Nginx is one of the most popular web servers today. It serves 7% of the world's web traffic and is growing at an astonishing rate. It's an amazing server and I'd love to deploy it.
The following is a list of common security pitfalls and solutions that can help ensure that your Nginx deployment is secure.
1. Use "if" carefully in configuration files. It is part of the rewrite module and should not be used everywhere.
"if" is an integral part of how the rewrite module evaluates its directives, whereas the rest of the Nginx configuration is declarative. In some places, at users' request, "if" was also allowed inside non-rewrite directives, which led to the situation we have now: it works fine in most cases, but... see above.
The only correct solution seems to be disabling "if" inside non-rewrite directives entirely. That would break a lot of existing configurations, so it has not been done yet.
2. Forwarding every ~ \.php$ request to PHP. Last week we published an introduction to the potential security vulnerability in this popular directive. Even a file named hello.php.jpeg will match the ~ \.php$ pattern and be executed.
There are now two good ways to solve the problem above. I think it is important to combine both, so that arbitrary code cannot be executed easily.
Use try_files, and only hand the request to the FCGI process running PHP if the file actually exists (something to keep in mind in every dynamic-execution situation); if the file is not found, nothing is passed on.
Confirm that cgi.fix_pathinfo is set to 0 (cgi.fix_pathinfo=0) in php.ini. This makes PHP check the full file name and ignore the request when the name does not end in .php.
Fix the regular expression so it no longer matches the wrong files. The regex now considers any file whose path contains ".php". Adding the guard after the site configuration ensures that only the correct files run: set both location ~ \.php$ and location ~ \..*/.*\.php$ to return 403;
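As an added example (not from the original article), here is the PHP pass-through from item 2 as a weak server block beside a hardened one that applies try_files and the 403 guard; the document root, server names and the 127.0.0.1:9000 upstream are assumed placeholders.

```nginx
# Added example, not from the original article: the PHP pass-through
# from item 2 as a weak server block beside a hardened one.
# Document root, server names and the 127.0.0.1:9000 upstream are assumed.

# --- weak: every URI ending in .php is handed to PHP unchecked ----------
# A request for /uploads/avatar.jpg/x.php matches this location; with
# cgi.fix_pathinfo=1, PHP walks back along the path and runs avatar.jpg.
server {
    listen 80;
    server_name weak.example.test;
    root /var/www/html;

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

# --- hardened: the measures from items 2 to 5 combined ------------------
server {
    listen 80;
    server_name hardened.example.test;
    root /var/www/html;

    server_tokens off;   # item 5: no version string in error pages
    autoindex off;       # item 3: no directory listings
    ssi off;             # item 4: no server-side includes

    # Regex locations are tried in order, so this guard must come first:
    # a .php name below a dotted path component (avatar.jpg/x.php) is refused.
    location ~ \..*/.*\.php$ {
        return 403;
    }

    location ~ \.php$ {
        # Pass the request on only if that exact file exists on disk;
        # otherwise answer 404 before PHP ever sees it.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
# Pair the hardened block with cgi.fix_pathinfo=0 in php.ini so PHP
# itself never searches back along the path for a script to run.
```

The weak block is included only to show what the guard and try_files change; deploy the hardened one.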
3. Disable the autoindex module. This may already be the default in the Nginx version you are using. If not, add the autoindex off; statement in the location block of the configuration file.
4. Disable SSI (server-side includes) on the server. This can be done by adding ssi off; in the location block.
5. Turn off server tokens. When enabled (the default), every error page shows the server version and information. Add the server_tokens off; statement to the Nginx configuration file to fix this.
6. Set custom buffer sizes in the configuration file to limit the scope for buffer overflow attacks.
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
7. Set timeouts low to prevent DoS attacks. All of these directives can be placed in the main configuration file.
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
8. Limit the number of connections per user to prevent DoS attacks.
limit_zone slimits $binary_remote_addr 5m;
limit_conn slimits 5;
9. Try to avoid using HTTP authentication. HTTP authentication uses crypt by default, and its hash is not secure. If you want to use it anyway, use MD5 (not a good choice either, but better than crypt in terms of load).
10. Stay up to date with the latest Nginx security updates.
The above is the detailed content of How to improve nginx security. For more information, please follow other related articles on the PHP Chinese website!
