Good content takes time and effort to come up with.

Please consider supporting us by just disabling your AD BLOCKER and reloading this page again.

NGINX Security Best Practices & Optimization

29th April 2020 3 mins read

Share On

As the technologies are growing fast so does the basic security needs for the website too. In this article, you will learn the simple techniques for securing your NGINX web server & optimizing for best performance.

Prerequisites

I hope you have installed NGINX in your server to carry out the following settings. Don't worry if you don't know to install NGINX I have written a whole article on it How To Install NGINX In Linux / Ubuntu Package Manager & Manage It.

Basically your NGINX configuration file will be in the following path for Ubuntu/Linux distros

Main NGINX Conf File - /etc/nginx/nginx.conf

NGINX Website Available Conf File - /etc/nginx/sites-available/default your's might be different

NGINX Website Enabled Conf File - /etc/nginx/sites-enabled/default

Note: Also when you make changes to nginx.conf or website conf file don't forget to reload your NGINX server

1) Security - Disable NGINX Version

Now go to your nginx.conf file find for server_tokens and do the following settings.

This enables or disables emitting NGINX version on error pages and in the Server response header field.

server_tokens off

2) Security - Don't Use Obsolete Protocols

I highly recommend to disable and remove the following Protocols from /etc/nginx/nginx.conf file

Disable - SSLv3, TLSv1.0, TLSv1.1

Instead, enable the following

Enable - TLSv1.2, TLSv1.3

ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

Disable Protocols In Certbot (Lets Encrypt)

If using Certbot for SSL certificate generation then you will have something like the following in /etc/nginx/sites-available/default website NGINX configuration

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

Go to that particular path ie /etc/letsencrypt/options-ssl-nginx.conf and make sure to look for ssl_protocols and replace with the following code snippet

ssl_protocols TLSv1.2 TLSv1.3;

3) Security - Diffie Hellman key exchange (ssl-dhparams.pem)

DH Key Exchange is a method to securely exchanging cryptographic keys over a public channel.

If you have installed SSL certificate with Certbot (Lets Encrypt) then it will be default managed by Certbot & you will have the following line of code in your /etc/nginx/sites-available/default file

ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

If you have not installed by Certbot then kindly check with your SSL provider and place them accordingly.

4) Security - Prevent ClickJacking Attack

Don't allow the browser to render the page inside a frame or iframe in /etc/nginx/sites-available/default

add_header X-Frame-Options SAMEORIGIN; #ALLOW_FROM option available

5) Security - Prevent XSS Protection

This header enables the Cross-site scripting (XSS) filter built into most recent web browsers in /etc/nginx/sites-available/default

add_header X-XSS-Protection "1; mode=block";

6) Security - Prevent Form Content Sniffing

when serving user-supplied content, include a X-Content-Type-Options: nosniff to disable content-type sniffing on some browsers in /etc/nginx/sites-available/default

add_header X-Content-Type-Options nosniff;

7) Optimization - Worker Processes - Auto

For the best optimal solution keep work_processes to auto in /etc/nginx/nginx.conf

worker_processes auto;

8) Optimization - Enable GZIP Compression

Enable gzip compression in your server so that the contents can be delivered faster /etc/nginx/nginx.conf

gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 8;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

9) Optimization -Turn Off `Access Log`

Turn off your access_log unless you have some specific reason to keep in on. Just keep error_log enabled like the following in /etc/nginx/nginx.conf

access_log off;
error_log /var/log/nginx/error.log;

10) Optimization - Worker Connections

Take the maximum benefit of the worker_connection by default you have 768. But you need to set based on the server

You can check the number of worker connections with the following command

ulimit -n

Since I got 1024 I changed my settings to 1024 in /etc/nginx/nginx.conf

events {
	worker_connections 1024;
}

11) Optimization - Enable HTTP2

Enabling HTTP2 is very simple and can be achieved by modifying the following line in /etc/nginx/sites-available/default

listen 443 ssl http2;

12) Security - Inbuilt Security Against DDOS Attacks

Use inbuilt security against DDOS attacks. For more on DDOS attacks please use the following link

NGINX DDOS ATTACKS.

Conclusion

Being said the above connections work best for certain scenarios, so be cautious while changing.

Articles For You

Generate Sitemap in PHP Laravel

Cache Static Files With NGINX Server

Generate SSH Key with ssh-keygen In Linux / Unix

Getting Started With AMP (Accelerated Mobile Pages)

Global Data In All Laravel Blade Pages

Composer Install v/s Composer Update

Setup AMP (Accelerated Mobile Pages) In PHP Laravel

Laravel 7.x Multiple Database Connections, Migrations, Relationships & Querying

TRUNCATE vs DELETE In MySQL

Automate Repeating Tasks In Linux Server With Cronjobs

Add Google ADS In AMP (Accelerated Mobile Pages) Website

Route Model Binding In Laravel & Change Default Column id To Another Column

Laravel Custom Maintenance Page

Multiple GIT Key Pairs Or Account In The Same Computer

Factories To Speed Up Test-Driven Development In Laravel

AUTHOR

Channaveer Hakari

I am a full-stack developer working at WifiDabba India Pvt Ltd. I started this blog so that I can share my knowledge and enhance my skills with constant learning.

Never stop learning. If you stop learning, you stop growing