Nginx10 is a security issue for 10 Nginx security questions. Nginx has 10 security questions. Nginx is one of the most popular Web servers today. It provides services for 7% of the world's web traffic and is growing at an astonishing rate. Nginx10 security issues reported by Nginx
Nginx is one of the most popular Web servers today.
It provides services for 7% of the world's web traffic and is growing at an astonishing rate. It is an amazing server. I am willing to deploy it. Below is a list of common security traps and solutions. it can help ensure that your Nginx deployment is secure. 1. use "if" in the configuration file ". It is part of the rewrite module and should not be used anywhere. The "if" statement is mandatory for the rewrite module evaluation instruction. In other words, Nginx configuration is declarative in general. In some cases, due to user requirements, they try to use "if" in some non-rewrite commands, which leads to the situation we are currently encountering. It works normally in most cases,... Refer to the above mentioned. It seems that the only correct solution is to completely disable "if" in a non-override command ". This will change many existing configurations, so they are not completed yet. Source: ifisedevil 2. set each ~ The. php $ Request is forwarded to PHP. Last week, we introduced the potential security vulnerabilities of this popular command. The ghost file is named hello.php.jpeg. It will also match ~ . Php $ this regular expression executes the file. There are two good solutions to the above problems. I think it is necessary to make sure that you do not easily execute any mixed methods of code. 1. if the file is not found, use try_files and only (note all the dynamic execution cases) to forward it to the FCGI process running PHP. 2. check that cgi. fix_pathinfo in the php. ini file is set to 0 (cgi. fix_pathinfo = 0 ). In this way, make sure that PHP checks the full name of the file (when it does not find. php at the end of the file, it will ignore it) 3. fixed the problem of incorrect file matching by regular expressions. Now the regular expression assumes that any file contains ". php ". Add "if" after the site to ensure that only the correct file can run. Change/location ~ . Php $ and location ~ . */. *. Php $ is set to return 403; 3. disable the autoindex module. This may have been changed in your Nginx version. if not, you only need to add autoindex off in the location block of the configuration file. 4. disable ssi (server-side reference) on the server ). You can add ssi off in the location block ;. (Script school www.jbxue.com) 5. disable the server tag. If it is enabled (by default), all error pages will display the server version and information. Add the server_tokens off; declaration to the Nginx configuration file to solve this problem. 6. set custom cache in the configuration file to limit the possibility of buffer overflow attacks.
client_body_buffer_size 1K; client_header_buffer_size 1k; client_max_body_size 1k; large_client_header_buffers 2 1k;
7. set the timeout to a lower value to prevent DOS attacks. All these declarations can be placed in the main configuration file.
client_body_timeout 10; client_header_timeout 10; keepalive_timeout 5 5; send_timeout 10;
8. restrict the number of user connections to prevent DOS attacks.
limit_zone slimits $binary_remote_addr 5m; limit_conn slimits 5;
9. try to avoid using HTTP authentication. Crypt is used for HTTP authentication by default, and its hash is not secure. If you want to use it, use MD5 (this is not a good choice but better load than crypt ). 10. maintain the latest Nginx security updates.
Ingress Nginx is one of the most popular Web servers today. It provides services for 7% of the world's web traffic and is growing at an astonishing rate ....