Nginx Security Hardening and Rules

c0nw0nk nginx-forum at nginx.us
Sun Oct 19 02:51:20 UTC 2014


So since I searched the Nginx Forum I can't find anyone who has posted a
topic for Nginx security rules or examples, so I will be the first to share
my examples regardless of how bad an idea some people may think that is.

So the first security addition is to block direct IP access to my server:
connecting via IP instead of an assigned domain name will result in an error
or denied request.

server {
    # default_server makes this the catch-all, so a request whose Host header
    # is a bare IP (or any name you did not configure) lands here and gets 404
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    location / {
        #deny  all;
        return 404;
    }
}

Hide your Nginx version / information by turning off server tokens and
restrict upload file sizes.

server_tokens off;
# File uploads
client_max_body_size 10M;

Another thing is to block access to certain directories or config files, even
file paths or locations that could be resource intensive or contain
sensitive data, allowing access to only your IP.

location ~ ^/(xampp|security|phpmyadmin|licenses|webalizer|server-status|server-info|cpanel|configuration\.php|htaccess) {
    #return 404;
    allow 192.168.1.5;
    deny  all;   # required: an allow with no deny admits every client
}

Deny running scripts inside writable directories unless the request comes from your own IP.

location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
    #return 403;
    allow 192.168.1.5;
    deny  all;   # required: an allow with no deny admits every client
}

Only allow these request methods: GET|HEAD|POST. Do not accept DELETE, SEARCH
and other methods.

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}

Apparently itpp2012 told me in another post the zero day exploit was fixed
but I see no harm in having it in here. (And some people still run outdated
PHP versions.)

location ~ \.php$ {
    # Zero-day exploit defense.
    # http://forum.nginx.org/read.php?2,88845,page=3
    # Won't work properly (404 error) if the file is not stored on this server,
    # which is entirely possible with php-fpm/php-fcgi.
    # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another
    # machine. And then cross your fingers that you won't get hacked.
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # Hand-off to PHP-FPM; the address below is a placeholder, adjust it to your setup
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}

Password restrict directories you only want yourself or admins to access.

# the original had a stray ')' in the regex, which nginx rejects at startup
location ~ ^/administrator/ {
    auth_basic "Restricted";
    auth_basic_user_file C:/www/vhosts/passwd;
}

Looking forward to seeing what other people use and if I can adapt anyone else's
to my own setup. I run a Joomla environment but I know that this can be
helpful for WordPress users too.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254125#msg-254125
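As an added check (example code written for this page, not taken from the post or from nginx), the following Python evaluator applies the post's rules in the order they appear to a few constructed log lines; ADMIN_IP, the log format and the outcome labels are assumptions, and the evaluator models nginx's first-matching-regex-location behaviour rather than running nginx.

```python
import ipaddress
import re

# Added illustration (not nginx, not the poster's code): evaluates the post's rules in post order.
ADMIN_IP = "192.168.1.5"  # the "your own IP" value used throughout the post
ALLOWED_METHODS = re.compile(r"^(GET|HEAD|POST)$")
# Regex locations in post order; nginx uses the first regex location that matches.
LOCATIONS = [
    ("sensitive", re.compile(r"^/(xampp|security|phpmyadmin|licenses|webalizer|"
                             r"server-status|server-info|cpanel|configuration\.php|htaccess)")),
    ("script-in-writable", re.compile(
        r"/(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$", re.IGNORECASE)),
    ("php", re.compile(r"\.php$")),
    ("administrator", re.compile(r"^/administrator/")),
]
# Constructed log_format '$remote_addr "$request" $host' (an assumption for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+" (?P<host>\S+)$')

def decide(client_ip, method, path, host):
    """Return (location, outcome) for one request under the post's rules."""
    try:  # bare-IP Host header (v4 or bracketed v6): the catch-all server answers 404
        h = host[1:host.index("]")] if host.startswith("[") else host.split(":")[0]
        ipaddress.ip_address(h)
        return ("default_server", "404")
    except ValueError:
        pass
    if not ALLOWED_METHODS.match(method):  # server-level `if` runs before location selection
        return ("server", "444")
    uri = path.split("?", 1)[0]  # $uri never carries the query string
    for name, rx in LOCATIONS:
        if rx.search(uri):
            if name in ("sensitive", "script-in-writable"):
                return (name, "allow" if client_ip == ADMIN_IP else "403")
            return (name, "auth_basic" if name == "administrator" else "fastcgi")
    return ("/", "static")

def audit(log_lines):
    hits = (LOG_RE.match(line) for line in log_lines)
    return [decide(m["ip"], m["method"], m["path"], m["host"]) for m in hits if m]

SAMPLE = [  # constructed sample lines, not real traffic
    '203.0.113.7 "GET / HTTP/1.1" 198.51.100.20',
    '203.0.113.7 "DELETE /index.php HTTP/1.1" example.com',
    '203.0.113.7 "GET /phpmyadmin/ HTTP/1.1" example.com',
    '192.168.1.5 "GET /phpmyadmin/ HTTP/1.1" example.com',
    '203.0.113.7 "GET /images/a.php?x=1 HTTP/1.1" example.com',
    '203.0.113.7 "GET /administrator/ HTTP/1.1" example.com',
    '203.0.113.7 "GET /administrator/index.php HTTP/1.1" example.com',
]
```

The last sample line exposes an ordering caveat in the post's config: because nginx takes the first matching regex location, /administrator/index.php is handled by the \.php$ block and never reaches the auth_basic one. Declare the administrator location before the PHP one (or handle PHP inside it) so the password prompt actually covers Joomla's admin entry point.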
