Nginx Web Server Security Best Practices

Nginx, pronounced “engine-ex,” is a high-performance HTTP server and reverse proxy that is lightweight, open-source, and resilient. It has surpassed Apache and IIS as the most used web server and is known for its reliability, speed, extensive feature set, ease of configuration, and minimal resource usage. Thanks to its early popularity as a web server, it is now also widely used as a reverse proxy, HTTP cache, and load balancer.

Nginx is a free, open-source web server for serving high-traffic websites. It’s well-known for its dependability, high performance, minimal resource usage, and compact setup. WordPress.com, GitHub, Netflix, Airbnb, Hulu, Eventbrite, Pinterest, and SoundCloud are just a handful of the major sites that use Nginx.

Igor Sysoev created Nginx and first released it to the public in October 2004. He originally designed the program to solve the C10k problem, the performance challenge of handling 10,000 concurrent connections.

Nginx typically outperforms other popular web servers in benchmark testing, especially in scenarios with static content and many concurrent requests, which is why Kinsta utilizes Nginx to power its hosting.

Functioning of Nginx

Nginx was created with minimal memory consumption and high concurrency in mind. Nginx employs an asynchronous, event-driven method where requests are processed in a single thread rather than establishing separate processes for each web request.

Nginx runs one master process that controls many worker processes. The master maintains the workers, and the workers do the actual request processing. Because Nginx is asynchronous, each worker can handle many requests concurrently without one request blocking the others.

Advantages of using Nginx

Serving static files is easy

Nginx’s outstanding performance can be seen when it serves static files such as PDF, ZIP, HTML, MP4, MPEG, AVI, JPG, GIF, and PNG. Those who want to improve the web server’s speed further can enable caching.

Conversion of dynamic content into static content

When dynamic content from a proxied backend is cached with Nginx’s HttpProxyModule, it is cached efficiently without any change to the application code.

More compatible as compared to other similar servers

Nginx handles the traffic of any web application without problems and serves many popular applications, including WordPress, Ruby, Python, Joomla, Drupal, vBulletin, and phpBB. Because Nginx does not read .htaccess files, a few rewrite rules may need to be ported when Nginx replaces a server that relied on them.

Boosts the speed of websites, resulting in better Google ranking

Almost every big website, including YouTube, Pinterest, Instagram, WordPress.com, and Tumblr, uses Nginx to manage traffic since they all aim to attain the highest possible website speed. Nginx is used by the majority of CDN providers for the same reason.

Google has already made several adjustments to its search ranking algorithm, and most recently it added website speed to the mix. If a website is poorly optimized and serves content slowly, Google will choose to ignore it; Google gives the most support to websites that load quickly. Moreover, the main search engines do not send much traffic to sluggish websites.

Those who use Nginx can expect fast website loading times, and as a consequence Google will rank them higher. Users may also install Google PageSpeed on Nginx.

Load balancing support

One of Nginx’s most notable features is its ability to load-balance fast-scaling HTTP servers. Nginx load balancing distributes traffic over many servers, which lets users scale their applications while also providing HTTP redundancy. Server-side setup is quick and simple as well.


Best Practices for Nginx Security 

Most users keep the default options, but these are not safe enough: while strong and dependable, the default configuration is not secure, and further changes are needed to reinforce the web server and protect it against attacks and breaches. Here, we’ll look at several steps you can take to improve the security of your Nginx server.

  • Keeping Nginx updated

Isn’t it simple? One of the ways you can safeguard your web server is to keep it up to date. Updating your web server installs the fixes for known vulnerabilities that attackers could otherwise use to compromise your server.

Nginx versions 1.6.3 and 1.6.2-5 are currently available in the CentOS (EPEL) and Debian repositories, respectively. Even though installing software from repositories is easier than building it from source code, the latter method offers two advantages:

  • You may add more modules to Nginx (such as ModSecurity)
  • It will always give a newer version than the repository (1.19 as of today).

Aside from that, every update brings speed improvements, security patches, and new features. The release notes can be read on the Nginx website at any time.

  • Removing unnecessary modules

Nginx comes with a lot of modules by default when you install it. Modules that were compiled in statically cannot be switched off at runtime; to deactivate a particular module, you need to recompile Nginx without it.

It’s good to remove any unneeded modules from the default server build to reduce the attack surface further. As a best practice, keep your build compact and enable only the modules needed to deliver your content from the web server. But be careful not to remove any modules that you might need. Been there and done that.

As a guideline, test in a QA or staging environment before deciding which modules can be deactivated and which your web server requires.

  • Implementing SSL Certificate

The first and most important step in improving the security of your Nginx server is to use an SSL certificate as an additional layer of protection. The certificate lets your server establish encrypted TLS connections with web browsers, and you can then force your site to use HTTPS instead of plain HTTP, which sends traffic in plain text. This protects the back-and-forth communication from attackers who could otherwise eavesdrop and steal sensitive information such as usernames, passwords, and credit card numbers.

  • Disabling weak TLS/SSL Protocols

If at all feasible, avoid using SSL in all of its variants and use TLS instead. The allowed protocol versions are configured in a server or http context in your virtual host file, or in a separate file pulled in through an include directive.

An SSL certificate alone does not guarantee that your website is safe. Deprecated protocol versions such as TLS 1.0 and TLS 1.1 are weak and exposed to SSL/TLS attacks like POODLE, BEAST, and CRIME. Moreover, the most popular web browsers, including Chrome, Firefox, Safari, and Edge, have dropped support for TLS 1.0 and 1.1.

  • Preventing Information disclosure

Part of hardening your server is limiting information leakage as much as feasible. HTTP headers and error reporting can both leak information, including the version of Nginx you’re running, which you don’t want attackers to know. By default, Nginx includes this version in its HTTP response headers, which you can see by inspecting the response headers of any request.

  • Disabling unwanted HTTP Methods

Disabling dangerous HTTP methods is another good way to harden your Nginx server. GET, HEAD, and POST are the most commonly used methods. Allowing TRACE or DELETE is risky; TRACE in particular enables cross-site tracing attacks. Declutter your server by disabling all unnecessary HTTP methods.
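One way to enforce this, as an added example that is not from the original post: a server-wide method policy with `if`, then per-location tightening with `limit_except`. The site name, document root and backend address are placeholders.

```nginx
# Added example (not from the original post). Assumes example.com serves
# static files from /var/www/example and proxies one form handler.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;

    # Server-wide policy: anything other than GET, HEAD or POST gets
    # 405 Method Not Allowed. This covers TRACE, DELETE, PUT, OPTIONS, etc.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    # Static content never needs POST, so tighten further here.
    # limit_except names the methods that are NOT subject to the block;
    # GET implicitly includes HEAD. Everything else is denied with 403.
    location / {
        limit_except GET {
            deny all;
        }
    }

    # The form handler is the only path where POST is legitimate.
    location = /contact {
        limit_except GET POST {
            deny all;
        }
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}
```

After a reload, a TRACE or DELETE request anywhere on the host is answered with 405, and a POST to a static path with 403.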

  • Disabling weak cipher suites

In addition to implementing SSL, make it a mission to deactivate weak and insecure ciphers such as RC4. These are included by default purely for backward compatibility, and there is no valid need to keep them, because they are a possible security flaw that may be exploited. Replace the default cipher list with a strong cipher suite in your ssl.conf file.

Moreover, weak cipher suites can lead to vulnerabilities. Therefore, as a safe practice, we must ensure that only strong ciphers are permitted.
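The three TLS points above (forcing HTTPS, restricting protocol versions, and allowing only strong ciphers) combined in one virtual host, as an added example that is not from the original post; example.com, the certificate paths and the document root are placeholders.

```nginx
# Added example (not from the original post). Certificate paths under
# /etc/ssl/example/ and the document root are placeholders.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # Never serve content over plain HTTP; send every request to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    root /var/www/example;                              # placeholder

    ssl_certificate     /etc/ssl/example/fullchain.pem; # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;   # placeholder path

    # Offer only TLS 1.2 and 1.3. SSLv3, TLS 1.0 and TLS 1.1 are not
    # listed, so a client that supports nothing newer cannot connect.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: AEAD ciphers with ECDHE forward secrecy only.
    # No RC4, 3DES or CBC-mode suites. TLS 1.3 suites are fixed by OpenSSL.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With a list this strict, honouring the client's order is fine.
    ssl_prefer_server_ciphers off;

    # Session resumption via a shared cache; tickets are off because a
    # long-lived ticket key would undermine forward secrecy.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
}
```

Run `nginx -t` before reloading; a typo in the cipher string is rejected at config-test time rather than at the first handshake.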

  • Preventing buffer overflow

A buffer is an area of memory that temporarily holds data while it is moved from one location to another. A buffer overflow happens when the volume of data exceeds the buffer’s capacity, i.e., when software writes more data to a block of memory than the block can hold.

An attacker might use this flaw to push malicious code into a system and compromise it. To mitigate this, it is normal practice to make a few changes to the web server, setting limits on request buffer sizes in the nginx.conf file.

  • Preventing XSS Attacks

A cross-site scripting (XSS) attack occurs when an attacker uses a web application to inject malicious code, a browser-side script, into a trusted website. The script is downloaded when visitors view the site and can access browser resources such as cookies and session tokens. We already have enough viruses in the real world, we don’t need another one in our system!

  • Denying automated HTTP user agents

An HTTP user agent is the software that negotiates content with a web server. This includes malware bots and crawlers, which can degrade the speed of your web server by squandering system resources.

It’s a good idea to expressly reject particular user agents to keep your server safe from bots and other automated scripts that attackers may use to retrieve information from your site; the same traffic can also lead to denial-of-service conditions.

  • Preventing Image Hotlinking

Hotlinking is when someone displays an image hosted on your site on their own site by linking directly to your copy instead of uploading their own. The image appears on their page, but your server delivers it, so your bandwidth use (which you pay for) goes up while the other person proudly shows the image as if it were their own. In other words, you’ve suffered a double loss. To avoid this, simply open your NGINX configuration file, disable image hotlinking, and restart your server. Voila!
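The user-agent denial from the previous section and the hotlink protection from this one, together as an added example that is not from the original post. The bot names are constructed placeholders; example.com and its paths are assumptions.

```nginx
# Added example (not from the original post). The map must sit in the
# http context. Bot names are constructed; replace them with agents you
# actually see in your access log.
map $http_user_agent $deny_agent {
    default                            0;
    ""                                 1;  # empty User-Agent: almost never a browser
    ~*(BadBot|EvilScraper|MassFetch)   1;  # constructed names, case-insensitive match
}

server {
    listen 80;
    server_name example.com www.example.com;   # placeholders
    root /var/www/example;

    # Reject matched user agents before any content is served.
    if ($deny_agent) {
        return 403;
    }

    # Hotlink protection for image files.
    location ~* \.(jpe?g|png|gif|webp|svg)$ {
        # none:         no Referer header (direct visits, some mail clients)
        # blocked:      Referer stripped or masked by a proxy or firewall
        # server_names: any name listed in server_name above
        valid_referers none blocked server_names *.example.com;
        if ($invalid_referer) {
            return 403;   # a small placeholder image is the friendlier alternative
        }
        expires 30d;
    }
}
```

Allowing `none` means direct fetches without a Referer still work; dropping it blocks more hotlinks but also breaks clients that send no Referer at all.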

  • Excluding Server Headers

By default, an Nginx server announces itself in the response headers and on error pages as Server: nginx/1.12.1. The best approach is to remove the header entirely, which requires installing the nginx-extras package.

  • Configuring security headers

You may harden Nginx even further by adding a variety of HTTP security headers. These headers instruct the browser on how to handle the website’s content. One example is the Content-Security-Policy (CSP) header, which you can use to whitelist the resources your site is allowed to load and run: images, stylesheets, JavaScript, inline styles, and frames.
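A security-header set for the HTTPS server block, covering the XSS section above as well as this one, as an added example that is not from the original post; cdn.example.com and the snippet path are placeholders.

```nginx
# Added example (not from the original post). Goes inside the HTTPS server
# block. 'always' also attaches each header to 4xx/5xx responses.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;              # no MIME sniffing
add_header X-Frame-Options "SAMEORIGIN" always;                   # legacy clickjacking guard
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

# Content Security Policy: an allow-list of where each kind of content may
# load from. 'self' is the site's own origin. No inline scripts and no eval
# are permitted, so an injected <script> tag has nothing it may execute.
# Roll a new policy out as Content-Security-Policy-Report-Only first and
# watch for violation reports before switching to the enforcing header.
add_header Content-Security-Policy
    "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
    always;

# Caveat: a location inherits add_header directives only if it sets none of
# its own. A location that adds, say, Cache-Control must repeat the security
# headers, most conveniently from an include file.
location /static/ {
    include /etc/nginx/snippets/security-headers.conf;   # placeholder: holds the add_header lines above
    add_header Cache-Control "public, max-age=31536000, immutable";
}
```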

  • Configuring and Monitoring Nginx Logs

Nginx’s access and error logs are enabled by default and can be found at logs/access.log and logs/error.log, respectively. You can also select the severity level of messages that should be recorded. Monitoring the Nginx logs regularly gives you a better understanding of the requests made to your web server and helps you spot issues. This aids in detecting attack attempts as well as determining what you should do to improve server performance.
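A logging setup that gives monitoring something to work with, as an added example that is not from the original post: a richer access-log format, a second log holding only error responses, and an explicit error_log severity. Log paths are assumptions.

```nginx
# Added example (not from the original post). Goes in the http context.
# Richer access-log format: request timing and the client address as seen
# by an upstream proxy, both useful when investigating abuse.
log_format security '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    'rt=$request_time xff="$http_x_forwarded_for"';

# Every request goes to the main log. 4xx and 5xx responses are also
# written to a separate file that is much smaller and therefore easier to
# watch for scans, brute-force attempts and broken backends.
map $status $is_error {
    ~^[45]  1;
    default 0;
}
access_log /var/log/nginx/access.log      security buffer=32k flush=5s;
access_log /var/log/nginx/errors-only.log security if=$is_error;

# Severity levels, least to most severe:
# debug, info, notice, warn, error, crit, alert, emerg.
# 'warn' keeps config and upstream problems without debug noise.
error_log /var/log/nginx/error.log warn;
```

The buffered main log trades up to five seconds of latency for fewer writes; the errors-only log is unbuffered so alerts built on it see events immediately.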

  • Disabling the server_tokens directive in Nginx

The server_tokens directive tells Nginx to display its current version on error pages and in the Server header. This is undesirable: you do not want to share that information with the rest of the world, because it helps attackers target known vulnerabilities in that version. Set server_tokens off inside the server block to disable it, then restart Nginx and test the change.
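The information-disclosure, server-header and server_tokens points combined, as an added example that is not from the original post. more_clear_headers comes from the headers-more module shipped in the nginx-extras package mentioned above; the error-page directory is a placeholder.

```nginx
# Added example (not from the original post). Goes in the http context.
# Drop the version number from the Server header and from Nginx's built-in
# error pages ("Server: nginx" instead of "Server: nginx/1.12.1").
server_tokens off;

# Removing the Server header altogether needs the headers-more module
# (Debian/Ubuntu: package nginx-extras). Without that module this line is
# a config error, so keep it out of builds that lack the module.
more_clear_headers Server;

# Upstream applications leak their own fingerprints; strip them on the way out.
proxy_hide_header X-Powered-By;
proxy_hide_header X-AspNet-Version;

server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/example;              # placeholder

    # Serve your own error pages so the stock page with its "nginx" footer
    # never reaches a client. 'internal' stops direct requests for them.
    error_page 404             /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /404.html { internal; root /var/www/errors; }   # placeholder dir
    location = /50x.html { internal; root /var/www/errors; }
}
```

Verify with `curl -I` against the site: the Server header should be absent, and a request for a missing path should return your own 404 page.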

  • Setting buffer size limitations in Nginx

To prevent buffer overflow attacks against your Nginx web server, create a new file such as /etc/nginx/conf.d/buffer.conf. Putting these directives in a separate file keeps them easy to maintain, and they ensure that requests to your web server cannot overflow its buffers.
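Contents for that buffer.conf, serving both this section and the buffer-overflow section above, as an added example that is not from the original post. The values are conservative starting points, and example.com, the backend address and the upload path are placeholders.

```nginx
# Added example (not from the original post): /etc/nginx/conf.d/buffer.conf.
# Files in conf.d are included inside the http context, so these limits
# apply to every server unless a server or location overrides them.

client_body_buffer_size     16k;   # body kept in memory; larger bodies spill to a temp file
client_header_buffer_size   1k;    # a normal request line plus headers fits in 1k
large_client_header_buffers 2 8k;  # fallback for long cookies/URLs; beyond it Nginx
                                   # answers 414 (request line) or 400 (header field)
client_max_body_size        1m;    # bigger uploads are refused with 413 Request Entity Too Large

# Slow-client timeouts, so half-sent requests cannot hold buffers indefinitely.
client_body_timeout   10s;
client_header_timeout 10s;
keepalive_timeout     15s;
send_timeout          10s;

# A single upload endpoint can raise its own body limit without loosening
# the default for the rest of the site.
server {
    listen 80;
    server_name example.com;             # placeholder
    location /upload {
        client_max_body_size 20m;        # overrides the 1m default for this path only
        proxy_pass http://127.0.0.1:8080; # placeholder backend
    }
}
```

Test with a real form submission after reloading: a 413 or 400 on a legitimate request means a limit is too tight for your application, not that it is under attack.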

  • Limiting the number of IP connections in Nginx

To limit connections by IP, use limit_conn_zone in the http context (at least outside the server block) to define the shared memory zone, and limit_conn in an http, server, or location context to apply the limit. However, remember that not all connections are counted; only those with a request being processed by the server, where the entire request header has already been read, are counted.
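The two directives in place, as an added example that is not from the original post: a per-address zone and a per-host zone, applied at the server level and tightened for one location. The host name and path are placeholders.

```nginx
# Added example (not from the original post). Zones live in the http context.
# $binary_remote_addr is the packed client address (4 bytes for IPv4), so a
# 10 MB zone tracks on the order of 160k distinct clients.
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name        zone=perserver:10m;

server {
    listen 80;
    server_name example.com;          # placeholder

    limit_conn perip 20;              # at most 20 concurrent connections per client address
    limit_conn perserver 1000;        # and 1000 for the whole virtual host
    limit_conn_status 429;            # default is 503; 429 tells clients to back off
    limit_conn_log_level warn;        # rejected connections show up in error.log

    # Large downloads tie up connections longest, so limit them harder and
    # cap the per-connection bandwidth as well. Directives here replace the
    # inherited ones rather than adding to them.
    location /downloads/ {
        limit_conn perip 2;
        limit_rate 500k;
    }
}
```

Behind a reverse proxy or CDN every request carries the proxy's address, so the limit would apply to the proxy as a whole; the real client address must first be restored with the ngx_http_realip_module (set_real_ip_from and real_ip_header).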

This post has covered nearly all of the basic steps you can take to harden your Nginx web server. Leaving the server in its default configuration is not a safe practice, and what we dismiss as a little risk might become a major threat in the future. Stay safe and keep your server safe too!
