Nginx Server Security: Nginx Hardening Guide

Nginx is a lightweight, open-source, robust, high-performance HTTP server and a reverse proxy. It’s the most popular web server, beating Apache and IIS.

Nginx is recognized for its stability, performance, rich feature set, easy configuration, and low resource consumption.

While the default configurations are favoured by most people, they are not secure enough, and extra tweaks are needed to reinforce the web server.

Here, we will look into some actions you can take to strengthen and improve Nginx server security.

Disable Any Unwanted Modules

While installing Nginx, in default it includes many modules. Currently, we cannot choose modules at runtime. To disable specific modules, you need to recompile Nginx.

It is advised to disable any modules that are not used as this will decrease the risk of potential attacks by limiting operations.

Implement SSL Certificate

The primary and essential step in strengthening your Nginx server security is to include an additional layer of protection using an SSL certificate.

The SSL certificate is a digital certificate powered by cryptography that encrypts data traffic between your web server and the web browser. SSL certificate also forces your website to use the secure HTTPS protocol over HTTP, which transmits traffic in plain text.

You can make use of Let’s Encrypt SSL which is free or any certificate according to your preference. There are two additional settings that should be taken care of after you implement a SSL certificate.

Disable weak SSL/TLS protocols

Implementing SSL does not imply that your site is secure. Deprecated versions of SSL such as TLS 1.0, TLS 1.1 are identified as weak, and these protocols are inclined to SSL and TLS vulnerabilities such as POODLE, BEAST, and CRIME.

The most commonly used web browsers like Chrome, Firefox, Safari and Edge no longer support TLS 1.0 and TLS 1.1.

To implement TLS 1.2 and TLS 1.3, we have to edit two configuration files:

  • /etc/nginx/nginx.conf

  • /etc/nginx/sites-available/default

Locate the following line in nginx.conf file

       ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE

   

And, remove TLS versions 1 and 1.1 and add TLS 1.3

        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

   

However, obsolete protocols also may be present in your Nginx server block configuration files. The block configuration files are in the directory /etc/nginx/sites-available/.

Therefore, continue and change your block configuration file as before.

Find the following line

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

   

As before, delete the TLSv1 and TLSv1.1 protocol and add the TLSv1.3.

        ssl_protocols TLSv1.2 TLSv1.3;

   

Disable weak cipher suites

Weak cipher suites may lead to vulnerabilities, and as a secure practice, we must make sure that only strong ciphers are allowed.

Add the following to the server block in the ssl.conf file

        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

   

Exclude Server Headers

The default state of a Nginx server returns something like Server: nginx/1.12.1 in the server response or error pages. The best method is to remove the header completely. For that, we require the installation of nginx-extras.

For Debian/Ubuntu

        sudo apt-get install nginx-extras

   

For RHEL

 
    yum install nginx-plus-module-headers-more

   

After installing and restarting the Nginx service, add the following lines to your nginx.conf file.

 
        # /etc/nginx/nginx.conf
        http {
            # Basic Settings
            more_set_headers 'Server: ';

   

If no value is specified, the header will be displayed empty. We can also create custom headers as given below.

 
        # /etc/nginx/nginx.conf
        http {
            # Basic Settings
            more_set_headers 'Server: Custom Header';

   

To completely disable the server header, find server_token in the Nginx configuration file and set it to server_tokens off (by removing # in the nginx.conf file).

neinx rename

Resource Control

To counter potential DoS attacks on Nginx it’s possible to set buffer size restrictions for all the clients.

These settings also prevent any potential buffer overflow attacks.

Adding the below lines to the nginx.conf file will prevent any such attack.

        ##buffer policy
        client_body_buffer_size 1K;
        client_header_buffer_size 1k;
        client_max_body_size 1k;
        large_client_header_buffers 2 1k;
        ##end buffer policy

   

Disable unsafe HTTP methods

Another sound practice for hardening Nginx server is to disable unsafe HTTP methods. Most of the time, GET, HEAD & POST methods are only used. Allowing TRACE or DELETE is unsafe as it can lead to attacks such as cross-site tracking.

The line below will only permit GET, POST, and HEAD methods and exclude all the other methods including TRACE and DELETE.

Modify nginx.conf and add the following under server block

        if ($request_method !~ ^(GET|HEAD|POST)$ )
        {
        return 405;s
        }

   

Configure Security Headers

For further Nginx hardening, you can add several different HTTP security headers to the server. These HTTP security headers tell the browser how to behave while handling the website content.

I happened to cover an in-depth blog on how you can harden server security by implementing security headers.

Configure and monitor Nginx Logs

Nginx access logs and error logs are enabled by default and are found in logs/error.log and logs/access.log.

We can also specify the logs to be recorded according to their severity level.

Continuously monitoring the Nginx log gives you a better understanding of requests made to your Nginx web server and also helps you to notice any encountered errors. This helps in discovering any attack attempts and also helps in identifying what you should do to optimize the server performance.

Update Nginx Server Regularly

Maintaining your web server up to date is mandatory in order to ensure Nginx server security.

Updating the server on time applies the patches that will address pre-existing vulnerabilities. If left ignored, they can be exploited to compromise your server.

Other than that, several performance enhancements, security fixes, and new features are also being added regularly with every update.

Conclusion

I believe I’ve covered all the fundamental actions that you can take to harden your Nginx web server. Leaving the server in default configuration is not a secure practice to follow and what we neglect as a low risk might become a possible threat in the future.

If you have any thoughts on Nginx server security or would like to ask me a question regarding it, please feel free to leave a comment below. I’d love to help you out!


Avatar
WRITTEN BY
Manieendar Mohan
Security Engineer
Comments

Latest Articles