How to Harden NGINX Server

It is important to secure your NGINX server against malicious traffic. Here is how to harden an NGINX server so that your websites and apps keep running well. The same steps apply to hardening an NGINX reverse proxy.

Here are the steps to harden an NGINX server.

1. Disable Server Tokens

Server tokens are the server signature (NGINX and its version number) shown on error pages such as 404 responses and in the Server response header. They let attackers identify your exact NGINX version and look up vulnerabilities that apply to it.

So disable server tokens by adding the server_tokens directive to your server block (it is also valid in the http context, where it applies to every server) as shown.

server {
   ...
   server_tokens off;
   ...
}

Restart NGINX to apply changes.

2. Block HTTP User Agents

Some user-agent strings belong to malicious bots that waste system resources with slow, data-heavy requests, so it helps to block them before they reach your application.

Create a block-list file /etc/nginx/blockuseragents.rules that maps user-agent patterns of common malicious bots to a flag variable

$ sudo vi /etc/nginx/blockuseragents.rules

Add the following configuration. Each ~* entry is a case-insensitive regular expression matched against the User-Agent header; any match sets $blockedagent to 1, and everything else gets the default of 0.

map $http_user_agent $blockedagent {
   default 0;
   ~*malicious 1;
   ~*bot 1;
   ~*backdoor 1;
   ~*crawler 1;
   ~*bandit 1;
}

Save and exit the file.

Next, include this file in your NGINX configuration. The map directive is only valid in the http context, so the include must go at http level, before and outside the server block

include /etc/nginx/blockuseragents.rules;

The map only sets $blockedagent; the server block still has to act on the variable (return 403 when it is 1) before these bots receive a 403 Forbidden response. Note that the broad patterns ~*bot and ~*crawler also match legitimate search-engine crawlers such as Googlebot, so tighten the list if you rely on search indexing.
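The map file above only labels requests; nothing is refused until a server block checks the variable. Here is that missing piece as an added example (it is not from the original article), with example.com as a placeholder host and the include placed at http level, where map is valid:

```nginx
# Added example: wiring the $blockedagent map into a server block.
# The include must sit in the http context (outside server {}), because the
# map directive is not allowed inside server or location blocks.
include /etc/nginx/blockuseragents.rules;

server {
    listen 80;
    server_name example.com;      # placeholder host, not from the article
    root /var/www/example.com;    # assumed document root

    # Act on the map: $blockedagent is 1 for matching User-Agent strings.
    # The request is refused before any location block is evaluated.
    if ($blockedagent) {
        return 403;
    }
}
```

After nginx -t and a reload, a request against your own server with curl -A "crawler" -o /dev/null -w '%{http_code}\n' http://example.com/ should print 403, while a request with an ordinary browser user agent still returns 200.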

3. Disable unnecessary HTTP methods

Most websites only need the GET, POST and HEAD request methods. Attackers, however, may send other methods such as DELETE to probe for weaknesses in your server or application.

So allow only GET, POST and HEAD and reject everything else. Add the following lines to your server block. 444 is an NGINX-specific code that closes the connection without sending any response, so clients get nothing back for any method other than GET, POST and HEAD.

if ($request_method !~ ^(GET|HEAD|POST)$) {
   return 444;
}

Restart NGINX server to apply changes. Now if you try sending a DELETE request to NGINX server, you will get an empty response.

# curl -X DELETE http://192.168.0.25/index.html
curl(52) : Empty response from server

4. Prevent Image Hotlinking

Image hotlinking is when other websites embed images hosted on your site in pages on their own domain. Every time their page loads, the image is served from your server, which costs you bandwidth for traffic that brings you no visitors.

Let's say your website images are stored in the /images subfolder. To prevent others from hotlinking them, add the following location block to your NGINX configuration or virtual host configuration file.

location /images/ {
   valid_referers none blocked 243.34.54.65;
   if ($invalid_referer) {
      return 403;
   }
}

The above block returns a 403 response for any request whose Referer header names a site other than 243.34.54.65; the none and blocked keywords keep allowing requests with no Referer at all (direct visits) or with a Referer stripped by a proxy or firewall. Replace this IP with your own IP or domain name. Keep in mind that the check is on the Referer header, which the client sets, so it stops casual hotlinking rather than a determined client.

5. Use SSL certificates

One of the most important steps in hardening an NGINX server is to serve traffic over TLS with a certificate. First, generate a key and certificate with OpenSSL or any other tool. The commands below create a self-signed certificate valid for 365 days; note that a 1024-bit RSA key is considered weak today, and 2048 bits or more is the usual minimum.

# openssl genrsa -aes256 -out nginx.key 1024
# openssl req -new -key nginx.key -out nginx.csr
# cp nginx.key nginx.key.org
# openssl rsa -in nginx.key.org -out nginx.key
# openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt

The above commands will create key and certificate. Add their paths to your server block that listens to port 443 (SSL port).

server {
   listen 443 ssl;
   ...

   ssl_certificate /etc/nginx/sites-enabled/certs/nginx.crt;
   ssl_certificate_key /etc/nginx/sites-enabled/certs/nginx.key;
   ...
}

You can also purchase SSL certificates from third-party providers such as RapidSSL, Comodo, Verisign, GeoTrust, etc.

6. Enable TLS 1.3 in NGINX

After you have set up the certificate, enable TLS 1.3 in NGINX, since it is the most secure protocol version yet. Do this by adding the ssl_protocols directive to the server block from the previous step. The directive lists every protocol version the server will accept, so the list below also keeps TLS 1.0 and 1.1 enabled; both are deprecated and can be dropped from the list if none of your clients still need them.

server {
   listen 443 ssl;
   ...
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
   ...
}

7. Redirect HTTP to HTTPS

It is important to redirect all HTTP requests to HTTPS port (443). Add the following line to server block that listens to port 80 (HTTP port).

server {
   listen 80;
   ...
   return 301 https://$server_name$request_uri;
}

After you have made the above changes, check the configuration for syntax errors and restart NGINX to apply them.

# nginx -t
# systemctl restart nginx.service
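To show how the seven steps fit together, here is a complete site configuration as an added example (it is not from the original article). It assumes example.com as the hostname, /var/www/example.com as the document root, the certificate paths from step 5 and the /etc/nginx/blockuseragents.rules file from step 2. It also goes slightly beyond the steps as written: it adds the $blockedagent check that step 2 relies on, restricts ssl_protocols to TLS 1.2 and 1.3 instead of also listing the deprecated 1.0 and 1.1, and uses the server_names keyword in valid_referers so you do not have to hard-code an address.

```nginx
# Added example: the seven hardening steps combined into one site config.
# Assumed values: example.com, /var/www/example.com, and the file paths
# used earlier on the page.

# Step 2: the map must live in the http context, so include it outside server {}.
include /etc/nginx/blockuseragents.rules;

# Step 7: plain HTTP does nothing but redirect to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

server {
    # Step 5: TLS listener; the "ssl" parameter on listen is required by
    # current NGINX releases (the old "ssl on;" directive has been removed).
    listen 443 ssl;
    server_name example.com;
    root /var/www/example.com;    # assumed document root

    # Step 1: hide the version string from error pages and the Server header.
    server_tokens off;

    ssl_certificate     /etc/nginx/sites-enabled/certs/nginx.crt;
    ssl_certificate_key /etc/nginx/sites-enabled/certs/nginx.key;

    # Step 6: the page's list also enables TLSv1 and TLSv1.1; both are
    # deprecated (RFC 8996), so only 1.2 and 1.3 are offered here.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Step 2: refuse the user agents flagged by the map.
    if ($blockedagent) {
        return 403;
    }

    # Step 3: close the connection silently for anything but GET, HEAD, POST.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 444;
    }

    # Step 4: serve images only to pages on this server's own names
    # (server_names) or to requests carrying no Referer at all.
    location /images/ {
        valid_referers none blocked server_names;
        if ($invalid_referer) {
            return 403;
        }
    }
}
```

Run nginx -t before restarting; it reports the line of any directive placed in the wrong context, which is the most common mistake when moving the map include or the ssl directives between blocks.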

Hopefully, now you can easily harden NGINX server.
