Hardening NGINX Webserver.



1) Installing Nginx Web Server


Nginx is a high-performance web server. It is more flexible and lightweight than the Apache web server, and because of its performance and load-balancing capabilities many heavy-traffic websites, WordPress.com among them, now run on Nginx.

First of all we have to install the EPEL repository on our Server.

~]# yum install epel-release
With the EPEL repository in place, install Nginx with the yum command below.

~]# yum install nginx
Start Nginx and enable it so that it also starts after a system reboot.

~]# systemctl start nginx
~]# systemctl enable nginx
Add the HTTP and HTTPS services to the firewall and reload it (the reload needs the --reload flag).

~]# firewall-cmd --permanent --zone=public --add-service=http
~]# firewall-cmd --permanent --zone=public --add-service=https
~]# firewall-cmd --reload
Verify that Nginx is installed properly by pointing a web browser at the server's IP address or hostname, i.e. http://server_domain_name_or_IP/

If everything is correct you will see the default Nginx test page shown below.


The main configuration file of Nginx is /etc/nginx/nginx.conf.

The image below shows a server block. Inside it you set the server name (server_name), the port on which Nginx listens (listen) and the root directory of the web server (root), where you put the index file and the site's content.


2) Hardening Nginx Webserver.


i)  Setting server tokens off.

By default, every error page Nginx serves, and the Server header on every response, includes the Nginx version number.
It is not good practice to reveal the type and version of the web server your website runs on.
An attacker can match that version against the list of known vulnerabilities and go straight to an exploit for it, so advertising it makes reconnaissance easier. Hiding the version does not fix any vulnerability, it only stops announcing it, so keep the server patched as well.

Below is a screenshot of the default error page, which shows the web server version.

To avoid this, set the server_tokens off; directive in the http block of the Nginx configuration file.

After adding this directive an error page (and the Server header) still identifies the server as "nginx", but without the version number, and the user gets the page below instead.





    ii)  Setting autoindex off.

      If autoindex is on for a directory that has no index file, users can browse the directory listing, as in the image below.

 Showing directory listings is not good practice: it reveals file names, backups and other content you never linked to. autoindex is off by default, but if it has been enabled anywhere in the configuration (it is valid in the http, server and location blocks), turn it off by adding:
  
                              autoindex  off;

After adding this directive a request for a directory without an index file returns 403 Forbidden instead of a listing.
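To check both settings from outside the server, here is an added example in Python 3 (it is not code from the original page). It inspects the Server header and body of an error page for a version string and recognises the "Index of /..." page produced by autoindex. The sample responses at the bottom are constructed to match the HTML stock Nginx emits, not captured from a real host, and the host, port and /images/ directory used by the live probe are assumptions.

```python
"""Audit a host for the two hardening points above: version disclosure
(server_tokens) and directory listings (autoindex).  Added example."""
import re
import http.client

# "nginx/1.20.1" appears in the Server header and the error-page footer
# while server_tokens is on; with it off only the bare word "nginx" remains.
VERSION_RE = re.compile(r"\bnginx/(\d+(?:\.\d+)+)")
# The autoindex module titles its listing "Index of <path>".
AUTOINDEX_RE = re.compile(r"<title>Index of /", re.IGNORECASE)


def disclosed_version(server_header, body):
    """Return the version string leaked via header or body, else None."""
    for text in (server_header or "", body or ""):
        m = VERSION_RE.search(text)
        if m:
            return m.group(1)
    return None


def is_autoindex_listing(status, body):
    """True if the response looks like an nginx directory listing."""
    return status == 200 and AUTOINDEX_RE.search(body or "") is not None


def audit_responses(error_resp, dir_resp):
    """Combine both checks into one report.
    Each response is a (status, server_header, body) tuple."""
    e_status, e_server, e_body = error_resp
    d_status, d_server, d_body = dir_resp
    return {
        "version_leak": disclosed_version(e_server, e_body)
        or disclosed_version(d_server, d_body),
        "autoindex": is_autoindex_listing(d_status, d_body),
    }


def fetch(host, port, path, timeout=5):
    """GET one path and return (status, server_header, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return (resp.status, resp.getheader("Server"),
                resp.read().decode("utf-8", "replace"))
    finally:
        conn.close()


def audit_host(host, port=80, directory="/images/"):
    """Live probe (assumed host/port/directory): an unlikely path forces a
    404 error page, the directory request tests autoindex."""
    return audit_responses(
        fetch(host, port, "/hardening-probe-does-not-exist"),
        fetch(host, port, directory),
    )


# Constructed samples in the format stock nginx emits (not real captures).
NOT_FOUND_TOKENS_ON = (404, "nginx/1.20.1",
    "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n"
    "<center><h1>404 Not Found</h1></center>\r\n"
    "<hr><center>nginx/1.20.1</center>\r\n</body>\r\n</html>\r\n")
NOT_FOUND_TOKENS_OFF = (404, "nginx",
    NOT_FOUND_TOKENS_ON[2].replace("nginx/1.20.1", "nginx"))
LISTING_AUTOINDEX_ON = (200, "nginx",
    "<html>\r\n<head><title>Index of /images/</title></head>\r\n<body>\r\n"
    "<h1>Index of /images/</h1><hr><pre><a href=\"../\">../</a>\r\n"
    "<a href=\"logo.png\">logo.png</a>   01-Jan-2020 00:00   1234\r\n"
    "</pre><hr></body>\r\n</html>\r\n")
FORBIDDEN_AUTOINDEX_OFF = (403, "nginx",
    "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n"
    "<center><h1>403 Forbidden</h1></center>\r\n"
    "<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n")

if __name__ == "__main__":
    print("before hardening:", audit_responses(NOT_FOUND_TOKENS_ON, LISTING_AUTOINDEX_ON))
    print("after hardening: ", audit_responses(NOT_FOUND_TOKENS_OFF, FORBIDDEN_AUTOINDEX_OFF))
```

Run audit_host("your-server") against a live box after changing the configuration; the report should read version_leak None and autoindex False. Note that stock Nginx keeps the product name "nginx" even with server_tokens off, so the check looks for the version number only.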


iii)  Some advanced hardening / security directives.

You can add some of the directives below to your web server, depending on its requirements.
They go inside the http block (the core module context) of the Nginx configuration file. Nginx has no "httpd" module; that name belongs to Apache.

1) The access log can be disabled for performance, since Nginx writes log files directly instead of going through syslog. On a hardened server, however, the access log is usually the only record of who requested what, so think carefully before discarding it; buffered logging (the buffer= parameter of access_log) gives most of the performance gain while keeping the data for incident response.

       access_log off ; 

2)  sendfile serves a static file by copying it from the file descriptor to the socket inside the kernel (the sendfile() system call), instead of reading it into user space and writing it back out.

        sendfile        on; 

3) Enable the open file cache, which caches open file descriptors together with file sizes, modification times and directory lookups:
     max = maximum number of entries in the cache
     inactive = an entry that is not accessed for this long is removed from the cache.

        open_file_cache           max=1000 inactive=10m;

4) Re-validate cached entries against the file system every minute:

        open_file_cache_valid     1m;

5) An entry stays in the cache only if the file is accessed at least 3 times within the inactive interval defined above:

        open_file_cache_min_uses  3;

6)  Cache lookup errors such as 'file not found' as well (a file created after a failed lookup stays invisible until the cached error expires):
        
       open_file_cache_errors    on;

7)  Maximum size of a request body (for example a POST or an upload); a larger request is rejected with 413 Request Entity Too Large, which limits what an attacker can push at an upload handler:
        
       client_max_body_size    10m;

8) Older guides, including the original version of this one, preferred RC4 because it is cheap on the CPU (RC4:HIGH:!aNULL:!MD5:!kEDH). Do not do that: RC4 is cryptographically broken and its use in TLS is prohibited by RFC 7465, while AES-GCM and ChaCha20-Poly1305 are hardware-accelerated on modern CPUs. Use a modern ECDHE cipher list instead (these suites only negotiate under TLS 1.2 or later; also set ssl_protocols to TLSv1.2 and TLSv1.3 so that older protocol versions are refused outright):

      ssl_ciphers             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
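Below is an added example of a complete nginx.conf that puts the directives from this section, and the two from section 2, in the blocks where they belong, with the access log kept (buffered) and the TLS settings corrected. It is not configuration from the original page; the server name, certificate paths, document root and log paths are assumptions, and the stock mime.types include is used as shipped with the package.

```nginx
# Added example: hardened nginx.conf assembled from the directives above.
# Hostname, paths and certificate locations are assumptions.
events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;

    server_tokens off;                      # section i: no version in headers or error pages

    # Keep the access log for incident response; buffer it instead of turning it off.
    # "combined" is a predefined log format, so no log_format line is needed.
    access_log /var/log/nginx/access.log combined buffer=32k flush=1m;
    error_log  /var/log/nginx/error.log warn;

    sendfile on;                            # in-kernel file-to-socket copy for static files

    open_file_cache           max=1000 inactive=10m;
    open_file_cache_valid     1m;
    open_file_cache_min_uses  3;
    open_file_cache_errors    on;

    client_max_body_size 10m;               # larger request bodies are answered with 413

    # Modern TLS only: no RC4, no TLS 1.0/1.1, forward-secret AEAD suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;          # let modern clients pick; all listed suites are strong
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    server {
        listen 443 ssl;
        server_name www.example.com;        # assumption
        ssl_certificate     /etc/pki/nginx/server.crt;          # assumption
        ssl_certificate_key /etc/pki/nginx/private/server.key;  # assumption
        root /usr/share/nginx/html;

        autoindex off;                      # section ii: no directory listings

        location / {
            try_files $uri $uri/ =404;
        }
    }

    # Plain HTTP only redirects to HTTPS.
    server {
        listen 80;
        server_name www.example.com;        # assumption
        return 301 https://$host$request_uri;
    }
}
```

Run nginx -t after editing to check the syntax before reloading, and confirm with a TLS scanner or openssl s_client that RC4 and TLS 1.0/1.1 are no longer offered.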


For tuning Nginx for high traffic loads, also see the link below.

http://blog.martinfjordvald.com/2011/04/optimizing-nginx-for-high-traffic-loads/






