1. Purpose
This standard is part of the information system security technical standards. Its main purpose is to provide a security configuration standard for our Nginx web servers, as required by the information security management policy.
2. Scope
This standard applies to all of our Nginx web servers.
3. Content
3.1 Version
Use a recent stable release of Nginx and keep it patched.
3.2 Startup account
Run the Nginx worker processes as a non-root account by setting the user directive in nginx.conf, for example:
    user www www;
or
    user nginx nginx;
Note that the master process still starts as root so that it can bind ports 80 and 443; the user directive controls the account the worker processes drop to, which is what handles requests.
3.3 Logging
Enable the access log (access_log directive) so that every request is recorded.
3.4 Preventing PHP fastcgi file name Parsing vulnerability
If PHP FastCGI support is enabled in Nginx, the following configuration must be added to prevent the file name parsing vulnerability, in which a request path that ends in .php causes PHP (with cgi.fix_pathinfo enabled) to execute a non-PHP file such as an uploaded image:
    server {
        ...
        if ($fastcgi_script_name ~ \..*\/.*php) {
            return 403;
        }
        ...
    }
The configuration above rejects requests such as the following, because the script name contains a "/" after a ".". Be aware that it will also reject legitimate scripts located under directories whose names contain a dot.
/1.jpg/x.php/my.dir/x.php
3.5 Web directory permission settings
The account Nginx runs as must not have write permission on any file or subdirectory in the web directory. If the web application needs to write log files, they must not be placed in the web directory.
Assuming the web directory is /var/www/html, the correct permission settings are:
    chown -R root:root /var/www/html && chmod -R 0755 /var/www/html
That is, the owner is root, the permissions are 0755, and every subdirectory has exactly the same permissions as the parent directory.
3.6 Writable directories must not execute scripts
If the web application does need to support file upload, or needs to write into the web directory for some other reason, the writable directory must be denied script execution in the Nginx configuration. Assuming the writable directory is /upload, the configuration is as follows:
    server {
        ...
        location ~ ^/upload/.*\.php {
            return 403;
        }
        ...
        location ~ \.php$ {
            fastcgi_pass ...;   # backend address omitted in the original
        }
    }
Note 1: "location ~ ^/upload/.*\.php" must come first. Nginx tries regular-expression locations in the order they appear and uses the first match, so if the generic "\.php$" location came first it would win and PHP files under /upload would be executed. See http://wiki.nginx.org/HttpCoreModule#location
Note 2: Assuming the web service account is nobody and the writable directory is /var/www/html/upload, the correct permission settings are:
    chown -R nobody:nobody /var/www/html/upload && chmod -R 0755 /var/www/html/upload
The owner of the writable directory must be the account Nginx runs as, the permissions must be 0755, and every subdirectory must have exactly the same permissions as the parent directory.
Note 3: "no script execution" here does not mean removing the x bit from the file system rwx permissions; the x bit may be kept in the file system permissions without harm. The control is the Nginx location rule, which prevents the files from being passed to the PHP interpreter.
3.7 Disable directory listing
Nginx does not list directory contents by default. If "autoindex on;" has been set manually in an http, server or location block of nginx.conf, remove it to disable this feature.
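Putting the controls of 3.2 to 3.7 together, the following nginx.conf fragment shows one complete, consistent configuration. It is an added example and not part of the original standard; the web root /var/www/html, the upload directory /upload, the log paths, the listen port and the FastCGI backend at 127.0.0.1:9000 are assumptions to be adapted to the actual deployment. It also adds "try_files $uri =404" in the PHP location, a second widely used defence for the 3.4 parsing issue that the original does not mention: a request such as /1.jpg/x.php names a file that does not exist, so it is answered with 404 before it ever reaches PHP.

```nginx
# Added example: nginx.conf fragment assembling sections 3.2-3.7.
# Paths, port and the FastCGI backend address are assumptions.

user nginx nginx;                         # 3.2: workers run as an unprivileged account

http {
    access_log /var/log/nginx/access.log; # 3.3: record every request
    error_log  /var/log/nginx/error.log;

    server {
        listen 80;
        root /var/www/html;               # 3.5: owned by root, mode 0755
        autoindex off;                    # 3.7: never list directory contents

        # 3.6: the writable upload directory must not execute scripts.
        # Regex locations are matched in file order, so this block must
        # appear before the generic PHP location below.
        location ~ ^/upload/.*\.php {
            return 403;
        }

        location ~ \.php$ {
            # 3.4: reject script names such as /1.jpg/x.php or
            # /1.jpg/x.php/my.dir/x.php that contain "/" after "."
            if ($fastcgi_script_name ~ \..*\/.*php) {
                return 403;
            }
            # Added defence (not in the original): only pass scripts that exist
            try_files $uri =404;

            fastcgi_pass 127.0.0.1:9000;  # assumed PHP-FPM backend
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}
```

Validate the file with "nginx -t" before reloading. Because the "\..*\/.*php" check matches any "/" that follows a ".", a script under a directory with a dotted name (for example /app.v2/index.php) is also rejected; if such paths are legitimate in a deployment, rely on try_files and set cgi.fix_pathinfo=0 in php.ini instead.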
Nginx Security Configuration standard (for Web server)