Nginx is one of today's most popular web servers. It already serves about 7% of the world's web traffic and is growing at a remarkable rate. It is an excellent server, and I like to deploy it.
Below is a list of common pitfalls and their security fixes that will help you make sure your Nginx deployment is safe.
1. Use "if" in the configuration file with care. It is part of the rewrite module and should not be used everywhere.
The "if" directive is evaluated as a mandatory part of the rewrite module's instruction set. Put another way, Nginx configuration is generally declarative. In some cases users, driven by their own needs, have tried to use "if" inside non-rewrite directives, which leads to the situations we see today. In most cases it works, but... see above.
The only correct solution appears to be to disable "if" completely inside non-rewrite directives. That would change many existing configurations, so it has not yet been done.
2. Passing every `~ \.php$` request to PHP. Last week we published the potential security vulnerability that this popular directive introduces: even a file named hello.php.jpeg can be matched by the `~ \.php$` regex and executed.
There are good ways to solve these two problems. I am sure you do not want to make it easy for someone to execute arbitrary code.
Use try_files so that a request is only forwarded to the running PHP FastCGI process if the file actually exists (note that this applies to all dynamic execution).
Make sure cgi.fix_pathinfo in your php.ini is set to 0 (cgi.fix_pathinfo = 0). This ensures that PHP checks the full file name and, when it is not found, does not strip trailing path segments to look for a .php file.
Fix the regular expression so it no longer matches the wrong files. At the moment the regex matches any file name that contains ".php". Adding an "if" to the site to ensure only the correct files run is not the answer (see tip 1). Instead, alongside `location ~ \.php$`, add `location ~ \..*/.*\.php$` and set it to `return 403;`.
3. Disable the autoindex module. Depending on the Nginx version you are using this may already be the default; if not, simply add an `autoindex off;` declaration to the location block in the configuration file.
4. Disable SSI (server side includes) on the server. This is done by adding `ssi off;` to the location block.
5. Turn off the server tag. When it is on (the default), error pages display the full server version and information. Add the `server_tokens off;` declaration to the Nginx configuration file to solve this problem.
6. Set custom buffer sizes in the configuration file to limit the possibility of buffer overflow attacks.
large_client_header_buffers 2 1k;
7. Set low timeouts to prevent DoS attacks. All of these statements go in the main configuration file.
keepalive_timeout 5 5;
8. Limit the number of connections per user to prevent DoS attacks.
# limit_zone was replaced by limit_conn_zone in nginx 1.1.8; the old form is shown as on the page.
limit_zone slimits $binary_remote_addr 5m;
limit_conn slimits 5;
9. Try to avoid using HTTP authentication. HTTP authentication uses crypt by default, which is not a secure hash. If you must use it, at least use MD5 (not a good choice either, but better than crypt).
10. Keep up with the latest Nginx security updates.
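The tips above, combined into one server block as an added example (this is not configuration from the original article). It assumes a web root of /var/www/html and PHP-FPM listening on unix:/run/php/php-fpm.sock, and uses limit_conn_zone, the directive that replaced limit_zone in nginx 1.1.8.

```nginx
# Added example: hardened server block covering tips 2 through 8.
# Assumed: web root /var/www/html, PHP-FPM socket /run/php/php-fpm.sock.
# Also set cgi.fix_pathinfo = 0 in php.ini (tip 2); that is not an nginx setting.
http {
    server_tokens off;                      # tip 5: no version in headers or error pages

    large_client_header_buffers 2 1k;       # tip 6: reject oversized request headers early

    keepalive_timeout 5 5;                  # tip 7: idle keep-alive connections close quickly

    # tip 8: at most 5 concurrent connections per client address
    limit_conn_zone $binary_remote_addr zone=slimits:5m;

    server {
        listen 80;
        root /var/www/html;

        limit_conn slimits 5;
        autoindex off;                      # tip 3: no directory listings
        ssi off;                            # tip 4: no server side includes

        # tip 2: regex locations match in order of appearance, so this must come
        # before the \.php$ block. It rejects paths such as /uploads/image.jpg/x.php,
        # where a dotted path component precedes the .php segment.
        location ~ \..*/.*\.php$ {
            return 403;
        }

        location ~ \.php$ {
            try_files $uri =404;            # only files that exist reach PHP-FPM
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
}
```

Check the result with `nginx -t` before reloading; the version should then be absent from the Server header and error pages, and a request for a path like /uploads/image.jpg/x.php should return 403 rather than reaching PHP.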