In this section, we will cover essential security practices to ensure your NGINX server is secure. Security is a critical aspect of any web server configuration, and NGINX provides several features to help you protect your server and the data it handles.
Key Concepts
- Restricting Access
- Using Secure Protocols
- Configuring Firewalls
- Preventing Information Disclosure
- Rate Limiting
- Regular Updates and Patching
Restricting Access
IP Whitelisting
You can restrict access to your NGINX server by allowing only specific IP addresses. This is useful for administrative interfaces or sensitive areas of your website.
Example Configuration:
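The configuration for this example is missing from the page, so the following is an added example (not the original page's own): an allow-list on /admin using NGINX's allow/deny directives. The single address and the CIDR range are constructed placeholders.

```nginx
# Added example (not from the original page): restrict /admin to an allow-list.
# The addresses below are constructed placeholders; substitute your own.
server {
    listen 80;
    server_name example.com;

    location /admin {
        allow 192.168.1.1;        # one administrator host
        allow 10.0.0.0/8;         # an internal network range (CIDR notation)
        deny  all;                # everyone else receives 403 Forbidden
        # root, proxy_pass, auth settings etc. follow here as usual
    }
}
```

Rules are evaluated in order and the first match wins, so the `deny all` must come last. The check uses the address of the TCP peer: if NGINX sits behind a load balancer or reverse proxy, that peer is the proxy, and every client will appear to come from the same address. In that deployment, configure the realip module (`set_real_ip_from` for each trusted proxy and `real_ip_header`) before relying on allow/deny, and trust only proxies you control, since the forwarded header is otherwise attacker-supplied.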
Password Protection
You can use HTTP Basic Authentication to password-protect certain areas of your site. Note that Basic Authentication only base64-encodes the credentials, it does not encrypt them, so serve any protected area over HTTPS.
Step-by-Step:
1. Create a Password File:
   sudo htpasswd -c /etc/nginx/.htpasswd user1
   The -c flag creates the file (overwriting an existing one); omit it when adding further users to the same file.
2. Configure NGINX:
   server {
       listen 80;
       server_name example.com;
       location /admin {
           auth_basic "Restricted Area";
           auth_basic_user_file /etc/nginx/.htpasswd;
       }
   }
Using Secure Protocols
Enabling SSL/TLS
Using SSL/TLS is crucial for encrypting data between the client and server.
Step-by-Step:
1. Obtain an SSL Certificate: You can get a free SSL certificate from Let's Encrypt.
2. Configure NGINX:
   server {
       listen 443 ssl;
       server_name example.com;
       ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
       location / {
           root /var/www/html;
           index index.html;
       }
   }
Redirect HTTP to HTTPS
Ensure all traffic uses HTTPS by redirecting HTTP requests.
Example Configuration:
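The redirect configuration is missing from the page, so here is an added example (not the page's own code) that pairs the plain-HTTP redirect with the HTTPS server block from the previous step. The `ssl_protocols` and Strict-Transport-Security lines go beyond the page and are my additions; the certificate paths are the ones used above.

```nginx
# Added example (not from the original page): send every plain-HTTP request
# to its HTTPS equivalent with a permanent (301) redirect.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    # $host is the requested hostname, $request_uri the full original path+query.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Addition beyond the page: refuse the obsolete TLS 1.0/1.1 handshakes.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Addition beyond the page: HSTS tells browsers to use HTTPS directly for a
    # year, so the redirect above is never needed after the first visit.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root  /var/www/html;
        index index.html;
    }
}
```

The `return 301` is placed in its own server block so that no content is ever served over port 80; the `always` parameter makes NGINX add the HSTS header on error responses as well. Run `nginx -t` after editing and reload with `nginx -s reload`.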
Configuring Firewalls
Use firewalls to control access to your NGINX server. Tools like ufw (Uncomplicated Firewall) can help.
Basic UFW Commands:
Preventing Information Disclosure
Hiding NGINX Version
Prevent attackers from knowing the version of NGINX you are running.
Example Configuration:
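The configuration is missing from the page; the following is an added example (not the page's own code) showing the directive that the exercise at the end of this section refers to.

```nginx
# Added example (not from the original page): stop NGINX from announcing its
# version number.
http {
    # With "on" (the default) responses carry "Server: nginx/<version>" and
    # the built-in error pages print the version; with "off" both show
    # only "nginx".
    server_tokens off;
}
```

`server_tokens off` hides the version but not the product name; removing or rewriting the Server header entirely is not possible with stock open-source NGINX and needs a third-party module. Verify the result on your own server with `curl -I https://example.com` and look at the Server header.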
Custom Error Pages
Avoid default error pages that may reveal server information.
Example Configuration:
server {
    listen 80;
    server_name example.com;
    error_page 404 /custom_404.html;
    location = /custom_404.html {
        root /var/www/html;
        internal;
    }
}
Rate Limiting
Rate limiting helps protect your server from brute force attacks and DDoS attacks.
Example Configuration:
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
        listen 80;
        server_name example.com;
        location /login {
            limit_req zone=one burst=5 nodelay;
        }
    }
}
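To show how burst and nodelay interact, and how to make rate-limited responses distinguishable from outages, here is an added example (not the page's own code) that extends the page's zone with a second, looser zone for the rest of the site and an explicit 429 status. The zone names `login` and `site` and the 10r/s figure are my choices.

```nginx
# Added example (not from the original page): two rate-limit zones and a
# dedicated status code for limited requests.
http {
    # Each zone is keyed on the client address; a 10 MB zone holds roughly
    # 160,000 address states. Zones are shared across all worker processes.
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=site:10m  rate=10r/s;

    # Default is 503, which is indistinguishable from a backend outage in
    # logs and dashboards; 429 Too Many Requests says what actually happened.
    limit_req_status 429;
    # Log limited requests at "warn" so they stand out from ordinary traffic.
    limit_req_log_level warn;

    server {
        listen 80;
        server_name example.com;

        # Site-wide limit: inherited by every location that does not define
        # its own limit_req (limit_req is replaced, not merged, per level).
        limit_req zone=site burst=20 nodelay;

        location /login {
            # Steady state 1 r/s. With burst=5 nodelay, up to 5 excess requests
            # are served immediately; further excess gets 429 until the burst
            # slots free up again at the zone's rate (one per second).
            limit_req zone=login burst=5 nodelay;
        }
    }
}
```

Without `nodelay`, burst requests are queued and released at the configured rate instead of served at once, which smooths traffic but adds latency; `nodelay` is the usual choice for login endpoints, where the goal is to cap guessing attempts rather than shape traffic. As with allow/deny, the limit is keyed on the TCP peer address, so behind a proxy all clients share one bucket unless the realip module is configured.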
Regular Updates and Patching
Keep your NGINX server and its dependencies up to date to protect against known vulnerabilities.
Update Commands:
Practical Exercise
Exercise: Implement Basic Security Practices
1. Restrict Access to the Admin Area:
   - Allow only IP 192.168.1.1 to access /admin.
2. Enable SSL/TLS:
   - Obtain a certificate from Let's Encrypt and configure NGINX to use it.
3. Hide NGINX Version:
   - Disable server tokens.
4. Set Up Rate Limiting:
   - Limit requests to /login to 1 request per second with a burst of 5.
Solution:
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server_tokens off;

    server {
        listen 80;
        server_name example.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        location /admin {
            allow 192.168.1.1;
            deny all;
        }

        location /login {
            limit_req zone=one burst=5 nodelay;
        }
    }
}
Conclusion
In this section, we covered several basic security practices for NGINX, including restricting access, using secure protocols, configuring firewalls, preventing information disclosure, rate limiting, and keeping your server updated. These practices are essential for maintaining a secure NGINX server. In the next section, we will delve into rate limiting in more detail.