NGINX SERVER SECURITY

Nginx is a very secure and reliable web server even with a default setup. However, there are many ways to harden it further. Here are some methods to secure the Nginx server.

Implement SSL Certificate

As a first step, we implement an SSL certificate so that the web application is accessed over HTTPS instead of HTTP.

  • Use OpenSSL to generate a CSR with a 2048-bit key and SHA-2

The command below generates the CSR and key files in the current working directory. Don't forget to change the .csr and .key file names.

# openssl req -nodes -new -sha256 -newkey rsa:2048 -keyout example.key -out example.csr

Get the CSR signed by a certificate authority. Once we have the signed certificate, we can add it to Nginx as below.

  • Log in to the Nginx server and locate the conf folder containing the ssl.conf file (the default path is /etc/nginx/conf.d).

  • Edit the ssl.conf file and add the following configuration, which makes Nginx listen on port 443:

server {
    listen              443 ssl;
    server_name         example.com;
    # 'ssl on;' is deprecated; 'listen 443 ssl' already enables TLS for this server
    ssl_certificate     /opt/cert/example.pem;
    ssl_certificate_key /opt/cert/example.key;
}

(replace the certificate and key file paths with our own)

  • Save the configuration and restart Nginx. The SSL certificate is now in place.

SSL/TLS Optimization

Run an SSL scan against the website to find its score and any essential vulnerabilities.

SSL SCAN (SSL Server Test)

This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.

Install Chain Certificate

We can obtain the chain (intermediate) certificate from the certificate authority, usually from its website or by searching for it. In Nginx, the intermediate certificates are appended to the server certificate file referenced by ssl_certificate. Adding the chain can raise the SSL Labs rating to A.

Disable nginx server_tokens

By default, the server_tokens directive in Nginx exposes the Nginx version number. It is directly visible in all automatically generated error pages and is also present in the Server header of every HTTP response.

This is an information disclosure, so we disable it in the Nginx configuration file by setting server_tokens off.

Disable weak SSL/TLS protocols

SSL 3, TLS 1.0 and TLS 1.1 are vulnerable, so we allow only the strong TLS 1.2 protocol.

  • Edit the ssl.conf file and add the following line in the server block:

    ssl_protocols       TLSv1.2;

  • Save the ssl.conf file and restart Nginx

Disable Any Unwanted HTTP methods

Another measure is to disable any HTTP methods that are not going to be used and are not required on the web server. If we add the following in the location block of the Nginx virtual host configuration file, the server will only allow the GET, HEAD and POST methods and will reject methods such as DELETE and TRACE.

location / {
    limit_except GET HEAD POST { deny all; }
}

Alternatively, we can add the following check to the server block in nginx.conf:

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

Save the file and restart Nginx. The server will now return 405 Not Allowed if someone tries to use TRACE, DELETE, PUT or OPTIONS.

Control Resources and Limits

To prevent potential DoS attacks on Nginx, we can set buffer size limits for all clients. We do this in the Nginx configuration file using the following directives:

  • client_body_buffer_size – specifies the client request body buffer size. Its default value is 8k or 16k; we can set it as low as 1k: client_body_buffer_size 1k.

  • client_header_buffer_size – specifies the buffer size for the client request header. A buffer size of 1k is enough for most requests.

  • client_max_body_size – specifies the maximum accepted body size for a client request. A 1k limit should be sufficient, but you need to increase it if you receive file uploads via the POST method.

  • large_client_header_buffers – specifies the maximum number and size of buffers used to read large client request headers. A large_client_header_buffers 2 1k directive sets the maximum number of buffers to 2, each with a maximum size of 1k. This directive will accept a 2 kB data URI.

Implement ModSecurity WAF ( web application firewall)

Add an additional layer of security by implementing the ModSecurity web application firewall with the OWASP Core Rule Set.

Alternatively, you may consider using a cloud-based security service such as SUCURI in front of the Nginx server.

Check Your Configuration with Gixy

Gixy is an open-source tool for analyzing Nginx configuration. After you prepare your Nginx configuration, check it with Gixy. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
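Before running a full analyzer, a quick self-check catches the points covered in the sections above (server_tokens, the deprecated ssl directive, weak ssl_protocols, HTTP method filtering and client_max_body_size). The script below is an added example, not part of the original post or of Gixy; the two config files it audits are constructed samples, and it assumes one directive per line as in the snippets above.

```shell
# Added example (not from the original post): audit an nginx config file for the
# hardening points discussed above. Prints each finding, returns the failure count.

# Value of the first occurrence of a directive in a config file ("" if absent).
# Assumption: one directive per line, as in the snippets above.
nginx_directive() {   # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

audit_nginx_conf() {  # $1 = config file; prints findings, returns failure count
    fails=0
    # Version disclosure in the Server header and error pages
    [ "$(nginx_directive "$1" server_tokens)" = "off" ] || fail "server_tokens is not off"
    # 'ssl on;' is deprecated since nginx 1.15.0; 'listen 443 ssl' is enough
    grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$1" && fail "deprecated 'ssl on;' present"
    # Only TLS 1.2 (or 1.3) may be enabled; SSLv3, TLS 1.0 and TLS 1.1 are weak
    protos=" $(nginx_directive "$1" ssl_protocols) "
    case "$protos" in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*|"  ") fail "weak or missing ssl_protocols:$protos" ;;
    esac
    # Unwanted HTTP methods must be filtered (limit_except or a $request_method test)
    grep -Eq 'limit_except|\$request_method' "$1" || fail "no HTTP method restriction"
    # Request body limit against oversized uploads
    [ -n "$(nginx_directive "$1" client_max_body_size)" ] || fail "client_max_body_size not set"
    return "$fails"
}

# Constructed sample configs for the demo (not taken from a real server)
HARDENED_CONF=$(mktemp)
WEAK_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
server_tokens off;
server {
    listen 443 ssl;
    ssl_certificate_key /opt/cert/example.key;
    ssl_protocols       TLSv1.2;
    client_max_body_size 1k;
    location / { limit_except GET HEAD POST { deny all; } }
}
EOF
cat > "$WEAK_CONF" <<'EOF'
server {
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
audit_nginx_conf "$HARDENED_CONF" && echo "hardened.conf: OK"
audit_nginx_conf "$WEAK_CONF" || echo "weak.conf: $? finding(s)"
```

Run it against /etc/nginx/conf.d/ssl.conf on the real server to confirm the edits from the sections above took effect; the weak sample is expected to produce five findings.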

Keep Nginx up-to-date

Last but not least, always update the Nginx server to the latest stable version. Updates frequently include new security features and improvements.

SUMMARY

These are the configurations that can be applied to secure our Nginx server and harden its configuration.
