Simple steps to harden Nginx for home use?

Winfried nginx-forum at forum.nginx.org
Tue May 1 09:28:44 UTC 2018


Hello,

I use Nginx on a home Debian appliance to run a couple of personal web
sites.

It's the only port reachable from the Net through the ADSL modem with NAT
firewall enabled.

Recently, the server was no longer responding and I couldn't log on:
[code]
(initramfs) root
/bin/sh: root: not found
[/code]

Since I was in a rush, I simply wiped the USB keydrive clean, reinstalled
Debian and the htdocs.

Provided it was a hack and not some internal issue (keydrive?), are there
simple steps I can take to harden Nginx?

Thank you.

PS: I use apt to install applications. FWIW, here's what "nginx -V" says
after installing it from the repository:

nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2
-fdebug-prefix-map=/build/nginx-re6b6X/nginx-1.10.3=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now'
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_v2_module --with-http_dav_module --with-http_slice_module
--with-threads --with-http_addition_module --with-http_flv_module
--with-http_geoip_module=dynamic --with-http_gunzip_module
--with-http_gzip_static_module --with-http_image_filter_module=dynamic
--with-http_mp4_module --with-http_perl_module=dynamic
--with-http_random_index_module --with-http_secure_link_module
--with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic
--with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/headers-more-nginx-module
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/nginx-auth-pam
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/nginx-cache-purge
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/nginx-dav-ext-module
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/nginx-development-kit
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/nginx-echo
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/ngx-fancyindex
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/nchan
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/nginx-lua
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/nginx-upload-progress
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/nginx-upstream-fair
--add-dynamic-module=/build/nginx-re6b6X/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279655,279655#msg-279655


