Good content takes time and effort to come up with.

Please consider supporting us by just disabling your AD BLOCKER and reloading this page again.







NGINX Security Best Practices & Optimization


Share On     Share On WhatsApp     Share On LinkedIn


As the technologies are growing fast so does the basic security needs for the website too. In this article, you will learn the simple techniques for securing your NGINX web server & optimizing for best performance.


Prerequisites


I hope you have installed NGINX in your server to carry out the following settings. Don't worry if you don't know to install NGINX I have written a whole article on it How To Install NGINX In Linux / Ubuntu Package Manager & Manage It.


Basically your NGINX configuration file will be in the following path for Ubuntu/Linux distros


Main NGINX Conf File - /etc/nginx/nginx.conf

NGINX Website Available Conf File - /etc/nginx/sites-available/default your's might be different

NGINX Website Enabled Conf File - /etc/nginx/sites-enabled/default


Note: Also when you make changes to nginx.conf or website conf file don't forget to reload your NGINX server

1) Security - Disable NGINX Version


Now go to your nginx.conf file find for server_tokens and do the following settings.


This enables or disables emitting NGINX version on error pages and in the Server response header field.


server_tokens off

2) Security - Don't Use Obsolete Protocols


I highly recommend to disable and remove the following Protocols from /etc/nginx/nginx.conf file


Disable - SSLv3, TLSv1.0, TLSv1.1


Instead, enable the following


Enable - TLSv1.2, TLSv1.3


ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;



Disable Protocols In Certbot (Lets Encrypt)


If using Certbot for SSL certificate generation then you will have something like the following in /etc/nginx/sites-available/default website NGINX configuration


include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot


Go to that particular path ie /etc/letsencrypt/options-ssl-nginx.conf and make sure to look for ssl_protocols and replace with the following code snippet


ssl_protocols TLSv1.2 TLSv1.3;

3) Security - Diffie Hellman key exchange (ssl-dhparams.pem)


DH Key Exchange is a method to securely exchanging cryptographic keys over a public channel.


If you have installed SSL certificate with Certbot (Lets Encrypt) then it will be default managed by Certbot & you will have the following line of code in your /etc/nginx/sites-available/default file


ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


If you have not installed by Certbot then kindly check with your SSL provider and place them accordingly.



4) Security - Prevent ClickJacking Attack


Don't allow the browser to render the page inside a frame or iframe in /etc/nginx/sites-available/default


add_header X-Frame-Options SAMEORIGIN; #ALLOW_FROM option available

5) Security - Prevent XSS Protection


This header enables the Cross-site scripting (XSS) filter built into most recent web browsers in /etc/nginx/sites-available/default


add_header X-XSS-Protection "1; mode=block";



6) Security - Prevent Form Content Sniffing


when serving user-supplied content, include a X-Content-Type-Options: nosniff to disable content-type sniffing on some browsers in /etc/nginx/sites-available/default


add_header X-Content-Type-Options nosniff;



7) Optimization - Worker Processes - Auto


For the best optimal solution keep work_processes to auto in /etc/nginx/nginx.conf


worker_processes auto;

8) Optimization - Enable GZIP Compression


Enable gzip compression in your server so that the contents can be delivered faster /etc/nginx/nginx.conf


gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 8;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;



9) Optimization -Turn Off Access Log


Turn off your access_log unless you have some specific reason to keep in on. Just keep error_log enabled like the following in /etc/nginx/nginx.conf


access_log off;
error_log /var/log/nginx/error.log;



10) Optimization - Worker Connections


Take the maximum benefit of the worker_connection by default you have 768. But you need to set based on the server


You can check the number of worker connections with the following command


ulimit -n


Since I got 1024 I changed my settings to 1024 in /etc/nginx/nginx.conf


events {
	worker_connections 1024;
}



11) Optimization - Enable HTTP2


Enabling HTTP2 is very simple and can be achieved by modifying the following line in /etc/nginx/sites-available/default


listen 443 ssl http2;

12) Security - Inbuilt Security Against DDOS Attacks


Use inbuilt security against DDOS attacks. For more on DDOS attacks please use the following link

NGINX DDOS ATTACKS.


Conclusion


Being said the above connections work best for certain scenarios, so be cautious while changing.







Author Image
AUTHOR

Channaveer Hakari

I am a full-stack developer working at WifiDabba India Pvt Ltd. I started this blog so that I can share my knowledge and enhance my skills with constant learning.

Never stop learning. If you stop learning, you stop growing