Comments on Tips and Tricks to Secure Your Nginx Web Server

Nginx is an open source, lightweight, high-performance web server and one of the fastest growing web servers worldwide. In this tutorial, we explain some popular Nginx server security tips and tricks.

7 Comment(s)


Comments

By: Petter Neumann

These days, wouldn't the more practical way be to use Let's Encrypt / Certbot for HTTPS?

By: till

LE is nice and there are tutorials for it: https://www.howtoforge.com/tutorial/nginx-with-letsencrypt-ciphersuite/ and https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/ But LE does not work in all environments, e.g. you can't get an LE cert in your local network.

By: Not me

This is NOT securing an nginx server.  SSL is not security, it is for privacy only.

Using Let's Encrypt would be much better. To accomplish that, acme.sh is much easier to use for requesting and deploying the certs.  There are many how-tos for that.

I hoped to learn about deploying U2F for 2FA with this article and about methods to dynamically block phpMyAdmin requests. BTW, if you use phpMyAdmin, please only allow localhost connections, so the users have to ssh into the machine with a tunnel first. Actually, it would be good to block all .php requests from any outside country, IMHO.

Also blocking WP admin requests and putting those source IPs into a gulag would be helpful.

Or perhaps how to prevent brute force attacks against the normally terrible end-user passwords with fail2ban? A nice regex for this would be good.

Security is more than just blocking internet access to an internet service.

By: till

The tutorial shows how to restrict access by IP, how to prevent the Nginx version information from being shown, how to protect the website with a password and how to secure the server with a self-signed SSL cert. All these things are important to secure an Nginx server. We have already covered Let's Encrypt certificates for Nginx servers here: https://www.howtoforge.com/tutorial/nginx-with-letsencrypt-ciphersuite/ and https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/

By: Warren

I recommend looking into ngx_http_geoip_module, to limit which countries your reverse proxy responds to. It should go without saying that this could likely be circumvented by using a VPN.

By: CTan

I have a question here. Is there any way for the nginx.key (which is a private key) to be protected? Because everyone can see it when you open the conf file.
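The controls till lists above (IP restriction, hidden version string, password protection, self-signed TLS), Warren's country filter and CTan's question about the key can all be shown in one server block. The configuration below is an added example and is not code from the tutorial or from any commenter; the paths, addresses, realm name and country list are placeholders chosen for illustration.

```nginx
# Added example, not from the page. ngx_http_geoip_module must be compiled
# in or loaded with load_module; it reads the legacy GeoIP .dat format.
# Map the looked-up country code to a yes/no flag (DE/NL are placeholders).
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
    default no;
    DE      yes;
    NL      yes;
}

server {
    listen 443 ssl;
    server_name example.com;   # placeholder

    # Do not advertise the nginx version in the Server header or error pages
    server_tokens off;

    # Self-signed certificate. The config only holds the PATH of the key,
    # not the key material. Protect the file itself on disk:
    #   chown root:root /etc/nginx/ssl/nginx.key && chmod 600 /etc/nginx/ssl/nginx.key
    # The nginx master process runs as root and loads the key at start-up,
    # so the unprivileged worker processes never need to read it.
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Country gate; a VPN exit node in an allowed country bypasses this
    if ($allowed_country = no) {
        return 403;
    }

    location / {
        root /var/www/html;
    }

    # Admin area: IP allow-list first, then a password on top of it
    # (satisfy all is the default, so both conditions must hold)
    location /admin/ {
        allow 192.168.1.0/24;   # placeholder LAN range
        allow 203.0.113.10;     # placeholder office address
        deny  all;

        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;   # htpasswd -c /etc/nginx/.htpasswd admin
        root /var/www/html;
    }
}

# Redirect plain HTTP to HTTPS so nothing is served unencrypted
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

Two caveats a practitioner should keep in mind: ngx_http_geoip_module only understands the legacy GeoIP .dat databases, so with a GeoIP2 (.mmdb) database the third-party ngx_http_geoip2_module is needed instead; and file permissions are the real protection for nginx.key, since anyone who can read nginx.conf only learns where the key lives, not what it contains.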

By: shailendra S

Hi,

My requirement is that I need to secure my application through one of the custom APIs which accepts a user id and password.

So first my custom API will be called, and only once it succeeds should the main application be called.

Please suggest how we can achieve this through the Nginx configuration file.

I tried ngx_http_auth_request_module with a subrequest, but I don't know how to call my API, which uses the POST method. How will I get the user id and password from the client and pass them to my sub API?

Please suggest.
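The pattern asked about above is what ngx_http_auth_request_module is built for. The configuration below is an added example, not code from the page or from the commenter, and it rests on assumptions the question does not state: the credential-checking API listens on 127.0.0.1:9000 under /validate, answers 200 on success and 401 on failure, and the client sends its user id and password in an HTTP Basic Authorization header rather than in a POST body. That last point is forced by the module: the auth subrequest never carries the client's request body, so credentials have to travel in headers (or a cookie) to reach the API.

```nginx
# Added example, not from the page. Addresses, paths and header names
# are placeholders; the auth API contract (200 = ok, 401 = reject) is assumed.
upstream app      { server 127.0.0.1:8080; }
upstream auth_api { server 127.0.0.1:9000; }

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        # Each request first triggers a subrequest to /_auth. Only a 2xx
        # answer lets the request through; 401 and 403 are returned to the
        # client as they are, any other status becomes a 500.
        auth_request /_auth;

        # Turn the API's bare 401 into a proper Basic auth challenge
        error_page 401 = @unauthorized;

        # Optionally pass the identity the API confirmed on to the app,
        # taken from an X-Auth-User response header (assumed API behaviour)
        auth_request_set $auth_user $upstream_http_x_auth_user;
        proxy_set_header X-Auth-User $auth_user;

        proxy_pass http://app;
    }

    location = /_auth {
        internal;                       # only reachable as a subrequest
        proxy_pass http://auth_api/validate;
        proxy_method POST;              # subrequests are GET by default; the API wants POST
        proxy_pass_request_body off;    # the client body is not available to the subrequest
        proxy_set_header Content-Length "";
        # Client request headers are inherited by the subrequest; restating
        # the one the API needs makes the dependency explicit
        proxy_set_header Authorization  $http_authorization;
        proxy_set_header X-Original-URI $request_uri;
    }

    location @unauthorized {
        add_header WWW-Authenticate 'Basic realm="app"' always;
        return 401;
    }
}
```

Because the password is re-sent on every request, the usual refinement is to have the API issue a session cookie or token on the first successful check and validate that on later calls; the nginx side stays the same, only the header the API inspects changes. Keep the API bound to localhost, as here, so it is never reachable without going through the auth_request hop.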