10 Nginx security tips

Source: Internet
Author: User
Tags: crypt, http, authentication

Nginx is one of the most popular web servers today. It serves 7% of the world's web traffic and is growing at an astonishing rate. It is an excellent server, and I am happy to deploy it.
The following is a list of common security pitfalls and their fixes, which will help keep your Nginx deployment secure.
1. Using "if" in the configuration file. "if" is part of the rewrite module and should not be used anywhere else.
The "if" directive exists to evaluate rewrite-module instructions; apart from that, Nginx configuration is declarative. Users keep trying to wrap non-rewrite directives in "if" blocks, and that is the source of the problems we see: it works in most cases, ... (see the cases mentioned above).
The only correct fix seems to be to forbid "if" around non-rewrite directives entirely. That would break many existing configurations, so it has not been done yet.
2. Passing every request that matches ~ \.php$ to PHP. We covered the potential security hole in this popular directive last week: a malicious file named hello.php.jpeg also matches the ~ \.php$ regular expression, so the file gets executed.
There are two good solutions to this problem; I think the essential point is to make sure you never execute code through a mix-up of matching rules.

  1. Use try_files so that a request is passed to the FCGI process running PHP only when the file actually exists (pay attention to every case of dynamic execution).
  2. Check that cgi.fix_pathinfo in php.ini is set to 0 (cgi.fix_pathinfo = 0). This makes PHP check the full file name (the request is ignored when the file name does not end in .php).
  3. Fix the regular expression so it no longer matches the wrong files. The current expression assumes that any file containing ".php" is PHP. Add a rule after the site's location to ensure only the right files can run: keep location ~ \.php$ and set location ~ \..*/.*\.php$ to return 403;

3. Disable the autoindex module. This may already be changed in your Nginx version; if not, just add the declaration autoindex off; in the location block of the configuration file.
4. Disable SSI (server-side includes) on the server. Add ssi off;.
5. Disable the server signature. When enabled (the default), every error page shows the server version and details. Add the declaration server_tokens off; to the Nginx configuration file to fix this.

6. Set custom buffers in the configuration file to limit the possibility of buffer overflow attacks.
  • client_body_buffer_size 1k;
  • client_header_buffer_size 1k;
  • client_max_body_size 1k;
  • large_client_header_buffers 2 1k;
7. Reduce the timeouts to prevent DoS attacks. All of these declarations can be placed in the main configuration file.
  • client_body_timeout 10;
  • client_header_timeout 10;
  • keepalive_timeout 5 5;
  • send_timeout 10;
8. Limit the number of connections per user to prevent DoS attacks.
  • limit_zone slimits $binary_remote_addr 5m;
  • limit_conn slimits 5;
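The following is an added example, not configuration from the original article: one nginx.conf that applies tips 2 through 8 together. The document root, the PHP-FPM socket path and the zone name are assumptions, and limit_conn_zone is used because it replaced the obsolete limit_zone directive in Nginx 1.1.8.

```nginx
# Added example (not from the article). Assumed: /var/www/example, /run/php-fpm.sock.
events {}

http {
    server_tokens off;                       # tip 5: no version on error pages

    # tip 6: request buffers (values from the article; note that a 1k
    # client_max_body_size rejects almost any upload, so tune for your app)
    client_body_buffer_size     1k;
    client_header_buffer_size   1k;
    client_max_body_size        1k;
    large_client_header_buffers 2 1k;

    # tip 7: short timeouts
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     5 5;
    send_timeout          10;

    # tip 8: at most 5 concurrent connections per client address
    # (limit_conn_zone is the current spelling of the article's limit_zone)
    limit_conn_zone $binary_remote_addr zone=slimits:5m;
    limit_conn slimits 5;

    server {
        listen 80;
        root /var/www/example;               # assumed document root

        autoindex off;                       # tip 3: no directory listings
        ssi off;                             # tip 4: no server-side includes

        # tip 2, fix 3: this regex location is listed first, so a path such as
        # /image.jpg/x.php is refused before the generic .php rule can match it
        location ~ \..*/.*\.php$ {
            return 403;
        }

        # tip 2, fix 1: only a file that really exists reaches PHP
        # (tip 2, fix 2, cgi.fix_pathinfo=0, belongs in php.ini, not here)
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm.sock;   # assumed PHP-FPM socket
        }
    }
}
```

Run nginx -t against the file to check the syntax before reloading.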
9. Avoid HTTP authentication if you can. By default HTTP authentication uses crypt, whose hash is not secure. If you must use it, use MD5 (not a good choice either, but better than crypt).
10. Keep up with the latest Nginx security updates.
