10 Nginx safety tips
Add Date: 2018-11-21

Nginx is one of today's most popular web servers. It serves 7% of the world's web traffic and is growing at an alarming rate. It is an amazing server and I would like to deploy it.

Below is a list of common pitfalls and security solutions that can help ensure your Nginx deployment is secure.

1. Use "if" carefully in the configuration file. It is part of the rewrite module and should not be used anywhere else.

The "if" directive is an imperative part of the rewrite module's evaluation. Put another way, Nginx configuration is generally declarative. In some cases, driven by user demand, people tried to use "if" inside non-rewrite directives, which led to the situation we are now experiencing. In most cases it works, but... see above.

The only correct solution seems to be to completely disable "if" in non-rewrite contexts. This would change many existing configurations, so it has not been done yet.

Source: IfIsEvil

2. Passing every location ~ \.php$ request to PHP. Last week we published a post about a potential security vulnerability introduced by this popular directive. Even a file named hello.php.jpeg can be matched by the ~ \.php$ regex and executed.

There are some good ways to fix this problem. I am sure you agree that making it non-trivial to execute arbitrary code is necessary.

- Use try_files and only forward the request to the running PHP FCGI process if the file actually exists (note the performance cost on all dynamic pages).
- Set cgi.fix_pathinfo to 0 in your php.ini (cgi.fix_pathinfo = 0). This ensures PHP checks the full file name (if the exact file is not found, it will not fall back to a shorter path that ends in .php).
- Fix the regular expression that matches the wrong files. Right now the regex matches any path containing ".php". Add a rule so that only the correct files run: next to location ~ \.php$, add location ~ \..*/.*\.php$ { return 403; } so that such requests are rejected with 403.

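As an added example (not code from the original post), the following Python emulates nginx's first-match-wins regex location selection for the two rules in this tip and for try_files $uri =404;, so you can see why the 403 rule has to be listed before the catch-all. The document root, request paths and the fastcgi_pass address in the comment are constructed for illustration.

```python
import re

# Constructed example: nginx tests regex locations in config order and the first
# match wins, so the 403 rule from tip 2 only works when it precedes the catch-all.
# Equivalent nginx configuration, in the safe order (fastcgi_pass target illustrative):
#   location ~ \..*/.*\.php$ { return 403; }
#   location ~ \.php$        { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; }

VULNERABLE_RULES = [
    (r"\.php$", "php-fcgi"),          # the popular catch-all on its own
]

HARDENED_RULES = [
    (r"\..*/.*\.php$", "403"),        # must come first: rejects /x.jpg/evil.php
    (r"\.php$", "php-fcgi"),
]

# Constructed document root; stands in for the filesystem that try_files inspects.
EXISTING_FILES = {"/index.php", "/uploads/cat.jpg", "/logo.png"}


def route(uri, rules, existing_files=EXISTING_FILES, try_files=True):
    """Return the action nginx would take for a request path.

    try_files=True emulates `try_files $uri =404;` inside the PHP location:
    the request is only handed to the FastCGI process when the exact path
    exists, so /uploads/cat.jpg/evil.php is never left for PHP's
    cgi.fix_pathinfo logic to resolve to the uploaded image.
    """
    path = uri.split("?", 1)[0]          # query string plays no part in location matching
    for pattern, action in rules:
        if re.search(pattern, path):
            if action == "php-fcgi" and try_files and path not in existing_files:
                return "404"
            return action
    return "static"  # no regex location matched; served as a plain file


if __name__ == "__main__":
    probe = "/uploads/cat.jpg/evil.php"
    print("vulnerable:", route(probe, VULNERABLE_RULES, try_files=False))   # php-fcgi
    print("hardened:  ", route(probe, HARDENED_RULES))                       # 403
    print("misordered:", route(probe, list(reversed(HARDENED_RULES)), try_files=False))  # php-fcgi
```

The misordered run shows that the 403 block is never reached once the catch-all precedes it, and try_files on its own turns the same request into a 404 instead.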
3. Disable the autoindex module. This may already be off in the Nginx version you are using; if not, add the autoindex off; directive to the location block in the configuration file.

4. Disable SSI (server side includes) on the server. This is done by adding ssi off; to the location block.

5. Turn off server tokens. When enabled (the default), error pages display the server version and related information. Add server_tokens off; to the Nginx configuration file to fix this.

6. Set custom buffer sizes in the configuration file to limit the possibility of buffer overflow attacks.

client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

7. Set timeouts low to prevent DoS attacks. All of these statements go in the main configuration file.

client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;

8. Limit the number of connections per user to prevent DoS attacks.

limit_zone slimits $binary_remote_addr 5m;
limit_conn slimits 5;

9. Try to avoid HTTP authentication. By default it uses crypt, which is not a secure hash. If you must use it, use MD5 (this is not a good choice either, but it is better than crypt).

10. Keep up with the latest Nginx security updates.