Sanity check of my config - is it secure?

benseb nginx-forum at nginx.us
Sun May 22 18:56:51 MSD 2011


Hi

We had Nginx setup on a domain serving static content
(images[0-9].domain.com). Recently we've made our main domain also use
the same Nginx installation and proxy any php requests to Apache.

All is working fine. We've set it to serve all static content from our
images.domain.com domains, and it will also catch any static content
served from the main www.domain.com as well, before finally passing any
dynamic php requests through to Apache.

What I want to check is that there are no problems with the
configuration that would let someone view the source of our PHP pages or
access restricted 'admin' directories, etc. I've not configured NGinx
before so would appreciate some help checking my config?


user  www;
worker_processes  6;

error_log  /var/log/nginx-error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

     ## Timeouts
        client_body_timeout   10;
        client_header_timeout 10;
        keepalive_timeout     5 5;
        send_timeout          10;

    gzip  on;
#  gzip_static on;
    gzip_comp_level   5;
    gzip_http_version 1.0;
    gzip_min_length   1000;
    gzip_types        text/plain text/css image/x-icon
application/x-javascript;

    server{
                listen 80 default_server; #all other hosts deny
                server_name _;
                return 444;
    }

 server {  #IMAGES DOMAIN
        listen       x.x.x.x:80;
        server_name  images.x.com images1.x.com images2.x.com stat

        server_tokens off;
        gzip_comp_level 9;
        if ($request_method !~ ^(GET|HEAD)$ ) {
         return 444;
        }



        # Only serve these locations
        location ^~ /images/folder1/{

         if ($request_uri ~*
(^\/|\.ico|\.css|\.js|\.swf|\.gif|\.jp?g|\.png)$ ) {
          break;
        }

                root /home/vhosts/x.com/httpdocs;
                expires 7d;

        }
        location ^~ /images/folder2/{
               root /home/vhosts/x.com/httpdocs;
                expires 7d;

        }

         location ^~/images/ {
               root /home/vhosts/x.com/httpdocs;


        }


         location ^~ /applets/{
               root /home/vhosts/x.com/httpdocs;
               expires max;
        }
        location ^~ /css/{
               root /home/vhosts/x.com/httpdocs;
               expires max;
        }


        location ~* \.(ico|css|js|swf|gif|jp?g|png)$ {
                root /home/vhosts/x.com/httpdocs;
              
        }
        location ~* \.(php|html){
                return 444; #should not happen, but just incase
        }
                if ($host !~
^(images.x.com|images1.x.com|images2.x.com)){
                        return 444;
        }
        location ^~/admin/ {
                deny all;


        }



    }

server {   #MAIN DOMAIN - REDIRECT TO www.
        listen x.x.x.x:80;
        server_name x.com;
        rewrite ^(.*) http://www.x.com$1 permanent;

        }
 server { #MAIN DOMAIN
        listen       x.x.x.x:80;
        server_name www.x.com;

        #access_log /var/log/nginx.access.log;
        error_log /var/log/nginx.error.log;

         location /nginx_status {

            stub_status on;
            access_log   off;
           allow x.x.x.x/24;
            deny all;
        }

        location ^~ /images/folder1/{
               root /home/vhosts/x.com/httpdocs;
                expires 7d;

        }
        location ^~ /images/folder2/{
               root /home/vhosts/x.com/httpdocs;
                expires 7d;

        }
    

         location ^~/images/ {
               root /home/vhosts/x.com/httpdocs;

        }


         location ^~ /applets/{
               root /home/vhosts/x.com/httpdocs;
               expires max;
        }
        location ^~ /css/{
               root /home/vhosts/x.com/httpdocs;
               expires max;
        }


        location ~* \.(ico|css|js|swf|gif|jp?g|png)$ {
                root /home/vhosts/x.com/httpdocs;
                #expires max;
        }

        location / {
                proxy_pass http://127.0.0.1:8080;

                #CACHING
                #proxy_cache my-cache;
                #proxy_cache_valid 200 302 1m;
                #proxy_cache_valid 404 1m;

                 #proxy_redirect off;
                proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;

                client_max_body_size 200m; #max upload size

                client_body_buffer_size 128k;
                proxy_connect_timeout 900;
                proxy_send_timeout 900;
                proxy_read_timeout 900;
                #proxy_buffer_size 4k;
                #proxy_buffers 4 32k;
                #proxy_busy_buffers_size 64k;
                #proxy_temp_file_write_size 64k;

        }
}

}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,199902,199902#msg-199902




More information about the nginx mailing list