
The Ultimate Guide to Secure, Harden and Improve Performance of Nginx Web Server


1. Hide details about Nginx

By default nginx reveals its exact version in the Server response header, as shown below.

Knowing the precise release lets an attacker look up the vulnerabilities published for that version and go straight to a working exploit, so the version should not be advertised.

[linuxuser@centos7-nginx ~]$ curl -I http://35.225.245.112
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 23 May 2018 19:14:48 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
Connection: keep-alive
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes

Disable the leak by adding server_tokens off; to the http section of the nginx configuration file /etc/nginx/nginx.conf:

http {
    server_tokens off;
}

Note that server_tokens off only strips the version, both from the Server header and from the footer of nginx's built-in error pages; the header still reads Server: nginx. Removing or replacing the header entirely requires the third-party headers-more module (more_clear_headers 'Server';) or a custom build.

Save the file, check the syntax with nginx -t, and reload nginx:

$ sudo systemctl reload nginx

Confirm that the nginx version details are no longer shown.

[linuxuser@centos7-nginx ~]$ curl -I http://35.225.245.112
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 May 2018 19:17:53 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
Connection: keep-alive
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes

2. Enable X-XSS Protection

The X-XSS-Protection header does not protect the server itself; it switches on the built-in reflected-XSS filter in browsers that have one, and with mode=block it stops the page from rendering at all when the filter fires rather than trying to sanitise it. Treat it as a legacy, best-effort control: Chromium-based browsers have removed their filter and Firefox never implemented one, so real XSS defence still comes from output encoding and a Content-Security-Policy header. Add the line add_header X-XSS-Protection "1; mode=block"; to the http section of /etc/nginx/nginx.conf, next to server_tokens:

http {
    server_tokens off;
    add_header X-XSS-Protection "1; mode=block";
}

Save the file and reload nginx.

3. Disable undesirable HTTP methods

A typical site only needs GET, HEAD and POST. Methods such as TRACE, DELETE and PUT should be refused: TRACE echoes the full request back to the client and has been used in cross-site tracing (XST) attacks to read cookies that page scripts cannot otherwise access, and PUT or DELETE give a misconfigured backend a way to change content. nginx itself does not implement TRACE, but an explicit whitelist still keeps unexpected methods away from any application nginx proxies to.

To enforce this, add the block below in the server section of /etc/nginx/nginx.conf:

server {
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }
}

A bare return inside if at server level is one of the safe uses of nginx's if directive; inside a location block prefer limit_except GET POST { deny all; } (allowing GET also allows HEAD), which answers with 403 instead of 405. If the site serves cross-origin API clients, add OPTIONS to the list so CORS preflight requests still succeed.

Save the file and reload the nginx service.

4. Prevent clickjacking attacks

In a clickjacking attack the attacker loads the legitimate site in an invisible iframe on a page they control and lines it up under a decoy button, so that the victim's click lands on a real control in the framed site (a "confirm payment" or "delete account" button, for instance). The defence is to tell the browser who may frame the page: the X-Frame-Options header with the value SAMEORIGIN allows the page to be framed only by pages from the same origin, while DENY forbids framing altogether. The Content-Security-Policy frame-ancestors directive is the modern replacement and is worth setting alongside it.

Add the line add_header X-Frame-Options "SAMEORIGIN"; in the http section of the nginx configuration file /etc/nginx/nginx.conf.

Remember that add_header directives are inherited from the http level only when the current level defines none of its own: a server or location block that sets any add_header discards the http-level ones, so repeat the security headers there.

Save the file and reload the nginx service.
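The fragments from items 1 to 4 fit together as follows. This is an added, consolidated excerpt written for this page, not configuration from the original post; the server name example.com, the document root and the /api/ upstream are placeholders. It also shows the add_header inheritance pitfall described above, and uses the always parameter (nginx 1.7.5 and later) so the headers are also sent on error responses such as the 405 from the method check.

```nginx
# /etc/nginx/nginx.conf (excerpt). Added example, not the original post's config.
http {
    server_tokens off;                                   # item 1: hide version

    # Items 2 and 4. "always" also attaches the headers to 4xx/5xx responses.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    server {
        listen 80;
        server_name example.com;                         # placeholder
        root /usr/share/nginx/html;                      # placeholder

        # Item 3: reject every method except GET, HEAD and POST.
        # A plain return inside if at server level is safe; avoid other if uses.
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        # Pitfall: add_header is not merged across levels. Because this block
        # sets its own add_header, the http-level headers would be dropped
        # here unless they are repeated.
        location /api/ {
            add_header Cache-Control "no-store" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            proxy_pass http://127.0.0.1:8080;            # placeholder upstream
        }
    }
}
```

After editing, run sudo nginx -t before reloading; a typo in the regex or a missing semicolon is reported there instead of taking the server down.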

5. Always keep nginx up to date

Updates are how fixes for vulnerabilities disclosed in earlier releases reach your server. On CentOS the distribution or EPEL package frequently backports fixes without changing the upstream version number, so compare the package release (rpm -q nginx) rather than the nginx/x.y.z string alone. Run:

$ sudo yum update nginx

After the package update, make sure nginx is restarted (a reload alone keeps the old binary running) and confirm the running version with nginx -v.
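To verify that items 1 to 4 above actually took effect, the script below audits raw HTTP responses of the kind curl -i prints: it checks the Server header for a version string, the two security headers, and whether any method outside the GET/HEAD/POST whitelist still gets a success response. This is an added example written for this page, not code from the original post; the "before" and "after" responses in it are constructed for the demo (the DELETE 204 stands for a proxied application that honours DELETE), and the fetch helper is only needed against a live host.

```python
"""Offline audit of hardening items 1-4 from this guide.

Added example, not part of the original post: it parses raw HTTP responses
(the text `curl -i` prints) and reports whether each item is in place.
The sample responses below are constructed; nothing here contacts a server
unless fetch() is called explicitly.
"""
import http.client
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}      # the whitelist from item 3
VERSION_RE = re.compile(r"nginx/\d+\.\d+")       # matches e.g. "nginx/1.12.2"


def parse_response(raw):
    """Return (status_code, {lower-cased header name: value}) for a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(responses):
    """responses: {METHOD: raw response text}. Returns {check: (passed, detail)}."""
    results = {}
    _, hdrs = parse_response(responses.get("HEAD") or responses["GET"])

    # Item 1: server_tokens off -> the Server header must not carry a version.
    server = hdrs.get("server", "")
    results["server_tokens"] = (not VERSION_RE.search(server), f"Server: {server!r}")

    # Item 2: X-XSS-Protection present and in block mode.
    xss = hdrs.get("x-xss-protection", "")
    results["x_xss_protection"] = (xss.replace(" ", "").lower() == "1;mode=block",
                                   f"X-XSS-Protection: {xss!r}")

    # Item 4: SAMEORIGIN or DENY both stop cross-site framing.
    xfo = hdrs.get("x-frame-options", "").upper()
    results["x_frame_options"] = (xfo in ("SAMEORIGIN", "DENY"), f"X-Frame-Options: {xfo!r}")

    # Item 3: no method outside the whitelist may get a success response.
    # 405 is what the guide's `return 405;` yields and 403 what limit_except
    # yields; any 4xx/5xx counts as rejected.
    served = [f"{m}->{parse_response(r)[0]}" for m, r in responses.items()
              if m not in ALLOWED_METHODS and parse_response(r)[0] < 400]
    results["methods"] = (not served,
                          ("served: " + ", ".join(served)) if served
                          else "non-whitelisted methods rejected")
    return results


def fetch(host, port=80, methods=("HEAD", "TRACE", "DELETE", "OPTIONS")):
    """Collect raw responses from a live server (needs network; unused by the demo)."""
    out = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, "/")
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        out[method] = "\r\n".join(lines) + "\r\n\r\n"
        conn.close()
    return out


# Constructed sample data: a stock install and a hardened one.
BEFORE = {
    "HEAD": "HTTP/1.1 200 OK\r\nServer: nginx/1.12.2\r\nContent-Type: text/html\r\n\r\n",
    # A proxied application behind nginx that honours DELETE (constructed).
    "DELETE": "HTTP/1.1 204 No Content\r\nServer: nginx/1.12.2\r\n\r\n",
}
AFTER = {
    "HEAD": ("HTTP/1.1 200 OK\r\nServer: nginx\r\nX-XSS-Protection: 1; mode=block\r\n"
             "X-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n"),
    "DELETE": "HTTP/1.1 405 Not Allowed\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for label, responses in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for check, (ok, detail) in audit(responses).items():
            print(f"{'PASS' if ok else 'FAIL'}  {check:18} {detail}")
```

Against a real host, replace the sample dictionaries with fetch("your.host") and read the four PASS/FAIL lines; a FAIL on x_xss_protection or x_frame_options for a URL served from a location block with its own add_header directives is usually the inheritance pitfall from item 4 rather than a missing http-level line.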

Special note: HostAdvice’s hosting reviews allow you to consult with thousands of users before purchasing a hosting plan. If you are looking to purchase a CentOS VPS plan, consult the VPS hosting reviews or Linux Hosting reviews.
