Nginx Security: How To Harden Your Server Configuration

How to protect your Nginx server from various misuse and attacks.
February 2, 2025 by Hamed Mohammadi

Nginx is a powerful, high-performance web server used by millions of websites worldwide. However, like any software exposed to the internet, it must be properly secured to prevent unauthorized access, data breaches, and other cyber threats. In this guide, we will explore various techniques to harden your Nginx server configuration and enhance its security.

1. Keep Nginx Updated

Security vulnerabilities are discovered regularly, and updates often include critical security patches. To ensure your Nginx installation is secure, always keep it up to date:

sudo apt update && sudo apt upgrade nginx -y  # Debian/Ubuntu
sudo yum update nginx -y                      # CentOS/RHEL

Consider using the official Nginx repository to get the latest stable version.

2. Minimize Exposure with Minimal Modules

Nginx has a modular architecture, and every loaded module is code that is reachable from the network, so unnecessary modules increase the attack surface. When compiling Nginx from source, enable only the modules you need using the configure script's --with-... and --without-... flags.

3. Restrict Access with Firewall Rules

Use a firewall to allow only necessary traffic. For example, using ufw on Ubuntu:

sudo ufw allow 'Nginx Full'   # Allows HTTP and HTTPS traffic
sudo ufw enable

Or with iptables:

sudo iptables -A INPUT -i lo -j ACCEPT                                       # Keep loopback traffic working
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # Replies to the server's own outbound connections (DNS, package updates)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT  # If using SSH
sudo iptables -P INPUT DROP  # Drop all other traffic

4. Disable Unused HTTP Methods

By default, Nginx accepts any HTTP method and passes it on to the handler for the location, and most sites only need a few of them. You can limit the allowed methods in your server configuration; allowing GET in limit_except implicitly allows HEAD as well, and requests using any other method receive a 403 response:

server {
    listen 80;
    server_name example.com;

    location / {
        limit_except GET POST HEAD {
            deny all;
        }
    }
}

5. Prevent Information Disclosure

By default, Nginx may reveal its version number and other information. Disable this by editing your configuration file:

server_tokens off;

This should be placed inside the http block of your Nginx configuration file.

6. Enable SSL/TLS with Strong Cipher Suites

Always use HTTPS to encrypt data in transit. Configure strong SSL/TLS settings in your Nginx configuration:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305";
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
}

Note that ssl_ciphers only governs TLS 1.2 cipher suites; TLS 1.3 suites are negotiated separately and are not affected by this directive. The list above also only contains ECDHE-RSA suites, so it assumes an RSA certificate; a server using an ECDSA certificate needs the corresponding ECDHE-ECDSA suites. Use tools like SSL Labs to check your TLS configuration.

7. Enable HTTP Security Headers

Security headers protect against common attacks like XSS, clickjacking, and MIME sniffing. Add the following headers in your configuration. Two caveats: add_header directives are inherited from the enclosing block only when the current block defines no add_header of its own, so a location that adds its own header must repeat the full set; and X-XSS-Protection is a legacy header that current browsers ignore, with Content-Security-Policy being the modern replacement.

add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy no-referrer-when-downgrade;
add_header Content-Security-Policy "default-src 'self';";

8. Protect Against DDoS and Brute-Force Attacks

Use rate limiting to protect against excessive requests. The limit_req_zone directive belongs in the http block and tracks clients by address in a 10 MB shared zone; the burst value allows short spikes above the 5 requests per second rate, and nodelay serves those burst requests immediately instead of queuing them:

limit_req_zone $binary_remote_addr zone=limit_req:10m rate=5r/s;
server {
    location / {
        limit_req zone=limit_req burst=10 nodelay;
    }
}

9. Use Access Controls and Authentication

To restrict access to certain locations, use basic authentication:

location /admin {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Create a password file using the htpasswd tool (from the apache2-utils package on Debian/Ubuntu or httpd-tools on CentOS/RHEL). The -c flag creates the file and overwrites an existing one, so omit it when adding further users:

sudo htpasswd -c /etc/nginx/.htpasswd username

10. Monitor Logs and Enable Security Modules

Regularly check logs for suspicious activity:

tail -f /var/log/nginx/access.log

Consider using security modules like ModSecurity or tools like Fail2Ban to block abusive IPs.
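As an added example (not code from the original post), this is the kind of check a Fail2Ban jail performs on the access log: parse Nginx's default combined-format lines and flag client addresses that repeatedly fail basic authentication on the /admin location from section 9. The log lines, IP addresses, threshold and window below are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Nginx "combined" format: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 401 188 "-" "curl/8.5.0"
203.0.113.7 - - [02/Feb/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 401 188 "-" "curl/8.5.0"
203.0.113.7 - - [02/Feb/2025:10:00:03 +0000] "GET /admin HTTP/1.1" 401 188 "-" "curl/8.5.0"
203.0.113.7 - - [02/Feb/2025:10:00:04 +0000] "GET /admin HTTP/1.1" 401 188 "-" "curl/8.5.0"
203.0.113.7 - - [02/Feb/2025:10:00:05 +0000] "GET /admin HTTP/1.1" 401 188 "-" "curl/8.5.0"
198.51.100.4 - - [02/Feb/2025:09:58:00 +0000] "GET /admin HTTP/1.1" 401 188 "-" "Mozilla/5.0"
198.51.100.4 - alice [02/Feb/2025:09:58:09 +0000] "GET /admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Feb/2025:10:01:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_auth_bruteforce(lines, threshold=5, window_seconds=60, path_prefix="/admin"):
    """Return {ip: total_401s} for clients with `threshold` or more 401 responses under
    `path_prefix` inside any `window_seconds` span; a user who mistypes once is not flagged."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "401" and rec["path"].startswith(path_prefix):
            failures[rec["ip"]].append(datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z"))
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # sliding window over the sorted failure timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders

if __name__ == "__main__":
    print(find_auth_bruteforce(SAMPLE_LOG.splitlines()))
```

Run against /var/log/nginx/access.log, the returned addresses are the ones a Fail2Ban jail would hand to the firewall from section 3.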

Conclusion

Hardening your Nginx server is an ongoing process that requires regular updates and monitoring. By implementing the best practices outlined in this guide, you can significantly improve the security of your server and protect it from common threats.

Would you like to see a specific section expanded with more details? Let me know in the comments!
