How to improve nginx security

Nginx is one of the most popular web servers today. It serves 7% of the world's web traffic and is growing at an astonishing rate. It's an amazing server and I'd love to deploy it.

The following is a list of common security pitfalls and solutions that can help ensure that your Nginx deployment is secure.

1. Use "if" carefully in configuration files. It is part of the rewrite module and should not be used anywhere.

The "if" statement is a mandatory part of the override module evaluation directive. In other words, Nginx configuration is generally declarative. In some cases, due to user demand, they tried to use "if" inside some non-overridden directives, which resulted in the situation we are facing now. Works fine in most cases, but...see above.

It seems like the only correct solution is to completely disable "if" inside non-overridden directives. This will change a lot of the existing configuration, so it's not done yet.

2. Forward each ~ .php$ request to PHP. We published an introduction to potential security vulnerabilities in this popular command last week. Even if the file name is hello.php.jpeg, it will match the ~.php$ regular pattern and execute the file.

There are now two good ways to solve the above problems. I think it's important to ensure that you don't easily execute arbitrary code with mixed methods.

If the file is not found, use try_files and only (which should be noted in all dynamic execution situations) to transfer it to the FCGI process running PHP.

Confirm that cgi.fix_pathinfo is set to 0 (cgi.fix_pathinfo=0) in the php.ini file. This ensures that PHP checks the full name of the file (when it doesn't find .php at the end of the file it will ignore it)

Fixes issue with regular expressions matching incorrect files. The regex now considers any file containing ".php". Adding "if" after the site ensures that only the correct files will run. Set both /location ~ .php$ and location ~ ..*/.*.php$ to return 403;

3. Disable the autoindex module. This may have changed in the Nginx version you are using. If not, just add the autoindex off; statement in the location block of the configuration file.

4. Disable ssi (server side reference) on the server. This can be done by adding ssi off; in the location block.

5. Turn off server tags. If enabled (by default) all error pages will display the server version and information. Add the server_tokens off; statement to the Nginx configuration file to resolve this issue.

6. Set up custom caching in the configuration file to limit the possibility of buffer overflow attacks.

client_body_buffer_size 1K;

client_header_buffer_size 1k;

client_max_body_size 1k;

large_client_header_buffers 2 1k;

7. Set timeout low Prevent DOS attacks. All these declarations can be placed in the main configuration file.

client_body_timeout 10;

client_header_timeout 10;

keepalive_timeout 5 5;

send_timeout 10;

8. Limit the number of user connections to Prevent DOS attacks.

limit_zone slimits $binary_remote_addr 5m;

limit_conn slimits 5;

9. Try to avoid using HTTP authentication. HTTP authentication uses crypt by default, and its hash is not secure. If you want to use it, use MD5 (this is not a good choice but it is better than crypt in terms of load).

10. Stay up to date with the latest Nginx security updates.

The above is the detailed content of How to improve nginx security. For more information, please follow other related articles on the PHP Chinese website!