basic are hashed with crypt() by default, and the classic DES-based crypt truncates passwords at eight characters and is trivially brute-forced. If you need basic authentication, use a stronger hash: the $apr1$ MD5 format is better than DES crypt (not a good choice in itself, but an improvement), and the SHA-512 crypt format ($6$, produced by openssl passwd -6) is better still on systems whose libc crypt() supports it. Whatever the hash, basic authentication sends the password itself in every request, so use it only over HTTPS.
10. Keep Nginx up to date. Follow the security advisories published on nginx.org and apply updates promptly; none of the configuration changes above fixes a bug in the binary.