7 Important Steps For Hardening Nginx

SecurityForEveryone

S4E.io

11/Dec/24

Securing your Nginx server is crucial to protecting your applications and data from potential cyberattacks. By implementing a few key configuration changes, you can significantly reduce your server’s attack surface, improve its resilience against threats, and ensure better overall security. Below are seven essential steps to harden your Nginx setup and keep your system secure.

1. Hide Nginx Version Information

  • One of the most useful pieces of information you can hand an attacker is the exact version of Nginx you are running. As we’ve previously discussed, if an attacker doesn’t know your Nginx version, their job becomes much harder, and they may be forced to look for another entry point. You can hide the version by editing nginx.conf (located in /etc/nginx/) and setting the server_tokens directive to off. If the line is present but commented out, simply remove the leading #, so the block reads as shown below:
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens off;

2. Hide X-Powered-By Header in Proxy Mode

  • If you’re using Nginx as a reverse proxy, you can also hide version information leaked by backend components such as PHP. The proxy_hide_header directive strips the named header from the upstream response before Nginx relays it to the client; add the following to your nginx.conf (located in /etc/nginx/):
proxy_hide_header X-Powered-By;

3. Restrict Access to Critical Endpoints

  • It is also recommended to restrict access to critical endpoints, such as admin panels, by using a whitelist. This can be done in the configuration file. For example:
location /wp-admin {
  allow 1.2.3.4;
  allow 192.168.0.0/24;
  deny all;
}
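The allow/deny rules above are evaluated top to bottom and the first match decides, which is why the trailing deny all matters. The following is an added example (not code from the original article) that re-implements that first-match logic in Python with the standard ipaddress module, so the ordering of a rule list can be checked before it goes into production. The rule lists named MISORDERED_RULES and OPEN_RULES are constructed counter-examples, not configuration from the page.

```python
"""Evaluate nginx allow/deny rules for a client address: first matching rule wins.

Added example, not from the original article; it re-implements the rule
semantics of ngx_http_access_module in Python so rule ordering can be tested.
"""
import ipaddress

# The allowlist from the article's /wp-admin block, in configuration order.
WP_ADMIN_RULES = [
    ('allow', '1.2.3.4'),
    ('allow', '192.168.0.0/24'),
    ('deny', 'all'),
]

# Constructed counter-example: 'deny all' listed first shadows every allow after it.
MISORDERED_RULES = [
    ('deny', 'all'),
    ('allow', '192.168.0.0/24'),
]

# Constructed counter-example: allow rules with no closing 'deny all'.
OPEN_RULES = [
    ('allow', '1.2.3.4'),
]


def is_allowed(client_ip, rules):
    """Return True if client_ip may access a location guarded by `rules`.

    Rules are checked top to bottom and the first one that matches decides;
    a bare host is treated as a /32 (or /128) network, and an address of the
    wrong IP family never matches a network. If no rule matches at all, nginx
    grants access, which is why an allowlist must end with 'deny all'.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == 'all':
            matched = True
        else:
            # ip_network handles both '1.2.3.4' and '192.168.0.0/24';
            # 'in' returns False when address and network families differ.
            matched = addr in ipaddress.ip_network(target, strict=False)
        if matched:
            return action == 'allow'
    return True


if __name__ == '__main__':
    for ip in ('1.2.3.4', '192.168.0.77', '10.0.0.1', '2001:db8::1'):
        print(ip,
              'page rules:', is_allowed(ip, WP_ADMIN_RULES),
              'misordered:', is_allowed(ip, MISORDERED_RULES),
              'no deny all:', is_allowed(ip, OPEN_RULES))
```

Two practical caveats when you apply this in Nginx itself: a denied client receives a 403 response, and the address being tested is $remote_addr, which behind a load balancer or CDN is the proxy’s address rather than the visitor’s. In that deployment the allowlist only works if you configure ngx_http_realip_module (set_real_ip_from for each trusted proxy and real_ip_header) so that Nginx substitutes the forwarded client address; never trust X-Forwarded-For from untrusted sources.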

4. Limit Buffer Size to Mitigate DoS Attacks

  • To mitigate potential DoS attacks against Nginx, you can set buffer size limits for all clients by adding the following directives to the Nginx configuration file:
    • client_body_buffer_size: Use this directive to specify the buffer size for client request bodies. The default value is 8k or 16k, but it is recommended to lower this to 1k.
    • client_max_body_size: This directive specifies the maximum body size accepted for a client request. A setting of 1k may suffice, but if you’re accepting file uploads via POST, you may need to increase this value.
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
client_body_buffer_size 1k;
client_max_body_size 1k;
server_tokens off;

5. Disable Unnecessary HTTP Methods

  • Disable unwanted HTTP methods. Attackers may attempt to manipulate your system by changing request methods. This can be mitigated by adding a limit_except rule to the root location (location /) in the configuration file; every method not listed is refused:
location / {
  limit_except GET HEAD POST {
    deny all;
  }
}

6. Enable ModSecurity for Web Application Firewall

  • ModSecurity is an open-source web application firewall engine. It can be loaded into Nginx as a dynamic module through the ModSecurity-nginx connector and combined with a rule set such as the OWASP Core Rule Set to inspect requests before they reach your application.
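Steps 1 to 5 all come down to directives that must actually be present in the configuration, and a typo such as a missing semicolon or a misspelled directive name silently leaves a control unapplied. The following is an added example (not code from the original article or from the Nginx project) that parses an nginx.conf into a directive tree and reports which of those five controls are missing. WEAK_CONF and HARDENED_CONF are constructed sample configurations; the parser is deliberately minimal (it does not follow include directives, and a # inside a quoted string would be treated as a comment).

```python
"""Audit an nginx configuration for the hardening directives in steps 1 to 5.

Added example, not code from the original article. The parser is a deliberate
simplification: it ignores 'include' and treats '#' inside quotes as a comment.
"""
import re

# Constructed sample: the 'before' state (server_tokens still commented out,
# no buffer limits, no proxy_hide_header, allowlist without 'deny all', no limit_except).
WEAK_CONF = """
http {
    sendfile on;
    # server_tokens off;
    server {
        location /wp-admin {
            allow 192.168.0.0/24;
        }
        location / {
            proxy_pass http://backend;
        }
    }
}
"""

# Constructed sample: the same config with the article's hardening applied.
HARDENED_CONF = """
http {
    server_tokens off;
    client_body_buffer_size 1k;
    client_max_body_size 1k;
    proxy_hide_header X-Powered-By;
    server {
        location /wp-admin {
            allow 1.2.3.4;
            allow 192.168.0.0/24;
            deny all;
        }
        location / {
            limit_except GET HEAD POST { deny all; }
            proxy_pass http://backend;
        }
    }
}
"""

# Tokens: braces, semicolons, quoted strings, or runs of anything else.
TOKEN = re.compile(r'''\{|\}|;|"[^"]*"|'[^']*'|[^\s{};"']+''')


def parse(text):
    """Return the config as a list of (name, args, children); children is None for simple directives."""
    tokens = TOKEN.findall(re.sub(r'#[^\n]*', '', text))  # drop comments first
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != '}':
            words = []
            while pos < len(tokens) and tokens[pos] not in (';', '{'):
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens) or not words:
                raise ValueError('malformed directive near: %s' % ' '.join(words))
            if tokens[pos] == ';':
                pos += 1                      # consume ';'
                items.append((words[0], words[1:], None))
            else:
                pos += 1                      # consume '{'
                children = block()
                if pos >= len(tokens):
                    raise ValueError('missing closing brace for %s' % words[0])
                pos += 1                      # consume '}'
                items.append((words[0], words[1:], children))
        return items

    return block()


def walk(items):
    """Yield every directive in the tree, depth first, as (name, args, children)."""
    for name, args, children in items:
        yield name, args, children
        if children is not None:
            yield from walk(children)


def audit(conf):
    """Return a list of findings keyed to the article's steps; empty means all checks passed."""
    nodes = list(walk(parse(conf)))

    def has(name, *prefix):
        return any(n == name and a[:len(prefix)] == list(prefix) for n, a, _ in nodes)

    findings = []
    if not has('server_tokens', 'off'):
        findings.append('step 1: server_tokens is not set to off')
    if not has('proxy_hide_header', 'X-Powered-By'):
        findings.append('step 2: X-Powered-By is not hidden from proxied responses')
    for name, args, children in nodes:
        if name != 'location' or children is None:
            continue
        acl = [(n, a) for n, a, _ in children if n in ('allow', 'deny')]
        if acl and acl[-1] != ('deny', ['all']):
            findings.append('step 3: location %s has allow rules but no trailing "deny all"' % ' '.join(args))
        if args == ['/'] and not any(n == 'limit_except' for n, _, _ in children):
            findings.append('step 5: location / does not restrict methods with limit_except')
    for name in ('client_body_buffer_size', 'client_max_body_size'):
        if not has(name):
            findings.append('step 4: %s is not set' % name)
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit(conf) or 'OK')
```

Run it against the real file with something like audit(open('/etc/nginx/nginx.conf').read()) after nginx -t has confirmed the syntax; nginx -t catches the missing semicolons and the misspelled server tokens directive, while this audit catches directives that are simply absent. Then confirm the result from the outside with curl -sI against the site and check that the Server and X-Powered-By headers no longer carry a version.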

7. Regularly Update Software and Libraries

  • Lastly, and most importantly, always make sure to use the most up-to-date versions of your server, and any libraries or frameworks running on it, to ensure maximum security.

What is Nginx?

Nginx is a high-performance, open-source web server and reverse proxy server. Originally developed by Igor Sysoev in 2004, it has since become a popular choice for large-scale websites and projects due to its efficiency and scalability.

Use Cases of Nginx

  • Nginx serves static files (HTML, CSS, JavaScript) and dynamic content efficiently and quickly.
  • It can accept HTTP/HTTPS requests and forward them to backend application servers, enabling load balancing. This leads to improved performance and scalability.
  • Nginx can distribute incoming requests across servers, ensuring balanced usage of server resources and optimizing efficiency.
  • By caching both static and dynamic content, it significantly enhances performance, which is especially crucial for high-traffic websites.
  • It filters traffic and applies restrictions to specific IP addresses or request types, offering enhanced security.
  • Nginx manages SSL/TLS certificates, ensuring secure connections via HTTPS.

Key Features of Nginx

  • Nginx is renowned for its low memory consumption and high connection capacity.
  • Unlike traditional servers, which create a separate thread or process for each client, Nginx’s asynchronous, event-driven architecture allows it to handle many concurrent requests efficiently.
  • It features a simple, readable configuration file structure, making it easy to manage.

Vulnerabilities Discovered in Nginx

  • Even in recent versions of Nginx, several vulnerabilities have been identified. As of October 18, 2024, the latest version is 1.27.2. Notably, many vulnerabilities have been found in versions 1.26.0 and below. To check if these vulnerabilities have been patched and to view the details, visit the following link:
    https://nginx.org/en/security_advisories.html
  • If the term “The patch” is mentioned on the relevant page, it indicates that the vulnerability has been patched in that version.
  • As a further note, a vulnerability in software, libraries, or other components may not always impact you directly. For example, there could be a severe security issue in a specific function of a library within a certain version of Python. While you may be using that version, if you aren’t using the vulnerable function, you may not be affected. This explanation is provided for informational purposes only. Nevertheless, it’s always recommended to use the most up-to-date version of any software to ensure security.
