Nginx server-related security configuration recommendations

Source: Internet
Author: User
Tags: crypt, http authentication, nginx, server

Nginx is one of the most popular web servers today. It serves about 7% of the world's web traffic and is growing at a remarkable rate. It is an impressive server and one I am happy to deploy.

Here is a list of common security pitfalls and their solutions to help ensure that your Nginx deployment is secure.

1. Use "if" carefully in the configuration file. It is part of the rewrite module and should not be used everywhere.

An "if" block is an imperative part of the rewrite module's evaluation, whereas the rest of the Nginx configuration is declarative. Users sometimes wrap non-rewrite directives in an "if" because they need conditional behaviour, and that is what leads to the problems described here. It works in most cases, but not always.

The only solution that seems right is to completely disallow "if" around directives that do not belong to the rewrite module. That would break many existing configurations, so it has not been done yet.


2. Passing every ~ \.php$ request to PHP. We released a description of a potential security vulnerability in this popular directive last week. Even a request for a file named hello.php.jpeg can end up matching the ~ \.php$ pattern and being executed as PHP.

There are now two good ways to solve this problem. I think they need to be combined to make sure arbitrary code cannot be executed easily.

    • Use try_files so that a request is forwarded to the FastCGI process running PHP only when the file is actually found (this applies to every kind of dynamic execution).
    • Confirm that cgi.fix_pathinfo is set to 0 (cgi.fix_pathinfo=0) in php.ini. This makes PHP check the full file name and ignore the request when the file is not found.
    • Fix the regular expression so it does not match the wrong file. The regex currently matches any path that contains ".php". Add a location that returns 403 for such paths alongside the location ~ \.php$ block, so that only the correct files can be executed: location ~ \..*/.*\.php$ { return 403; }


3. Disable the autoindex module. This may already be off in the Nginx version you are using; if not, add autoindex off; to the location block of the configuration file.

4. Disable SSI (server side includes) on the server. This is done by adding ssi off; to the location block.

5. Turn off the server tag. If it is on (the default), every error page displays the server version and information. To resolve this, add the server_tokens off; declaration to the Nginx configuration file.

6. Set custom buffer sizes in the configuration file to limit the possibility of buffer overflow attacks.

Configuration as follows:
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;   # 1k rejects almost any POST body; size it to what the application really needs
large_client_header_buffers 2 1k;

7. Set low timeouts to prevent DoS attacks. All of these declarations can be placed in the main configuration file.

Configuration as follows:
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;

8. Limit the number of connections per user to prevent DoS attacks.

Configuration as follows:
limit_zone slimits $binary_remote_addr 5m;   # deprecated; current nginx uses: limit_conn_zone $binary_remote_addr zone=slimits:5m;
limit_conn slimits 5;
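As an added example that is not part of the original article, the following http-level fragment applies items 2 to 8 together in one place. The server name, document root and PHP-FPM socket path are placeholders, and limit_conn_zone is used as the current replacement for the deprecated limit_zone directive:

```nginx
# Added example, not from the original article. Include inside http { }.
# server_name, root and the PHP-FPM socket are placeholders/assumptions.

server_tokens off;                       # item 5: hide version on error pages

# item 6: small fixed buffers. 1k rejects almost any POST body, so set
# client_max_body_size to what the application actually needs.
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

# item 7: short timeouts so slow clients cannot hold worker connections open
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;

# item 8: limit_conn_zone is the current form of the deprecated limit_zone
limit_conn_zone $binary_remote_addr zone=slimits:5m;

server {
    listen 80;
    server_name example.com;             # placeholder
    root /var/www/example;               # placeholder document root
    limit_conn slimits 5;                # item 8: 5 connections per address

    location / {
        autoindex off;                   # item 3: no directory listings
        ssi off;                         # item 4: no server side includes
        try_files $uri $uri/ =404;
    }

    # item 2: regex locations are tested in order, so this must sit before
    # the \.php$ block. It rejects any path that has another file with an
    # extension in front of the .php segment (it also blocks PHP under a
    # directory whose name contains a dot, so adjust if you have one).
    location ~ \..*/.*\.php$ {
        return 403;
    }

    location ~ \.php$ {
        try_files $uri =404;             # item 2: file must exist on disk
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
    }
}
```

Pair the \.php$ block with cgi.fix_pathinfo=0 in php.ini, as item 2 describes. Run nginx -t to validate the syntax before reloading.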

9. Try to avoid using HTTP authentication. HTTP authentication uses crypt by default, and its hash is not secure. Use MD5 if you must use it (not a good choice either, but better than crypt).

10. Keep up to date with the latest Nginx security updates.
