[PATCH] Config: enhancing nginx default config file with added security options
mdounin at mdounin.ru
Thu Jul 31 12:25:43 UTC 2014
On Thu, Jul 31, 2014 at 03:56:59AM -0700, Kristian Erik Hermansen wrote:
> # HG changeset patch
> # User Kristian Erik Hermansen <kristian.hermansen at gmail.com>
> # Date 1406803911 25200
> # Thu Jul 31 03:51:51 2014 -0700
> # Node ID 8966ff589f5de5e9155335373247de4485451304
> # Parent e0eaf2d92a8cee90abe592d7ac01d3118cb0853a
> Config: enhancing nginx default config file with added security options.
We intentionally avoid various "security recommendations" except
via providing appropriate defaults.
People tend to have different ideas of what security is, and how
it should be achieved. Additionally, all such recommendations
tend to become stale in a very short period of time.
The goal of the sample configuration file is to show how to configure
things, not to give any recommendations.
Some additional comments below.
> diff -r e0eaf2d92a8c -r 8966ff589f5d conf/nginx.conf
> --- a/conf/nginx.conf Wed Jul 30 04:32:16 2014 -0700
> +++ b/conf/nginx.conf Thu Jul 31 03:51:51 2014 -0700
> @@ -105,9 +105,34 @@
> # ssl_session_cache shared:SSL:1m;
> # ssl_session_timeout 5m;
> + # recommended protocols that provide better security and compatibility
> + #
> + # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
This is the default and usually there is no need to set it.
> # ssl_ciphers HIGH:!aNULL:!MD5;
> # ssl_prefer_server_ciphers on;
> + # security headers recommended by OWASP to block common attacks
> + #
> + # add_header X-Frame-Options 'DENY';
> + # add_header X-Content-Type-Options 'nosniff';
> + # add_header X-XSS-Protection '1; mode=block';
> + # add_header Cache-Control 'no-cache, no-store, must-revalidate';
> + # add_header Pragma 'no-cache';
> + # add_header Expires '-1';
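Review bot: the `add_header` lines at the end of the hunk are only inherited by a `location` block that defines no `add_header` of its own, so placing them at `server` level means any location that adds even one header of its own silently loses all of them; the commented example should either say so or show them at the level where they are actually meant to apply. The comment introducing `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2` as "recommended protocols that provide better security" overstates that line, since (as noted above) it lists exactly the protocols enabled without it and therefore changes nothing.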
Cache-related headers are either invalid (Expires syntax doesn't
allow "-1" as a valid value, and "Pragma: no-cache" behaviour is
unspecified when used in a response) or just silly (Cache-Control
in question disables caching, which is irrelevant for security in
most cases, but will make things much slower).
Moreover, there is the "expires" directive to control
cache-related headers, and it should be used in a proper nginx
configuration instead, see http://nginx.org/r/expires.
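As an added illustration of the `expires` directive referred to above (this is example configuration written for this page, not part of the patch, the reply, or the nginx sample config), the fragment below shows the directive-based way to control cache headers beside the hand-written `add_header` form, and the inheritance caveat that applies to `add_header`. The server name, paths and upstream address are assumptions.

```nginx
# Added example (not from the patch or nginx.conf). Names and paths are hypothetical.
events { }

http {
    server {
        listen 80;
        server_name example.com;

        # Static assets: "expires 7d" makes nginx emit a well-formed
        # "Expires:" HTTP date seven days from now plus a matching
        # "Cache-Control: max-age=604800", with no hand-written headers.
        location /static/ {
            root /srv/www;
            expires 7d;
        }

        # Responses that must not be cached: "expires epoch" emits
        # "Expires: Thu, 01 Jan 1970 00:00:01 GMT" and "Cache-Control: no-cache".
        # Both values are valid, unlike the literal "Expires: -1" from the patch.
        location /account/ {
            proxy_pass http://127.0.0.1:8080;
            expires epoch;
        }

        # Caveat: add_header is inherited from an outer block only when the
        # current block sets no add_header at all, so a header placed at
        # server level is silently dropped in any location that adds one.
        add_header X-Content-Type-Options nosniff;

        location /reports/ {
            root /srv/www;
            add_header X-Frame-Options DENY;            # this alone would discard the server-level header
            add_header X-Content-Type-Options nosniff;  # so it has to be repeated here to keep it
        }
    }
}
```

The `expires` directive computes the date from the current time on each response, which is why it produces a valid `Expires` value where a fixed string cannot; `expires off` disables it again for a location that should fall back to whatever the upstream sends.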