Nginx Security Hardening and Rules
Maxim Dounin
mdounin at mdounin.ru
Mon Oct 20 13:45:17 UTC 2014
Hello!
On Mon, Oct 20, 2014 at 09:37:51AM -0400, c0nw0nk wrote:
> Yeah, sorry about that Maxim, I don't actually use the allow ip feature. I
> accidentally hashed out the #deny all; and this forum does not let us edit our
> posts.
This is because it's not a forum, it's a mailing list.
> Other than that the following that you posted.
>
> if ($request_method !~ ^(GET|HEAD|POST)$ ) {
> return 444;
> }
>
> For nginx itself this is not needed. Something like this may be
> useful if you are protecting your backends. See also limit_except
> which can be used on a per-location level:
>
> limit_except GET POST {
> deny all;
> }
>
> Did you intentionally miss HEAD?
> limit_except GET HEAD POST {
> deny all;
> }
Yes, see http://nginx.org/r/limit_except. HEAD is automatically
included if you specify GET.
> I don't see the benefit of using one over the other; they both do the same
> thing.
The limit_except is expected to be slightly more efficient as
it'll use the already parsed request method id instead of a regular
expression.
--
Maxim Dounin
http://nginx.org/
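
Added example, not part of the original message or of the nginx project's documentation: a per-location use of limit_except in front of a proxied backend, the case the reply says the restriction is useful for. The upstream name, backend address, server name and location paths are assumptions chosen for illustration.

```nginx
# Illustrative configuration (added example). The names app_backend,
# example.com, /static/ and /app/ are placeholders, not from the thread.
upstream app_backend {
    server 127.0.0.1:8080;        # placeholder backend address
}

server {
    listen 80;
    server_name example.com;      # placeholder

    # Read-only content: only GET is listed. HEAD is allowed as well,
    # because limit_except includes HEAD whenever GET is specified.
    location /static/ {
        limit_except GET {
            deny all;             # any other method is rejected with 403
        }
        proxy_pass http://app_backend;
    }

    # Form handling: GET, HEAD (implied by GET) and POST reach the backend;
    # PUT, DELETE, OPTIONS and the rest are stopped at nginx.
    location /app/ {
        limit_except GET POST {
            deny all;
        }
        proxy_pass http://app_backend;
    }
}
```

Unlike the `return 444` variant quoted above, which closes the connection without a response, `deny all` inside limit_except answers with 403 Forbidden.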