7 top Nginx web server security best practices

Nginx represents a lightweight, extremely efficient web server or reverse proxy and e-mail proxy. It functions on UNIX, Linux, BSD, Mac OS X, Solaris, and Microsoft Windows. At the same time, it allows several security practices, as revealed up next.

1 Activate SELinux

SELinux is one of the best security measures for Nginx. It can prevent several attacks prior to your system being rooted.

2 Permit as few privileges as possible

To manage all the privileges on the Nginx server you can use Mount options.

3 Use Linux hardening practices

You can setup Linux kernel and networking with the command /etc/sysctl.conf.

4 Uninstall all Nginx Modules that you don’t use

A good security practice for Nginx is to remove any module that it is not useful. This decreases the risk of intrusions, while you can setup the server specifically to suit your requirements.

5 For Apache, use the mod_security

If you are on an Apache server, you can use the firewall protection offered by the mod_security app.

6 Use SELinux policy to better the Nginx server

Even though SELinux doesn’t shield by default a Nginx server, it can be prompted to do so.

7 Use iptables to restrict access

Iptables are great for improving security, as they managed restrictively both incoming and outgoing connections.

8 Manage overflow intrusions

You can create in place a buffer with several restrictions for clients via a command similar to:

1
vi /usr/local/nginx/conf/nginx.conf

9 Manage simultaneous connections

The NginxHttpLimitZone module allows you to manage and set up a restriction concerning simultaneous connections permitted to a session or to an IP address.

10 Permit access to only one domain

It is best to permit access only to the configured virtual domain. Also, you can opt for reversing proxy requests.

11 Restrict access to several methods

The most popular methods online are GET and POST. A server method is RFC 2616. Therefore, if you are not in need of all the methods for configuration purposes, they need to be disabled. You can keep in place only GET, HEAD and POST methods with this command:

1
2
3
4
5
## Only allow these request methods ##
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
## Do not accept DELETE, SEARCH and other methods ##

12 Block specific users

Nginx Web Server applications allow you to set up in place several restrictions, especially for users. You can block scanners, bots, or anyone else that might try abuse your server.

13 Block spam sources

Referral spammers are quite frequent nowadays, but those can be prevented from a server via the following command:

1
2
3
4
5
6
7
## Deny certain Referers ###
if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex) )
{
# return 404;
return 403;
}
##

14 Block hotlinking

HTML hotlinking refers to a user that redirects a link to one of the images present on your website. This impacts negatively your site’s stats, while making your content appear untrustworthy. Thus, it is best to block hotlinking.

15 Limiting access to specific files

Another great security practice for Nginx server is to create directory restrictions.

16 Encrypt with SSL

SSL configuration is useful for encrypting specific content, which will prevent unauthorised users from accessing it.

17 Use PHP security tools

PHP is a script language that permits easy access and configuration to several security tools.

18 Use Nginx in a Chroot Jail

If you are allowed, use Chroot Jail to better manage Nginx. It can minimize a potential intrusion by redirecting it to a smaller area on the web server.

19 Set up the operating system

Configuration actions can protect the web server with additional default security tools.

20 Limit outgoing Nginx connections

With the aid of iptables, you can restrict outgoing connections from a web server, which will transmit only the data allowed in the preconfigured OUTPUT chain.