Nginx server basic security configuration and some security usage tips

Source: Internet
Author: User
Tags: chmod, crypt, fpm, http authentication, ini, readable, file permissions, nginx server

Security Configuration
1. Nginx
Nginx itself does not execute PHP; it is only a web server. When a request arrives whose URI matches a PHP location in nginx.conf, nginx hands it over FastCGI to the PHP-FPM master process, which dispatches it to one of its worker (CGI child) processes; the worker runs the script and the result travels back through nginx to the client. Note that nginx decides that a request is "a PHP request" from the URI and its location rules, never from the content of the file on disk.
Two accounts are therefore involved: the account the nginx workers run as, and the account the PHP-FPM pool runs as. For a static file, only the nginx account needs read permission on the file (plus search permission on every directory above it). For a PHP file, nginx needs search permission on the directories (to stat the file when try_files is used) but does not read the script itself; it is the PHP-FPM account that must have read permission on the script, because PHP-FPM is the process that opens it.
2. Some empirical conclusions
2.1. On Linux, to read a file you need execute (search) permission on every directory in the path to the file, and read permission on the file itself.
2.2. Executing a PHP file does not require the execute bit on the file; the PHP-FPM account needs read permission on it, and the nginx account needs search permission on its directories when try_files is used.
2.3. After a web shell (Trojan) has been uploaded, it can list a directory only if the PHP-FPM account has read permission on that directory. Removing that read permission prevents listing, but files whose names the attacker already knows can still be opened as long as the directory is searchable.
2.4. Which commands the web shell can run, and what they can touch, is bounded by the permissions of the PHP-FPM account.
2.5. For the web shell to run a command through PHP's system(), exec(), shell_exec(), passthru() or popen(), the PHP-FPM account needs execute permission on the shell those functions spawn, normally /bin/sh.
2.6. To read a file inside a directory you do not need read permission on the directory, only execute (search) permission on it: the read bit on a directory governs listing its entries, not access to entries by name.
These are file-system (DAC) rules only. They limit what the php-fpm process can reach; they do not stop PHP code from running inside that process, so they belong together with the php.ini side of section 3 (disable_functions for the exec family, open_basedir for file access).
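The permission rules above can be checked mechanically. The following Python script is an added example, not code from the original article: it builds a throw-away directory tree laid out like section 6 (root-owned site directory, writable uploads directory, a directory that is searchable but not listable, a directory with no search bit, and a stand-in for /bin/sh whose other-execute bit was removed), then decides from the mode bits alone whether the php-fpm account could read, list, write or execute each entry. The uid/gid 65534 used for the php-fpm account, the directory names and the file contents are assumptions made for the demonstration; because only mode bits are consulted, the answers are the same whichever user runs the script (running it as root would otherwise bypass every check).

```python
"""Permission-model walkthrough for section 2 (added example, not the article's code).
Builds a temporary tree, sets the mode bits the text discusses, and answers
"could the php-fpm account do X?" from the bits alone."""
import os
import shutil
import stat
import tempfile

PHP_FPM_UID = PHP_FPM_GID = 65534  # assumed: uid/gid of the php-fpm pool account ("nobody")

_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def has_bit(path, uid, gid, how):
    """Classic DAC: the owner class applies if uid matches, else the group class
    if gid matches, else 'other'. Only that one class is consulted."""
    st = os.stat(path)
    owner, group, other = _BITS[how]
    if st.st_uid == uid:
        return bool(st.st_mode & owner)
    if st.st_gid == gid:
        return bool(st.st_mode & group)
    return bool(st.st_mode & other)


def reachable(path, uid, gid, root):
    """2.1 and 2.6: the execute (search) bit is needed on root and on every
    directory between root and path; the read bit on those directories is not."""
    cur = root
    if not has_bit(cur, uid, gid, "x"):
        return False
    for part in os.path.relpath(path, root).split(os.sep)[:-1]:
        cur = os.path.join(cur, part)
        if not has_bit(cur, uid, gid, "x"):
            return False
    return True


def can_read(path, uid, gid, root):
    """Read a file, or list a directory (2.3): read bit on the entry itself."""
    return reachable(path, uid, gid, root) and has_bit(path, uid, gid, "r")


def can_write(path, uid, gid, root):
    """Create or overwrite inside a directory (6.6): write bit on the directory."""
    return reachable(path, uid, gid, root) and has_bit(path, uid, gid, "w")


def can_exec(path, uid, gid, root):
    """Run a program such as /bin/sh (2.5, 6.4): execute bit on the file."""
    return reachable(path, uid, gid, root) and has_bit(path, uid, gid, "x")


def build_tree():
    """Constructed layout mirroring section 6 (names and contents are made up)."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)

    def mk(rel, mode, content=None):
        p = os.path.join(base, rel)
        if content is None:
            os.mkdir(p)
        else:
            with open(p, "w") as f:
                f.write(content)
        os.chmod(p, mode)
        return p

    mk("html", 0o755)
    mk("html/index.php", 0o644, "<?php echo 'hi';")  # 2.2: no x bit on the script
    mk("html/uploads", 0o757)                        # 6.6: o+w so uploads can be written
    mk("private", 0o751)                             # searchable but not listable
    mk("private/config.ini", 0o644, "dbpass=secret")
    mk("other_site", 0o750)                          # 6.3: no search bit for 'other'
    mk("other_site/db.txt", 0o644, "dbpass=secret2")
    mk("bin", 0o755)
    mk("bin/sh", 0o754, "#!/bin/sh\n")               # 6.4: chmod o-x /bin/sh
    return base


def run_demo():
    """Evaluate the section 2 claims for the php-fpm account; returns a dict."""
    base = build_tree()
    u, g = PHP_FPM_UID, PHP_FPM_GID
    p = lambda rel: os.path.join(base, rel)
    try:
        return {
            "read_script":      can_read(p("html/index.php"), u, g, base),      # True  (2.2)
            "exec_bit_needed":  can_exec(p("html/index.php"), u, g, base),      # False, PHP still runs it
            "list_private":     can_read(p("private"), u, g, base),             # False (2.3)
            "read_private_ini": can_read(p("private/config.ini"), u, g, base),  # True  (2.6)
            "read_other_site":  can_read(p("other_site/db.txt"), u, g, base),   # False (2.1)
            "write_uploads":    can_write(p("html/uploads"), u, g, base),       # True  (6.6)
            "write_docroot":    can_write(p("html"), u, g, base),               # False (6.1)
            "run_sh":           can_exec(p("bin/sh"), u, g, base),              # False (2.5, 6.4)
            "owner_runs_sh":    can_exec(p("bin/sh"), os.getuid(), os.getgid(), base),  # True
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:18} {ok}")
```

Running it prints one line per check. The pairs worth noticing are list_private False next to read_private_ini True (2.3 and 2.6 together: hiding a listing does not hide a file whose name is guessable), and exec_bit_needed False next to read_script True (2.2: the execute bit on a .php file is irrelevant, the read bit is what counts).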
3. Nginx server-related security configuration
3.1  nginx.conf configuration
3.2  php-fpm.conf configuration
3.3  Nginx and PHP-FPM Run account permissions on the disk configuration
3.4  php.ini configuration
4. Common Configuration
4.1 Prohibit access to a directory
Example: deny access to the /path directory

location ^~ /path {
    deny all;
}

Replace /path with the directory you actually need to protect. Whether the path ends in "/" matters: with a trailing "/", access to the directory and every file below it is denied. Without it the match is broader: any URI that begins with /path (for example /path_old or /pathfile.txt) is denied as well. Because of the ^~ modifier, once this prefix is the longest matching prefix nginx stops evaluating regular-expression locations, so the `location ~ \.php$` block that hands requests to fastcgi is not consulted for these URIs no matter where in the file it appears. A plain `location /path` without ^~ would lose to the \.php$ regex for PHP files under the directory, which is why the usual advice is to keep this block ahead of the fastcgi configuration.
4.2 Prohibit the access and execution of PHP files
Example: remove PHP execution from a single directory

location ~ /attachments/.*\.(php|php5)$ {
    deny all;
}

Example: remove PHP execution from multiple directories

location ~ /(attachments|upload)/.*\.(php|php5)$ {
    deny all;
}

Two details matter here. First, the pattern as commonly copied reads `\.(php|php5)?$`; the trailing "?" makes the extension optional, so the regex also matches any URI that ends in a dot, which is not what was meant. The forms above require the extension. Second, regular-expression locations are evaluated in the order they appear and the first match wins, so these blocks must come before the general `location ~ \.php$` block that passes requests to php-fpm, otherwise the general block is chosen first. Use `~*` instead of `~` if uploads may carry an upper-case .PHP extension.

4.3 Prohibit IP access
Example: deny a whole IP range (CIDR notation):

deny 10.0.0.0/24;

Example: allow one IP address and one IP range, and deny everyone else:

allow x.x.x.x;
allow 10.0.0.0/24;
deny all;

The allow/deny rules are checked in order and the first matching rule wins, so the catch-all `deny all;` must come last. They may be placed in the http, server or location context; combined with 4.1 this is the usual way to restrict an admin back end to office addresses. Note that nginx evaluates these rules against the address of the TCP peer, so behind a load balancer or reverse proxy they see the proxy's address unless the real client address is restored with the realip module.

5. Frequently Asked Questions
5.1 How to make sure an uploaded web shell cannot run immediately after upload
Add a location for the upload directory to the nginx configuration so that PHP is not parsed there (see 4.2).
5.2 How to stop a running web shell from seeing files outside the web directory
Remove the PHP-FPM run account's read (and search) permission on the other directories.
5.3 How to stop a web shell from running system commands
Remove the PHP-FPM account's execute permission on /bin/sh (see 6.4), and disable the exec-family functions in php.ini.
5.4 How to keep the commands it can run from having high privileges
Do not run PHP-FPM as root and do not put its account in the root group.
6. Nginx Security Configuration
6.1 Make the site directory owned by root rather than by the php-fpm run account, so that PHP cannot modify the site's own files:

chown -R root:root html/

6.2 Set the nginx and PHP-FPM run account and group to nobody. (Better practice is a dedicated account per service, or per site, since nobody is shared with other daemons; the steps below apply unchanged to such an account.)
6.3 Remove nobody's read permission on the directories it must not see, then add read permission back on the site directory. The original recipe is:

chmod -R o-r /
chmod -R o+r html/

Do not run the first command literally against "/": it strips world-read from /lib, /usr, /etc and the rest of the system and breaks nearly every unprivileged process, including nginx and php-fpm themselves. Apply it to the specific directories that hold other sites, configuration files or backups instead.
6.4 Remove nobody's execute permission on /bin/sh:

chmod o-x /bin/sh

(The original gives `chmod 776 /bin/sh`, which removes other-execute but also adds group-write on the shell; `o-x` expresses the intent without that side effect.) Be aware that /bin/sh is usually a symlink to dash or bash and chmod changes the target, that package upgrades restore the permissions, and that this blocks every other unprivileged user and cron job on the host from using the shell. Treat it as defence in depth behind disable_functions in php.ini, not as the primary control.
6.5 Confirm that the web site directories are readable and executable (searchable) by nobody, and that the web site files are readable.
6.6 Add write permission for nobody on the directories where files are uploaded or written, and nowhere else.
6.7 Configure nginx.conf so the upload directory has no PHP execution (4.2).
6.8 Configure nginx.conf to block access to folders such as the admin back end, or restrict them to certain IPs (4.1, 4.3).
6.9 Configure nginx.conf to block access to file types that should never be served, such as .txt log files, .ini, .sql or .bak files.

10 Nginx security tips
1. Use "if" carefully in the configuration file. It is part of the rewrite module and should not be used anywhere else. An "if" statement is an imperative part of the rewrite module's evaluation of directives; the rest of nginx's configuration is declarative. People use "if" inside non-rewrite contexts to get some effect they need, and in most cases it appears to work, but the evaluation order is surprising and it can silently do the wrong thing (the nginx wiki collects the cases under "If is Evil"). The only solution that seems right is to forbid "if" outside rewrite-module directives altogether; that would break many existing configurations, so it has not been done. Prefer try_files, map and separate location blocks.
2. Passing every `~ \.php$` request to PHP. A description of a security problem with this popular directive was published recently. The regex only looks at the URI, so a request such as /uploads/avatar.jpg/anything.php matches `\.php$` and is forwarded to PHP-FPM with SCRIPT_FILENAME pointing at a path that does not exist. With cgi.fix_pathinfo=1 (the default) PHP walks back along the path until it finds an existing file, here avatar.jpg, executes it as PHP and treats the rest as PATH_INFO. An uploaded image with PHP code inside thus becomes executable.
There are now good ways to address this; use more than one of them, since relying on a single check is an easy way to end up executing arbitrary code.
Use try_files in the PHP location so that nginx returns 404 when the file does not exist, and only otherwise forwards the request to the FastCGI process running PHP (`try_files $uri =404;`). This applies to every location that executes something dynamically.
Make sure cgi.fix_pathinfo is set to 0 (cgi.fix_pathinfo=0) in php.ini. PHP then runs only the exact file named in SCRIPT_FILENAME and returns an error when it does not exist, instead of searching the path for something to run. PHP-FPM's own security.limit_extensions setting (default .php) adds a second check on the php-fpm side.
Fix the regular expression so it cannot match the wrong file. Since `\.php$` accepts any URI ending in .php, add a location that denies PHP under directories that hold user content, for example `location ~ /uploads/.*\.php$ { return 403; }`, placed before the general `location ~ \.php$` block.
3. Disable the autoindex module. The autoindex directive defaults to off; check that no server or location block turns it on, or set `autoindex off;` explicitly in the location blocks of the configuration file, so that a directory without an index file does not return a listing of its contents.
4. Disable SSI (server-side includes) on the server. It is off by default; adding `ssi off;` in the location block makes the intent explicit.
5. Turn off server tokens. With them on (the default) the version is shown in the Server header and on every error page. Add `server_tokens off;` to the nginx configuration file; the Server header then reads just "nginx" without the version.
6. Set request buffer sizes in the configuration file to bound how much memory and disk a single client can make nginx commit, which limits request-flooding and oversized-body attacks (the original calls this "buffer overflow", but it is resource exhaustion, not memory corruption).

client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

These values are the ones usually quoted and are far too small for a real site: client_max_body_size 1k rejects any upload or form post above a kilobyte with 413, and two 1k header buffers break requests with large cookies. Choose values from what the application actually needs (for example client_max_body_size equal to the largest upload you accept) rather than copying these.

7. Set the timeouts low to make slow-request denial of service (clients that trickle headers or bodies, or hold idle connections) cheaper to survive. All of these directives can go in the http context of the main configuration file. The values for the first two directives are missing in the original; the 10 s shown is an illustrative choice.

client_body_timeout 10;     # seconds allowed between two reads of the request body (value assumed)
client_header_timeout 10;   # seconds to receive the complete request header (value assumed)
keepalive_timeout 5 5;      # close idle keep-alive connections after 5 s, and advertise 5 s to the client
send_timeout 10;            # seconds allowed between two writes to a slow client

8. Limit the number of connections per client to make connection-flooding denial of service harder. The original uses limit_zone, which has been deprecated since nginx 1.1.8 in favour of limit_conn_zone (in the http context) together with limit_conn (in http, server or location):

limit_conn_zone $binary_remote_addr zone=slimits:5m;
limit_conn slimits 5;

This allows at most 5 simultaneous connections from one source address; clients behind a shared NAT or proxy address count together, so do not set it too low.

9. Try to avoid HTTP basic authentication. The htpasswd tools create crypt(3) hashes by default, which truncate the password to 8 characters and are weak. If you must use it, pick a stronger hash that nginx accepts: the apr1 MD5 variant (`htpasswd -m`) is not a good choice but is better than plain crypt, and where the system's crypt() supports it SHA-512 (`openssl passwd -6`) is better still. Use it only over TLS, since the password itself is sent base64-encoded in every request.
10. Keep up-to-date with the latest Nginx security updates.
