10 Security Tips for Nginx

Source: Internet
Author: User
Tags: crypt, http, authentication

Nginx is one of the most popular web servers today. It serves 7% of the world's web traffic and is growing at a remarkable rate. It is an impressive server, and I am happy to deploy it. Below is a list of common security traps and their solutions, which can help ensure that your Nginx deployment is secure.

1. Use "if" carefully in the configuration file. "if" is part of the rewrite module and should not be used anywhere else: it is evaluated as a rewrite-module directive, whereas the rest of the Nginx configuration is declarative. Some users nonetheless put "if" inside non-rewrite contexts, which leads to the problems described in the source below. In most cases it works, but not always. The only correct solution seems to be to completely disable "if" in non-rewrite contexts, but that would break many existing configurations, so it has not been done yet.
   Source: IfIsEvil

2. Forwarding every "~ \.php$" request to PHP. A potential security vulnerability in this popular directive was presented last week: even if the file name is hello.php.jpeg, it matches the regular expression "~ \.php$" and the file is executed. There are several good ways to solve this, and I think it is necessary to make sure you are not making it easy to execute arbitrary code.
   1. Use try_files so that a request is only forwarded to the FastCGI process running PHP if the file actually exists (this should be the rule in every dynamic-execution scenario).
   2. Make sure that cgi.fix_pathinfo in php.ini is set to 0 (cgi.fix_pathinfo=0). PHP then checks the full file name; if no file with exactly that name exists, PHP ignores the request.
   3. Fix the regular expression that matches the wrong files. As written, it treats any file name containing ".php" as a script. Add a second location so that only the intended files can run: alongside location ~ \.php$, have location ~ \..*/.*\.php$ return 403.

3. Disable the autoindex module. This may already have changed in the Nginx version you use; if not, simply add autoindex off; to the location block of the configuration file.

4. Disable SSI (server-side includes) on the server. This is done by adding ssi off; to the location block.

5. Turn off the server tag. If enabled (the default), all error pages show the server's version and other information. Adding server_tokens off; to the Nginx configuration file resolves this.

6. Set custom buffer sizes in the configuration file to limit the likelihood of buffer-overflow attacks:
   client_body_buffer_size

7. Set low timeouts to prevent DoS attacks. All of these declarations can be placed in the main configuration file:
   client_body_timeout; client_header_timeout; keepalive_timeout 5 5; send_timeout

8. Limit the number of connections per user to prevent DoS attacks:
   limit_zone slimits $binary_remote_addr 5m; limit_conn slimits 5;

9. Try to avoid HTTP authentication. HTTP authentication uses crypt by default, and its hash is not secure. If you must use it, use MD5 (not a good choice either, but better than crypt).

10. Keep up with the latest Nginx security updates.
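As an added example that is not part of the original article, here is a small Python audit script that checks an Nginx configuration for the settings covered by tips 1 to 8 above. The sample configuration it scans is constructed for this example, and the parser assumes one directive or block opener per line.

```python
import re
# Constructed nginx.conf fragment used as input (an assumption, not a real deployment).
SAMPLE_CONF = """
server {
    autoindex on;
    ssi on;
    location /app {
        if ($request_uri ~* "^/app/old") {
            rewrite ^ /app/new last;
        }
    }
    location ~ \\.php$ {
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""
def _directives(conf):
    """Yield (enclosing block headers, directive) per line; one directive per line assumed."""
    stack = []
    for raw in conf.splitlines():
        line = re.sub(r"#.*", "", raw).strip()
        opener = re.match(r"^(.*?)\s*\{$", line)
        if opener:                      # block header, e.g. 'location ~ \.php$'
            yield list(stack), opener.group(1)
            stack.append(opener.group(1))
        elif line == "}":
            stack.pop()
        elif line:
            yield list(stack), line.rstrip(";")

def audit_nginx_conf(conf):
    """Return sorted findings for tips 1-8 above; an empty list means clean."""
    findings, seen, php_locs = set(), set(), {}
    for stack, text in _directives(conf):
        name = text.split()[0]
        seen.update((name, text))       # both the directive name and its full text
        in_loc = [h for h in stack if h.startswith("location")]
        if name == "if" and in_loc:
            findings.add("tip 1: 'if' inside a location block")
        if name == "location" and ".php" in text:
            php_locs[text] = False      # becomes True once a try_files is seen inside
        if name == "try_files":
            php_locs.update({h: True for h in in_loc if h in php_locs})
        if name in ("autoindex", "ssi") and text.endswith(" on"):
            findings.add("tip %d: %s on" % (3 if name == "autoindex" else 4, name))
    findings |= {"tip 2: %s has no try_files guard" % h for h, ok in php_locs.items() if not ok}
    required = ((5, "server_tokens off"), (6, "client_body_buffer_size"),
                (7, "client_body_timeout"), (8, "limit_conn"))
    findings |= {"tip %d: %s not set" % (t, d) for t, d in required if d not in seen}
    return sorted(findings)
```

Running audit_nginx_conf(SAMPLE_CONF) reports all eight tips for the sample; a configuration with try_files, the limits and the off settings in place returns an empty list.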
