Top 20 Nginx Web Server Security Best Practices
Nginx is a lightweight, high-performance Web server, reverse proxy and email proxy (IMAP/POP3) that runs on UNIX, GNU/Linux, BSD variants, Mac OS X, Solaris and Microsoft Windows. According to the Netcraft survey, 6% of domain names on the Internet use Nginx Web servers. Nginx is one of the servers that solve the C10K problem. Unlike traditional servers, Nginx does not rely on threads to handle requests; instead it uses a more scalable event-driven (asynchronous) architecture. Nginx powers many high-traffic websites, such as WordPress, Hulu, GitHub and SourceForge.
This document describes how to improve the security of Nginx Web servers running on Linux or UNIX operating systems.
Nginx default configuration file and default ports
◆ /usr/local/nginx/conf/ - Nginx server configuration directory; /usr/local/nginx/conf/nginx.conf is the main configuration file.
◆ /usr/local/nginx/html/ - default document location
◆ /usr/local/nginx/logs/ - default log file location
◆ Nginx HTTP default port: TCP 80
◆ Nginx HTTPS default port: TCP 443
Run the following command to test whether the Nginx configuration is correct:
# /usr/local/nginx/sbin/nginx -t
Output example:
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful
To make a modified configuration take effect, run the following command:
# /usr/local/nginx/sbin/nginx -s reload
To stop the server, run:
# /usr/local/nginx/sbin/nginx -s stop
1. Enable SELinux
SELinux (Security-Enhanced Linux) is a Linux kernel feature. It provides a mechanism for supporting access control security policies and offers strong protection: it can block root-level attacks on most systems. See how to enable SELinux on CentOS/Red Hat systems (http://www.cyberciti.biz/faq/rhel-fedora-redhat-selinux-protection/).
Run the getsebool -a command to view the SELinux settings:
getsebool -a | less
getsebool -a | grep off
getsebool -a | grep on
Use the setsebool command to enable the items you need. Note that after SELinux is enabled, system overhead increases by 2-8% on RHEL or CentOS.
2. Provide minimum permissions through mount options
Create a separate partition for your HTML/PHP files. For example, create a /dev/sda5 partition and mount it on /nginx. Make sure /nginx is mounted with the noexec, nodev and nosuid options. Below is the entry from my own /etc/fstab:
LABEL=/nginx /nginx ext3 defaults,nosuid,noexec,nodev 1 2
Note that you need to use the fdisk and mkfs.ext3 commands to create the new partition.
3. Harden the kernel through /etc/sysctl.conf
You can control and configure Linux kernel and network settings through /etc/sysctl.conf. The following settings are a suitable starting point:
# Avoid a smurf (ICMP amplification) attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection against bogus ICMP error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on SYN cookies for SYN flood protection
net.ipv4.tcp_syncookies = 1
# Log spoofed, source-routed and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Do not act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on Exec Shield and address space randomization
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# IPv6 settings
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimization for the ports used by load balancers
# Increase the system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (reduces rollover problems); may break some programs (kernel default is 32768)
kernel.pid_max = 65536
# Increase the system IP port range
net.ipv4.ip_local_port_range = 2000 65000
# Increase the TCP maximum buffer sizes
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase the Linux auto-tuning TCP buffer limits:
# minimum, default and maximum number of bytes to use.
# Set the maximum to at least 4 MB, or higher if you use very high BDP paths.
# TCP window
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
See also:
◆ Linux VM (memory subsystem) tuning (http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem)
◆ Linux network stack tuning (buffer sizes) to improve network performance (http://www.cyberciti.biz/faq/linux-tcp-tuning)
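The mount options in step 2 and the sysctl baseline in step 3 only help if they are actually in effect on the running host, so here is an added audit script (written for this page; it is not part of the original article) that compares a sysctl dump and a mount table against the expected values. BASELINE is a subset of the settings listed above; SAMPLE_SYSCTL and SAMPLE_MOUNTS are constructed inputs so the script runs offline, and the function names audit_sysctl and check_mount_opts are my own.

```shell
#!/bin/sh
# Added example (not from the original article): audit a sysctl dump and a
# mount table against the hardening baseline above. Inputs are constructed
# strings so it runs offline; on a live host pass "$(sysctl -a)" and
# "$(cat /proc/mounts)" instead.

# Subset of the recommended /etc/sysctl.conf settings, in the same
# "key = value" syntax as the file above.
BASELINE='net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_forward = 0
kernel.randomize_va_space = 1
net.ipv4.tcp_rmem = 4096 87380 8388608'

# Constructed `sysctl -a`-style dump of an unhardened host: SYN cookies off,
# forwarding on, default TCP buffers, and accept_redirects not present at all.
SAMPLE_SYSCTL='net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 1
kernel.randomize_va_space = 2
net.ipv4.tcp_rmem = 4096   131072   6291456'

# Constructed /proc/mounts table: /nginx has nosuid and nodev but not noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda5 /nginx ext3 rw,nosuid,nodev,relatime 0 0'

# audit_sysctl BASELINE ACTUAL: print one sorted line per key that is missing
# from ACTUAL or differs from BASELINE; return 0 only when everything matches.
audit_sysctl() {
    findings=$(awk -v baseline="$1" -v actual="$2" '
        # Parse "key = value" lines into dest[], skipping comments and blanks.
        # Runs of whitespace inside multi-valued settings collapse to one space
        # so "4096   131072" and "4096 131072" compare equal.
        function parse(text, dest,    n, lines, i, parts, key, val) {
            n = split(text, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (lines[i] ~ /^[ \t]*(#|$)/) continue
                if (split(lines[i], parts, "=") != 2) continue
                key = parts[1]; val = parts[2]
                gsub(/[ \t]/, "", key)
                gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
                dest[key] = val
            }
        }
        BEGIN {
            parse(baseline, want); parse(actual, have)
            for (key in want) {
                if (!(key in have))
                    printf "MISSING %s (want %s)\n", key, want[key]
                else if (have[key] != want[key])
                    printf "MISMATCH %s = %s (want %s)\n", key, have[key], want[key]
            }
        }' | sort)
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# check_mount_opts MOUNTPOINT REQUIRED_OPTS MOUNTS: print each comma-separated
# option in REQUIRED_OPTS that MOUNTPOINT lacks in the /proc/mounts-style
# table MOUNTS (or NOT-MOUNTED); return 0 only when all options are present.
check_mount_opts() {
    missing=$(printf '%s\n' "$3" | awk -v mp="$1" -v req="$2" '
        $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            m = split(req, need, ",")
            for (i = 1; i <= m; i++) if (!(need[i] in have)) print need[i]
        }
        END { if (!found) print "NOT-MOUNTED" }')
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Run both audits against the constructed samples.
audit_sysctl "$BASELINE" "$SAMPLE_SYSCTL" || echo "sysctl: not compliant"
check_mount_opts /nginx nosuid,noexec,nodev "$SAMPLE_MOUNTS" || echo "/nginx: not compliant"
```

Both functions return a non-zero status when something deviates, so they can be dropped into a cron job or a configuration-management check. Keys that are absent from the dump are reported separately from wrong values because a missing key usually means the module or feature is not loaded rather than misconfigured.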
4. Remove all unneeded Nginx modules
Minimize the number of modules compiled into Nginx: keep only what the Web server needs and nothing more. For example, to disable the SSI and autoindex modules:
# ./configure --without-http_autoindex_module --without-http_ssi_module
# make
# make install
When compiling the Nginx server, run the following command to see which modules can be enabled or disabled:
# ./configure --help | less
Disable the Nginx modules that you do not need.
Change the Nginx version header (optional) by editing src/http/ngx_http_header_filter_module.c:
# vi +48 src/http/ngx_http_header_filter_module.c
Find the following two lines:
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
Change them to:
static char ngx_http_server_string[] = "Server: Ninja Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Ninja Web Server" CRLF;
Save and close the file. Now you can compile the server. Also add the following directive to nginx.conf so that the Nginx version number is not shown on automatically generated error pages:
server_tokens off;
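Step 4 changes the build and the banner, and both are easy to verify after the fact. The following added script (written for this page, not part of the original article) checks a `nginx -V` listing for the `--without-<module>` flags and checks a response header block for an nginx version string. SAMPLE_NGINX_V, HEADERS_BEFORE and HEADERS_AFTER are constructed inputs (including the version number in them); the function names missing_without_flags, server_header and leaks_version are my own.

```shell
#!/bin/sh
# Added example (not from the original article): verify that step 4 took
# effect. Inputs are constructed strings so the script runs offline; on a live
# host use "$(nginx -V 2>&1)" and "$(curl -sI http://127.0.0.1/)" instead.

# Constructed `nginx -V` output for a build that dropped SSI but kept autoindex.
SAMPLE_NGINX_V='nginx version: nginx/1.0.0
built by gcc 4.4.7
configure arguments: --prefix=/usr/local/nginx --without-http_ssi_module --with-http_ssl_module'

# Constructed response headers before and after the banner change.
HEADERS_BEFORE='HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Content-Type: text/html'
HEADERS_AFTER='HTTP/1.1 404 Not Found
Server: Ninja Web Server
Content-Type: text/html'

# missing_without_flags NGINX_V_OUTPUT MODULE...: print each module that was
# not disabled with --without-<module> at build time; return 0 if all were.
missing_without_flags() {
    out="$1"; shift
    args=$(printf '%s\n' "$out" | sed -n 's/^configure arguments: *//p')
    rc=0
    for mod in "$@"; do
        case " $args " in
            *" --without-$mod "*) ;;
            *) echo "$mod"; rc=1 ;;
        esac
    done
    return $rc
}

# server_header HEADERS: print the value of the first Server header.
server_header() {
    printf '%s\n' "$1" | sed -n 's/^[Ss]erver: *//p' | head -n 1 | tr -d '\r'
}

# leaks_version HEADERS: return 0 when the Server header still carries an
# "nginx/x.y.z" string, 1 when the version is hidden.
leaks_version() {
    server_header "$1" | grep -qE 'nginx/[0-9]+(\.[0-9]+)*'
}

# Run the checks against the constructed samples.
missing_without_flags "$SAMPLE_NGINX_V" http_autoindex_module http_ssi_module \
    || echo "the modules listed above are still compiled in"
for h in "$HEADERS_BEFORE" "$HEADERS_AFTER"; do
    if leaks_version "$h"; then echo "version leaked: $(server_header "$h")"
    else echo "version hidden: $(server_header "$h")"; fi
done
```

Checking the build flags rather than a module list is deliberate: `nginx -V` reproduces the exact configure line, so a module that was silently re-enabled by a later rebuild shows up immediately. The header check should be run against a URL that produces an error page as well as a normal page, since the version footer on error pages is what server_tokens off removes.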
5. Use mod_security (applicable only to backend Apache servers)
mod_security provides an application-level firewall for Apache. Install the mod_security module on all backend Apache Web servers to stop many injection attacks.
6. Configure an SELinux policy to harden Nginx
By default, SELinux does not protect the Nginx Web server; you can configure it manually to do so. First, install the packages required to compile SELinux policy:
# yum -y install selinux-policy-targeted selinux-policy-devel
Download the SELinux policy from the project home page (http://sourceforge.net/projects/selinuxnginx):
# cd /opt
# wget 'http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc'
Extract it:
# tar -zxvf se-ngix_1_0_10.tar.gz
Compile it:
# cd se-ngix_1_0_10/nginx
# make
Output example:
Compiling targeted nginx module
/usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
Creating targeted nginx.pp policy package
rm tmp/nginx.mod.fc tmp/nginx.mod
Install the generated nginx.pp SELinux module:
# /usr/sbin/semodule -i nginx.pp
7. Set limits through the iptables firewall
The following firewall script blocks all traffic and only allows:
◆ Inbound HTTP requests (TCP port 80)
◆ Inbound ICMP ping requests
◆ Outbound NTP requests (port 123)
◆ Outbound SMTP requests (TCP port 25)
#!/bin/bash
IPT="/sbin/iptables"
#### IPS ######
# Obtain the server's public IP address
SERVER_IP=$(ifconfig eth0 | grep 'inet addr:' | awk -F'inet addr:' '{ print $2}' | awk '{ print $1}')
LB1_IP="204.54.1.1"