Home  >  Article  >  Operation and Maintenance  >  High-security configuration and firewall strategy for building Nginx servers

High-security configuration and firewall strategy for building Nginx servers

PHPz
PHPzOriginal
2023-08-04 19:17:041270browse

High-security configuration and firewall strategy for building Nginx servers

With the rapid development of the Internet, server security has received more and more attention. As an efficient and stable web server, Nginx's security configuration also needs our attention. In this article, we will explore how to configure your Nginx server for high security and introduce some firewall strategies.

  1. Use HTTPS protocol

HTTPS is an encrypted transmission protocol based on TLS/SSL protocol, which can ensure the security of data during transmission. To use the HTTPS protocol, you first need to obtain and install an SSL certificate. You can apply for a free SSL certificate from a certificate authority (such as Let's Encrypt) and then configure the certificate into the Nginx server. The following is an example configuration:

server {
   listen 443 ssl;
   server_name example.com;
 
   ssl_certificate /path/to/certificate.pem;
   ssl_certificate_key /path/to/private_key.pem;
 
   # 其他Nginx配置
   ...
}
  1. Use strong passwords and keys

Setting strong passwords and keys on the Nginx server is an important measure to protect the server. You can use the htpasswd command to generate an encrypted password file and reference the file in the Nginx configuration file. The following is an example configuration:

server {
   listen 80;
   server_name example.com;
   
   location / {
      auth_basic "Restricted Access";
      auth_basic_user_file /path/to/htpasswd;
      
      # 其他Nginx配置
      ...
   }
}
  1. Setting Access Restrictions

Restricting access to server resources can reduce the risk of malicious attacks. In the Nginx configuration file, you can use the allow and deny directives to set access restrictions. The following is an example configuration:

server {
   listen 80;
   server_name example.com;
   
   location / {
      deny 192.168.1.0/24;
      deny 10.0.0.0/8;
      allow 192.168.1.100;
      allow 127.0.0.1;
      deny all;
      
      # 其他Nginx配置
      ...
   }
}

The above configuration will deny access to the IP addresses 192.168.1.0/24 and 10.0.0.0/8 network segments, and allow access to the IP addresses 192.168.1.100 and 127.0.0.1 . Other unmatched IP addresses will be denied access.

  1. Using firewall policies

In addition to Nginx configuration, you can also use firewalls to increase server security. For example, you can use the iptables command or the firewalld service to configure firewall rules. The following is an example of setting a firewall policy using the iptables command:

# 允许SSH访问
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# 允许HTTP和HTTPS访问
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# 其他规则
...

# 拒绝所有其他访问
sudo iptables -A INPUT -j DROP

The above configuration will allow SSH, HTTP, and HTTPS access, and deny all other access.

To sum up, by using the HTTPS protocol, setting strong passwords and keys, restricting access and using firewall policies, we can help us improve the security of the Nginx server. Of course, these are just some basic configurations and strategies, and there are actually more security measures that can be implemented. Therefore, we should maintain continuous attention to server security and promptly update and optimize related configurations and policies to ensure the security and reliability of the server.

The above is the detailed content of High-security configuration and firewall strategy for building Nginx servers. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn