[PATCH] Config: enhancing nginx default config file with added security options

Maxim Dounin mdounin at mdounin.ru
Thu Jul 31 12:25:43 UTC 2014


Hello!

On Thu, Jul 31, 2014 at 03:56:59AM -0700, Kristian Erik Hermansen wrote:

> # HG changeset patch
> # User Kristian Erik Hermansen <kristian.hermansen at gmail.com>
> # Date 1406803911 25200
> #      Thu Jul 31 03:51:51 2014 -0700
> # Node ID 8966ff589f5de5e9155335373247de4485451304
> # Parent  e0eaf2d92a8cee90abe592d7ac01d3118cb0853a
> Config: enhancing nginx default config file with added security options.

No, thanks.

We intentionally avoid various "security recommendations" except 
via providing appropriate defaults.

People tend to have different ideas of what security is, and how 
it should be achieved.  Additionally, all such recommendations 
tend to become stale in a very short period of time.

The goal of the sample configuration file is to show how to configure 
things, not to give any recommendations.

Some additional comments below.

> diff -r e0eaf2d92a8c -r 8966ff589f5d conf/nginx.conf
> --- a/conf/nginx.conf Wed Jul 30 04:32:16 2014 -0700
> +++ b/conf/nginx.conf Thu Jul 31 03:51:51 2014 -0700
> @@ -105,9 +105,34 @@
>      #    ssl_session_cache    shared:SSL:1m;
>      #    ssl_session_timeout  5m;
> 
> +    # recommended protocols that provide better security and compatibility
> +    #
> +    #    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> +

This is the default and usually there is no need to set it 
explicitly.

>      #    ssl_ciphers  HIGH:!aNULL:!MD5;
>      #    ssl_prefer_server_ciphers  on;
> 
> +    # security headers recommended by OWASP to block common attacks
> +    #
> +    #    add_header X-Frame-Options 'DENY';
> +    #    add_header X-Content-Type-Options 'nosniff';
> +    #    add_header X-XSS-Protection '1; mode=block';
> +    #    add_header Cache-Control 'no-cache, no-store, must-revalidate';
> +    #    add_header Pragma 'no-cache';
> +    #    add_header Expires '-1';
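
Review bot: the comments in this hunk do not match the directives under them. The "recommended protocols that provide better security" comment sits above `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;`, which (as noted in the reply) is the existing default set, not a hardened one, so either drop the line or reword the comment. Likewise, `Cache-Control`, `Pragma` and `Expires '-1'` are cache directives, not the OWASP security headers the comment describes, and `'-1'` is not a valid Expires value; they should not be grouped with X-Frame-Options and X-Content-Type-Options under a "security headers" heading.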

Cache-related headers are either invalid (Expires syntax doesn't 
allow "-1" as a valid value, and "Pragma: no-cache" behaviour is 
unspecified when used in a response) or just silly (Cache-Control 
in question disables caching, which is irrelevant for security in 
most cases, but will make things much slower).

Moreover, there is the "expires" directive to control 
cache-related headers, and it should be used in a proper nginx 
configuration instead, see http://nginx.org/r/expires.

-- 
Maxim Dounin
http://nginx.org/
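The `expires` directive Maxim points to, as an added configuration fragment that is not part of the patch or of nginx's own sample config. The server name and upstream address are placeholders, and the header values in the comments are what I expect nginx to emit for these settings, stated as assumptions rather than output from this thread.

```nginx
# Added example: hand-written cache headers vs. the expires directive.
server {
    listen      80;
    server_name example.com;          # placeholder name

    # What the patch proposed: hand-written headers.  "Expires: -1" is not a
    # valid HTTP-date and "Pragma: no-cache" has no defined meaning in a
    # response, so these lines add noise rather than security.
    # add_header Cache-Control 'no-cache, no-store, must-revalidate';
    # add_header Pragma 'no-cache';
    # add_header Expires '-1';

    # Disable caching of dynamic responses with the expires directive instead.
    # A negative value makes nginx send a valid Expires date in the past plus
    # "Cache-Control: no-cache" (assumed behaviour of the directive).
    location / {
        expires    -1;
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }

    # Static assets are where cache headers normally belong; nginx derives
    # both Expires and "Cache-Control: max-age=..." from one value here.
    location /static/ {
        expires 30d;
    }
}
```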



More information about the nginx-devel mailing list