
Basic security measures for Nginx

WBOY
2023-06-10 17:55:47

Nginx is a powerful web server, reverse proxy server and load balancer. Its high performance and wide range of applications make it the first choice for many Internet companies, sites and applications. However, because of its complexity and popularity, Nginx has also become a frequent target of attacks. To protect our web applications and servers, we need to take some basic Nginx security measures.

1. Enable the firewall

The firewall is the first line of defense for any web application and server; it prevents unauthorized access and attacks. When running Nginx, we recommend using firewall software such as iptables or firewalld and configuring rules that restrict which IP addresses and ports can reach our web applications and servers.

2. Disable unnecessary HTTP methods

Nginx enables all HTTP methods by default, including unsafe methods such as PUT, DELETE and TRACE. An attacker may exploit these methods to perform unauthorized actions, such as uploading malicious files or reading sensitive files. To prevent this, we recommend disabling unnecessary HTTP methods and allowing only the necessary ones, such as GET and POST. The following directive can be used in the Nginx configuration file:

# Inside a server block: reject every method other than GET and POST (HEAD included)
if ($request_method !~ ^(GET|POST)$ ) {
    return 444;
}

This will disable all HTTP methods except GET and POST and return 444, a non-standard Nginx status code that closes the connection without sending a response.

3. Use SSL/TLS encryption

Encrypting traffic with SSL/TLS protects our web applications and servers from data leaks and man-in-the-middle attacks. We can use a free certificate, for example from Let's Encrypt. In the Nginx configuration file, we can configure the following directives to enable SSL:

listen 443 ssl;
ssl_certificate /path/to/cert;
ssl_certificate_key /path/to/key;

This will enable SSL/TLS encryption and specify the paths to the SSL certificate and private key.

4. Limit concurrent connections

An attacker can tie up server resources by sending a large number of requests, making the service unavailable. To prevent this, we can use Nginx's limit_conn module to limit the number of concurrent connections. In the Nginx configuration file, we can configure the following directives:

http {
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

    server {
        limit_conn conn_limit_per_ip 10;
        ...
    }
}

This will limit the number of concurrent connections to 10 per IP address.

5. Hide server version information

An attacker can use server version information to identify versions with known vulnerabilities and then try to exploit them. To prevent this, we can hide the Nginx version information. In the Nginx configuration file, we can configure the following directive:

server_tokens off;

This will hide the server version information in the HTTP response header.
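To check that measures 2 to 5 are actually present in a configuration, the following added example (not code from this article) parses Nginx configuration text and reports, per server block, which of the directives above are missing. The names `audit` and `SAMPLE`, the check labels and the example host names are assumptions made for illustration; the firewall (measure 1) is outside Nginx and is not checked.

```python
import re
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+''')

def parse(tokens):
    """Turn a token iterator into a tree of (name, args, children-or-None)."""
    out, words = [], []
    for tok in tokens:
        if tok == "}":
            break
        if tok in ("{", ";"):
            kids = parse(tokens) if tok == "{" else None
            out.append((words[0] if words else "", words[1:], kids))
            words = []
        else:
            words.append(tok)
    return out

def find(block, name):
    return [args for n, args, _ in block if n == name]  # args of each `name` directive

def audit(text):
    """Return {server_name: [failed checks]} for each server block under http."""
    tree = parse(t for t in TOKEN.findall(text) if not t.startswith("#"))
    report = {}
    for http in (kids for n, _, kids in tree if n == "http"):
        zones = {z[-1][5:].split(":")[0] for z in find(http, "limit_conn_zone") if z}
        for srv in (kids for n, _, kids in http if n == "server"):
            inherit = lambda name: find(srv, name) or find(http, name)  # server overrides http
            ok = {
                "tls_listen": any("ssl" in a for a in find(srv, "listen")),
                "tls_cert": inherit("ssl_certificate") and inherit("ssl_certificate_key"),
                "server_tokens": (inherit("server_tokens") or [["on"]])[-1] == ["off"],
                "limit_conn": any(a and a[0] in zones for a in inherit("limit_conn")),
                "method_filter": any("$request_method" in " ".join(a) for a in find(srv, "if")),
            }
            name = (find(srv, "server_name") or [["_"]])[0][0]
            report[name] = [check for check, passed in ok.items() if not passed]
    return report

# Constructed sample (not from the article): one hardened server, one left at defaults.
SAMPLE = r"""http {
    server_tokens off; limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    server {
        listen 443 ssl; server_name a.example; limit_conn conn_limit_per_ip 10;
        ssl_certificate /path/to/cert; ssl_certificate_key /path/to/key;
        if ($request_method !~ ^(GET|POST)$ ) { return 444; }
    }
    server { listen 80; server_name b.example; server_tokens on; }
}"""
```

`audit(SAMPLE)` returns an empty list for a.example and all five failed checks for b.example. The parser does not follow `include` files and only looks at the http and server levels, so pass it the merged configuration text.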

Summary

Nginx is a powerful web server, reverse proxy server and load balancer. Its high performance and wide range of applications make it the first choice for many Internet companies, sites and applications. However, because of its complexity and popularity, we need to take some basic security measures to protect our web applications and servers. This article introduced some basic Nginx security measures: enabling a firewall, disabling unnecessary HTTP methods, using SSL/TLS encryption, limiting concurrent connections, and hiding server version information. By taking these measures, we can improve the security of our web applications and servers and effectively protect our data and business.
