
Good content takes time and effort to come up with.
Please consider supporting us by just disabling your AD BLOCKER and reloading this page again.
As the technologies are growing fast so does the basic security needs for the website too. In this article, you will learn the simple techniques for securing your NGINX web server & optimizing for best performance.
I hope you have installed NGINX in your server to carry out the following settings. Don't worry if you don't know to install NGINX I have written a whole article on it How To Install NGINX In Linux / Ubuntu Package Manager & Manage It.
Basically your NGINX configuration file will be in the following path for Ubuntu/Linux distros
Main NGINX Conf File - /etc/nginx/nginx.conf
NGINX Website Available Conf File - /etc/nginx/sites-available/default
your's might be different
NGINX Website Enabled Conf File - /etc/nginx/sites-enabled/default
Note: Also when you make changes to nginx.conf or website conf file don't forget to reload your NGINX server
Now go to your nginx.conf
file find for server_tokens
and do the following settings.
This enables or disables emitting NGINX version on error pages and in the Server response header field.
server_tokens off
I highly recommend to disable and remove the following Protocols from /etc/nginx/nginx.conf
file
Disable - SSLv3, TLSv1.0, TLSv1.1
Instead, enable the following
Enable - TLSv1.2, TLSv1.3
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
If using Certbot for SSL certificate generation then you will have something like the following in /etc/nginx/sites-available/default
website NGINX configuration
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
Go to that particular path ie /etc/letsencrypt/options-ssl-nginx.conf
and make sure to look for ssl_protocols
and replace with the following code snippet
ssl_protocols TLSv1.2 TLSv1.3;
DH Key Exchange is a method to securely exchanging cryptographic keys over a public channel.
If you have installed SSL certificate with Certbot (Lets Encrypt) then it will be default managed by Certbot & you will have the following line of code in your /etc/nginx/sites-available/default
file
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
If you have not installed by Certbot
then kindly check with your SSL provider and place them accordingly.
Don't allow the browser to render the page inside a frame or iframe in /etc/nginx/sites-available/default
add_header X-Frame-Options SAMEORIGIN; #ALLOW_FROM option available
This header enables the Cross-site scripting (XSS) filter built into most recent web browsers in /etc/nginx/sites-available/default
add_header X-XSS-Protection "1; mode=block";
when serving user-supplied content, include a X-Content-Type-Options: nosniff to disable content-type sniffing on some browsers in /etc/nginx/sites-available/default
add_header X-Content-Type-Options nosniff;
For the best optimal solution keep work_processes
to auto
in /etc/nginx/nginx.conf
worker_processes auto;
Enable gzip compression in your server so that the contents can be delivered faster /etc/nginx/nginx.conf
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 8;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
Access Log
Turn off your access_log
unless you have some specific reason to keep in on. Just keep error_log
enabled like the following in /etc/nginx/nginx.conf
access_log off;
error_log /var/log/nginx/error.log;
Take the maximum benefit of the worker_connection
by default you have 768
. But you need to set based on the server
You can check the number of worker connections with the following command
ulimit -n
Since I got 1024
I changed my settings to 1024 in /etc/nginx/nginx.conf
events {
worker_connections 1024;
}
Enabling HTTP2 is very simple and can be achieved by modifying the following line in /etc/nginx/sites-available/default
listen 443 ssl http2;
Use inbuilt security against DDOS attacks. For more on DDOS attacks please use the following link
Being said the above connections work best for certain scenarios, so be cautious while changing.
Create Gmail App Password For SMTP Mails
SummerNote WYSIWYG Text Editor Save Images To Public Path In PHP Laravel
Upload File From Frontend Server {GuzzleHttp} To REST API Server In PHP {Laravel}
Install Apache Web Server On Ubuntu 20.04 / Linux & Manage It
Multiple GIT Key Pairs Or Account In The Same Computer
Proper Way To Validate MIME Type Of Files While Handling File Uploads In PHP
Plain PHP Resumable Large File Uploads In Chunks Using FlowJs
PHP file_put_contents failed to open stream: Permission denied
Google reCAPTCHA Integration In PHP Laravel Forms
Search Engine Optimization Concepts