The Complete Magazine on Open Source

Basic tips for security in NGINX

As software gets more popular, it attracts more unwanted attention from hackers and ill-doers. Suffice it to say, if you don’t take proper measures to secure your website, it will get attacked, and that will result in unwanted scenarios. One of the most widely used web servers today is NGINX, so this article focuses on security in NGINX. But to understand security in NGINX, you must first understand what NGINX actually is.

What is NGINX?

NGINX is a free and open source web server that runs on different operating systems, including, but not limited to, Linux, Windows and OS X. It was created in 2002 by Igor Sysoev and today it’s considered one of the best web servers out there. It has a lot of features. For experts, a lot of features means lots of possibilities, but for newbies they are overwhelming and hard to set up. The part of NGINX most overlooked by beginners is its security. NGINX should be properly secured, and since that is not easy for beginners, we decided to show you how to do it with some basic tips. For demonstration purposes, we will be using an Ubuntu VPS by RoseHosting, but these settings, with a few modifications, should work in any other environment.

How to secure NGINX

There are 7 basic modifications you can do to secure your NGINX, and they are fairly easy to do since you can just copy and paste them from this article.

1. Always keep your OS and NGINX up-to-date

You should frequently update your OS since most of the updates are security updates. Of course, you should update NGINX no matter what, but you should also update your other software, because NGINX may still use it. Instead of updating everything one by one, you can update your whole OS and all its packages by running these 2 simple commands in a terminal:

apt-get update

apt-get upgrade

Before updating, be sure to save all your data and make a backup, in case anything goes wrong.

2. Hide your NGINX version

It’s the right thing to do, as the first thing hackers do is look for the version of NGINX you are using, and then they find an exploit based on that version. To hide the NGINX version you are using, add the following line to your NGINX configuration file (nginx.conf):

server_tokens off;

After this edit to nginx.conf, your version of NGINX won’t be displayed in error messages or in the Server response header field.

3. Disable any unwanted HTTP methods

You should only allow GET, HEAD and POST HTTP requests in your website application. You should block TRACE and DELETE. To do so, add the following lines under your respective Nginx server block:

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

Now, when someone tries to use TRACE or DELETE in your web app, they will get a ‘405 Not Allowed’ response.

4. Block common SQL injections

SQL injection is the most used method of attacking a website. With a SQL injection, an attacker can read or even edit your database. To block common SQL injections, add the following code to the respective Nginx server block:

## Block SQL injections
set $block_sql_injections 0;
if ($query_string ~ "union.*select.*\(") {
    set $block_sql_injections 1;
}
if ($query_string ~ "union.*all.*select.*") {
    set $block_sql_injections 1;
}
if ($query_string ~ "concat.*\(") {
    set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
    return 403;
}

5. Block common file injections

File injections can be used by an attacker to gain direct access to the directory where your website files reside. To block the most common file injections in NGINX, add the following block of code to the corresponding Nginx server block:

## Block file injections
set $block_file_injections 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
    set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
    set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
    set $block_file_injections 1;
}
if ($block_file_injections = 1) {
    return 403;
}

6. Block common exploits

Hackers frequently reuse the same popular, common exploits. You can block these malicious requests by returning a 403 error code when they are attempted. To do so, add the following block to your Nginx configuration file in the respective server block:

## Block common exploits
set $block_common_exploits 0;
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
    set $block_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
    set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
    set $block_common_exploits 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
    set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
    return 403;
}
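
The rules in steps 4 to 6 are plain regular expressions applied to the query string, so they can be exercised offline before they go live. The script below is an added example, not part of the original article: it replays the same expressions with grep -E over constructed query strings (the function names and samples are assumptions) and shows a legitimate search that receives a 403, as well as the case sensitivity of the ~ operator.

```sh
#!/bin/sh
# Added example: replay the article's query-string rules offline with grep -E.
# The patterns are copied from steps 4-6 ("\%" is written as "%", same meaning).
RULES='union.*select.*\(
union.*all.*select.*
concat.*\(
[a-zA-Z0-9_]=http://
[a-zA-Z0-9_]=(\.\.//?)+
[a-zA-Z0-9_]=/([a-z0-9_.]//?)+
(<|%3C).*script.*(>|%3E)
GLOBALS(=|\[|%[0-9A-Z]{0,2})
_REQUEST(=|\[|%[0-9A-Z]{0,2})
base64_(en|de)code\(.*\)'

# Print the first rule that matches query string $1 (nothing if none does).
# grep -E is case-sensitive by default, like the "~" operator used in the rules.
first_match() {
    printf '%s\n' "$RULES" | while IFS= read -r re; do
        if printf '%s\n' "$1" | grep -Eq -e "$re"; then
            printf '%s\n' "$re"
            break
        fi
    done
}

# Status code the server block would return for query string $1.
verdict() {
    if [ -n "$(first_match "$1")" ]; then echo 403; else echo 200; fi
}

# Constructed sample query strings, one per line.
SAMPLES='q=nginx&page=2
id=1%20union%20select%20version()
q=student+union+hall+selection
id=1%20UNION%20SELECT%20version()'

printf '%s\n' "$SAMPLES" | while IFS= read -r qs; do
    printf '%s  %s\n' "$(verdict "$qs")" "$qs"
done
```

For case-insensitive matching nginx provides the ~* operator. Whichever operator is used, these filters complement parameterized queries and input validation in the application rather than replace them.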

7. Include an X-Frame-Options header

This could prevent click-jacking attacks by stopping a web browser from rendering the web page inside a frame or iframe on another website. To do that, add this line of code under your ‘server’ section in your NGINX configuration file:

add_header X-Frame-Options SAMEORIGIN;

Before applying these 7 changes you’ve made, you should test the configuration file by running this command in a terminal:

# /usr/local/nginx/sbin/nginx -t

If everything is okay, you should receive a message like this one:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

For the changes to take effect, you should restart the NGINX service by running this command in a terminal:

# service nginx restart
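
Once NGINX has restarted, the effect of steps 2 and 7 can be confirmed from the response headers. The script below is an added example, not part of the original article: it audits a header dump such as the one printed by `curl -sI`, using constructed sample responses (the function name, finding labels and sample values are assumptions).

```sh
#!/bin/sh
# Added example: audit a response header dump (as printed by `curl -sI URL`)
# for the effects of step 2 (server_tokens off) and step 7 (X-Frame-Options).
# Reads headers on stdin; prints space-separated findings, or OK.
audit_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    server=$(printf '%s\n' "$hdrs" | sed -n 's/^server:[[:space:]]*//p' | head -n 1)
    xfo=$(printf '%s\n' "$hdrs" | sed -n 's/^x-frame-options:[[:space:]]*//p' | head -n 1)
    findings=""
    case "$server" in
        *[0-9].[0-9]*) findings="version-leak" ;;   # e.g. "nginx/1.18.0"
    esac
    case "$xfo" in
        sameorigin|deny) ;;
        "") findings="$findings missing-x-frame-options" ;;
        *)  findings="$findings unexpected-x-frame-options" ;;
    esac
    findings=${findings# }
    printf '%s\n' "${findings:-OK}"
}

# Constructed responses (version number and header values are made up).
BEFORE=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nContent-Type: text/html\r\n')
AFTER=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: SAMEORIGIN\r\n')
ERR405=$(printf 'HTTP/1.1 405 Not Allowed\r\nServer: nginx\r\nContent-Type: text/html\r\n')

for sample in "$BEFORE" "$AFTER" "$ERR405"; do
    printf '%s\n' "$sample" | audit_headers
done
```

The third sample reflects documented nginx behaviour: without the `always` parameter, add_header is applied only to a fixed list of success and redirect status codes, so the 403 and 405 responses produced by the earlier steps do not carry X-Frame-Options.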

And that’s it. By following these 7 simple steps, you have secured your NGINX and the websites hosted on your virtual server.

You should still be aware of what you are doing and learn more about web security. These steps will greatly improve your NGINX security and they should take no more than 10 minutes of your time. Having a secure website and web apps means a lot, especially if you are running a business. If you want to be more secure, you should contact professionals to do it for you.