Skip to content

EsadCetiner/Secure-Nginx-Config

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Fast and Secure NGINX Configuration Template - By Esad Cetiner

This project's goal is to provide a fast and secure by default NGINX configuration template and encourage secure design that minimizes the chances of misconfigurations and their impacts. Code snippets are also provided for additional functionality for you to include in your server blocks.

Features

  • HTTPs redirection
  • DoS mitigations (Rate limiting rules will need to be tuned to your needs)
  • Brotli Compression (Disabled by default)
  • Disable page indexing for Search Engines (Disabled by default)
  • 0-RTT (Disabled by default)
  • Hide NGINX and minimize information leakage via headers
  • HTTPs only mode with Strict Transport Security (Disabled by default)
  • Prevent host header spoofing
  • A/A+ Score on SSL Labs (A+ requires HTTPs only mode)
  • Prevent DNS Spoofing
  • Prioritize ChaCha20 encryption for clients that don't support AES-NI (Disabled by default)
  • OCSP Stapling
  • File caching for frequently accessed files
  • Restrict access to sensitive files
  • Default empty webroot (Prevents accidentally exposing your entire server's file system to the internet)
  • Security header template (Get a higher score in https://securityheaders.com)

Requirements

  • A certificate with OCSP Stapling
  • ECC certificates are recommended, they are more secure and performant than RSA.
  • Nginx more_set_headers module installed
  • This has only been tested on Ubuntu/Debian so Ubuntu/Debian is recommended, although there is nothing stopping you from using this on Arch/Cent OS etc

Before you install

To prevent DNS spoofing, the resolver directive within the http block is set to use an localhost DNS stub resolver (which is 127.0.0.53 for most users, 127.0.0.11 for docker). DNS resolution will fail if your DNS stub resolver is not at 127.0.0.53, monitor your error.log file and update the resolver directive to use the correct IP address if your having issues.

Don't set the resolver directive to a public DNS server, only use the localhost DNS resolver.

See: https://blog.zorinaq.com/nginx-resolver-vulns/

How to install

  1. It's recommended to start with an server without NGINX installed and without any NGINX related configuration.
  2. Then, install the following NGINX packages: apt install nginx-common libnginx-mod-http-headers-more-filter ssl-cert git this will install the bare minimum for NGINX to operate and has smallest possible attack surface out of the box. If you need to use additional NGINX modules then you should also install those also.
  3. Clone this repository git clone https://github.com/esadcetiner/secure-nginx-config/.
  4. Replace the stock nginx.conf file with cp secure-nginx-config/nginx.conf /etc/nginx/nginx.conf.
  5. Move snippets to NGINX directory cp -r secure-nginx-config/snippets/ /etc/nginx/.
  6. Move error pages to webroot cp -r secure-nginx-config/error_pages/ /var/www/.
  7. Create an empty webroot mkdir -p /var/www/empty-webroot/ (Never place anything in this directory).
  8. Update ssl_trusted_certificate directive inside nginx.conf with the path to your certificate file for OCSP stapling. Please make sure your certificate supports OCSP stapling.
  9. You should now be done now. Please consult the documentation on information about the included snippets and additional features.
  10. (Optional) If you need to enable Diffie-Helman Ephemeral for legacy clients, then you must generate an Diffie-Helamn parameters file(openssl dhparam -out /etc/ssl/dhparams-4096.pem 4096) and uncomment the ssl_dhparam directive in nginx.conf to avoid logjam. Only ECDHE is enabled for key exchange by default for better performance and security.

Additional resources:

This configuration template is a good starting point for configuring NGINX securely, but it's not a silver bullet. You can find additional resources below to ensure NGINX is configured properly along with tools that give you extra hardening on top of NGINX.

Yandex Gixy: Yandex Gixy is a static analysis tool for Nginx, it can detect misconfigurations like HTTP splitting, host header spoofing and SSRF. This project passes all tests from gixy out of the box.

NGINX CIS Benchmark: The CIS NGINX benchmark is a community compiled list of recommendations for a secure NGINX deployment, many of the recomendations are already applied here.

Pitfalls and Common Mistakes: This NGINX blog post covers some common mistakes made by both new and inexperienced users, some of these are prevented by secure by default design.

ModSecurity WAF: ModSecurity is an open source Web Application Firewall that can protect against a wide range of attacks, including the OWASP top 10, common misconfigurations, and data leakage. ModSecurity requires a ruleset to be effective, the most popular one is OWASP CRS.

CrowdSec: CrowdSec is an open source log analysis tool with Crowdsourced IP threat intelligence. It scans your logs for common indicators of attacks (i.e brute force attacks, multiple 404 errors, scanning for sensitive files, common exploits, etc), bans the offending IP address, and then shares that information with other CrowdSec users. All CrowdSec are given an free community IP blocklist that is powered from the signals of all CrowdSec users.

Releases

No releases published

Packages

No packages published

Languages