Nginx Security Hardening and Rules

Maxim Dounin mdounin at mdounin.ru
Mon Oct 20 13:45:17 UTC 2014


Hello!

On Mon, Oct 20, 2014 at 09:37:51AM -0400, c0nw0nk wrote:

> Yeah sorry about that Maxim, I don't actually use the allow ip feature, I
> accidentally hashed out the #deny all; and this forum does not let us edit our
> posts.

This is because it's not a forum, it's a mailing list.

> Other than that the following that you posted.
> 
> if ($request_method !~ ^(GET|HEAD|POST)$ ) {
>     return 444;
> }
> 
> For nginx itself this is not needed. Something like this may be
> useful if you are protecting your backends. See also limit_except
> which can be used on a per-location level:
> 
> limit_except GET POST {
>     deny all;
> }
> 
> Did you intentionally miss HEAD?
> limit_except GET HEAD POST {
>     deny all;
> }

Yes, see http://nginx.org/r/limit_except.  HEAD is automatically 
included if you specify GET.

> I don't see the benefit from using one to the other, they both do the same
> thing.

The limit_except is expected to be slightly more efficient as 
it'll use the already parsed request method id instead of a regular 
expression.

-- 
Maxim Dounin
http://nginx.org/
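
The two forms discussed in this message, side by side in front of a backend, as an added example that is not part of the original message or the nginx project's own configuration. The server name, location paths and upstream address are assumptions chosen for illustration.

```nginx
# Added example: server_name, paths and the 127.0.0.1:8080 upstream are assumed.
server {
    listen 80;
    server_name example.com;

    # Form 1: regex test on $request_method, as quoted in the thread.
    # 444 is an nginx-specific code: the connection is closed and no
    # response is sent, so the client sees a dropped connection.
    location /legacy/ {
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 444;
        }
        proxy_pass http://127.0.0.1:8080;
    }

    # Form 2: limit_except, valid only at location level.
    # Listing GET also allows HEAD, so HEAD is not named.
    # "deny all" comes from the access module: other methods get 403.
    location /app/ {
        limit_except GET POST {
            deny all;
        }
        proxy_pass http://127.0.0.1:8080;
    }

    # Read-only area: only GET (and therefore HEAD) reach the backend;
    # POST, PUT, DELETE and the rest are answered with 403 by nginx.
    location /static/ {
        limit_except GET {
            deny all;
        }
        proxy_pass http://127.0.0.1:8080;
    }
}
```

After `nginx -t` and a reload, `curl -i -X DELETE` against `/app/` should show a 403 from nginx, while the same request against `/legacy/` ends with the connection closed and no response.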


