Good content takes time and effort to come up with.
Please consider supporting us by just disabling your AD BLOCKER and reloading this page again.
NGINX Security Best Practices & Optimization
29th April 2020
3 mins read
Share On
As the technologies are growing fast so does the basic security needs for the website too. In this article, you will learn the simple techniques for securing your NGINX web server & optimizing for best performance.
Prerequisites
I hope you have installed NGINX in your server to carry out the following settings. Don't worry if you don't know to install NGINX I have written a whole article on it How To Install NGINX In Linux / Ubuntu Package Manager & Manage It.
Basically your NGINX configuration file will be in the following path for Ubuntu/Linux distros
Main NGINX Conf File - /etc/nginx/nginx.conf
NGINX Website Available Conf File - /etc/nginx/sites-available/default your's might be different
NGINX Website Enabled Conf File - /etc/nginx/sites-enabled/default
Note: Also when you make changes to nginx.conf or website conf file don't forget to reload your NGINX server
1) Security - Disable NGINX Version
Now go to your nginx.conf file find for server_tokens and do the following settings.
This enables or disables emitting NGINX version on error pages and in the Server response header field.
server_tokens off
2) Security - Don't Use Obsolete Protocols
I highly recommend to disable and remove the following Protocols from /etc/nginx/nginx.conf file
Disable - SSLv3, TLSv1.0, TLSv1.1
Instead, enable the following
Enable - TLSv1.2, TLSv1.3
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
Disable Protocols In Certbot (Lets Encrypt)
If using Certbot for SSL certificate generation then you will have something like the following in /etc/nginx/sites-available/default website NGINX configuration
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
Go to that particular path ie /etc/letsencrypt/options-ssl-nginx.conf and make sure to look for ssl_protocols and replace with the following code snippet
ssl_protocols TLSv1.2 TLSv1.3;
3) Security - Diffie Hellman key exchange (ssl-dhparams.pem)
DH Key Exchange is a method to securely exchanging cryptographic keys over a public channel.
If you have installed SSL certificate with Certbot (Lets Encrypt) then it will be default managed by Certbot & you will have the following line of code in your /etc/nginx/sites-available/default file
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
If you have not installed by Certbot then kindly check with your SSL provider and place them accordingly.
4) Security - Prevent ClickJacking Attack
Don't allow the browser to render the page inside a frame or iframe in /etc/nginx/sites-available/default
add_header X-Frame-Options SAMEORIGIN; #ALLOW_FROM option available
5) Security - Prevent XSS Protection
This header enables the Cross-site scripting (XSS) filter built into most recent web browsers in /etc/nginx/sites-available/default
add_header X-XSS-Protection "1; mode=block";
6) Security - Prevent Form Content Sniffing
when serving user-supplied content, include a X-Content-Type-Options: nosniff to disable content-type sniffing on some browsers in /etc/nginx/sites-available/default
add_header X-Content-Type-Options nosniff;
7) Optimization - Worker Processes - Auto
For the best optimal solution keep work_processes to auto in /etc/nginx/nginx.conf
worker_processes auto;
8) Optimization - Enable GZIP Compression
Enable gzip compression in your server so that the contents can be delivered faster /etc/nginx/nginx.conf
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 8;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
9) Optimization -Turn Off Access Log
Turn off your access_log unless you have some specific reason to keep in on. Just keep error_log enabled like the following in /etc/nginx/nginx.conf
access_log off;
error_log /var/log/nginx/error.log;
10) Optimization - Worker Connections
Take the maximum benefit of the worker_connection by default you have 768. But you need to set based on the server
You can check the number of worker connections with the following command
ulimit -n
Since I got 1024 I changed my settings to 1024 in /etc/nginx/nginx.conf
events {
worker_connections 1024;
}
11) Optimization - Enable HTTP2
Enabling HTTP2 is very simple and can be achieved by modifying the following line in /etc/nginx/sites-available/default
listen 443 ssl http2;
12) Security - Inbuilt Security Against DDOS Attacks
Use inbuilt security against DDOS attacks. For more on DDOS attacks please use the following link
Conclusion
Being said the above connections work best for certain scenarios, so be cautious while changing.
Articles For You
Create Gmail App Password For SMTP Mails
SummerNote WYSIWYG Text Editor Save Images To Public Path In PHP Laravel
Upload File From Frontend Server {GuzzleHttp} To REST API Server In PHP {Laravel}
Install Apache Web Server On Ubuntu 20.04 / Linux & Manage It
Multiple GIT Key Pairs Or Account In The Same Computer
Proper Way To Validate MIME Type Of Files While Handling File Uploads In PHP
Plain PHP Resumable Large File Uploads In Chunks Using FlowJs
PHP file_put_contents failed to open stream: Permission denied
Google reCAPTCHA Integration In PHP Laravel Forms
Search Engine Optimization Concepts
