0x00 Test environment
Operating system: CentOS 6.5
Web server: nginx 1.4.6
PHP version: PHP 5.4.26
0x01 Nginx introduction
Nginx itself cannot execute PHP; it is only a web server. When it receives a request for a PHP file it passes the request to the PHP interpreter and returns the interpreter's output to the client. In practice Nginx sends the request to the FastCGI management process (PHP-FPM), which picks a CGI child process to handle it and hands the result back to Nginx.
Two accounts are involved: the account Nginx runs as and the account PHP-FPM runs as. For a static file, only the Nginx account needs read access to the file. For a PHP file, the Nginx account first needs read access to the file; once Nginx sees that it is a PHP file it forwards the request to PHP-FPM, so the PHP-FPM account also needs read access to that file.
0x02 Findings
0x03 Security configuration of the Nginx server
0x04 Common configuration how-tos
1. Deny access to a directory
Example: deny access to the path directory
Replace path with the directory you actually want to protect. If the directory path ends with "/", access to that directory and to every file under it is denied. Without the trailing "/" the match is broader: any URI that begins with the keyword is denied, including other directories that merely start with the same characters. Place the rule before the fastcgi configuration.
2. Deny access to and execution of PHP files
Example: removing PHP execution from a single directory
Example: removing PHP execution from multiple directories
3. Deny access by IP address
Example: syntax for denying an IP range:
Example: allow only one IP address or one IP range, and deny everyone else
allow x.x.x.x;
allow 10.0.0.0/24;
0x05 Common problems to address
1. The Trojan cannot be executed immediately after it is uploaded
Add a rule for the upload directory to the Nginx configuration file so that PHP is not parsed in that directory.
2. The Trojan cannot see files outside the site directory
Remove the PHP-FPM running account's read permission on the other directories.
3. The Trojan cannot execute commands once it runs
Remove the PHP-FPM account's execute permission on sh.
4. Permissions are not too high if a command does execute
Do not run PHP-FPM as root and do not put its account in the root group.
0x06 Nginx security configuration scheme
1. Change the owner of the site directory to an account that is not the PHP-FPM running account; here the owner is changed to root.
Command:
chown -R root:root html/
2. Change the running user and group of both Nginx and PHP-FPM to nobody
nginx.conf
php-fpm.conf
3. Remove nobody's read permission on all directories, then add read permission on the site directory
Command:
chmod o-r -R /
chmod o+r -R html/
4. Remove nobody's execute permission on /bin/sh
chmod 776 /bin/sh
(Mode 776 is rwxrwxrw-: it drops the execute bit for others, which is the point of this step, but it also makes /bin/sh writable by everyone.)
5. Verify that the site directory is readable and executable by nobody and that the site files are readable.
6. Add write permission for nobody on the directories used for uploads or for writing files.
7. Configure nginx.conf so that the upload directory has no PHP execution permission.
8. Configure nginx.conf to deny access to folders such as the admin back end, or to restrict them to specific IP addresses.
9. Configure nginx.conf to deny the file types that must not be served, such as txt log files.
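The following nginx.conf is an added example, not the original post's configuration (the post's own snippets did not survive). It puts the three how-tos of 0x04 (deny a directory, no PHP in chosen directories, IP restrictions) and steps 2, 7, 8 and 9 of this scheme into one file. The site root, the paths /private/, /uploads/, /data/, /tmp/, /cache/ and /admin/, and the IP addresses are assumptions chosen for illustration.

```nginx
# Added example: complete nginx.conf applying the 0x04 how-tos and steps
# 2, 7, 8 and 9 of the scheme. Not the original post's file; paths and
# addresses below are assumed for illustration.

# Step 2: nginx worker processes run as nobody. PHP-FPM is switched
# separately in php-fpm.conf (user = nobody, group = nobody).
user nobody nobody;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    server {
        listen      80;
        server_name example.com;
        root        html;          # owned root:root, readable by nobody (steps 1 and 3)
        index       index.php index.html;

        # Deny one address range for the whole site. A location that
        # declares its own allow/deny rules replaces this inherited list,
        # so the /admin/ locations below repeat what they still need.
        deny 192.0.2.0/24;

        # 0x04 item 1 / step 8: a directory nobody may fetch at all.
        # A regex location is used so it is tested before the generic
        # "\.php$" location (regex locations are tried in file order and
        # the first match wins). The trailing slash matters: "^/private/"
        # covers /private/ and its contents only, while "^/private" would
        # also match /private-notes.
        location ~ ^/private/ {
            deny all;
        }

        # 0x04 item 2 / step 7: the upload directory is the one place
        # nobody can write (step 6), so nothing in it may be parsed as PHP.
        location ~ ^/uploads/.*\.php$ {
            deny all;
        }

        # The same rule for several directories at once.
        location ~ ^/(data|tmp|cache)/.*\.php$ {
            deny all;
        }

        # 0x04 item 3 / step 8: the admin back end is open to one host and
        # one network only. allow/deny are evaluated in order and the
        # first match wins, so "deny all" comes last. PHP scripts under
        # /admin/ still have to reach PHP-FPM after the IP check, which is
        # why there are two locations.
        location ~ ^/admin/.*\.php$ {
            allow 203.0.113.10;
            allow 10.0.0.0/24;
            deny  all;
            fastcgi_pass  127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include       fastcgi_params;
        }
        location ~ ^/admin/ {
            allow 203.0.113.10;
            allow 10.0.0.0/24;
            deny  all;
        }

        # Step 9: file types that must never be served, such as text logs
        # written next to the site files.
        location ~ \.(txt|log)$ {
            deny all;
        }

        # Everything else ending in .php goes to PHP-FPM. This location
        # must stay below the deny rules above.
        location ~ \.php$ {
            fastcgi_pass  127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include       fastcgi_params;
        }
    }
}
```

Check the file with nginx -t before reloading. The ordering is the part that is easy to get wrong: every deny rule written as a regex location has to appear above the generic \.php$ location, otherwise a request for /uploads/shell.php matches the PHP location first and is handed to PHP-FPM as usual.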
Nginx Security Configuration