Nginx has grown into one of the most popular web servers in the world, and with its scalability and efficiency, it’s an optimal choice for hosting websites, applications, and services. However, like any web server, Nginx is not immune to security threats, and proper configuration is critical to ensure the safety and integrity of your data. Here, we outline the top Nginx security best practices for Linux servers that every system administrator should implement.

1. Keep Nginx and Your OS Updated

The first step toward a secure web server is to ensure that both your Nginx installation and the underlying operating system are up to date. Regular updates help protect against vulnerabilities that can be exploited by attackers.

  • Command to update Nginx on a Debian-based system:

    sudo apt-get update && sudo apt-get upgrade nginx

  • Command to update Nginx on a Red Hat-based system: 
    sudo yum update nginx

2. Use SSL/TLS

Encrypting data in transit is crucial for protecting sensitive information being transmitted over the internet. Implement SSL/TLS to secure communication between clients and your server.

  • Use Let’s Encrypt for free SSL certificates: 
    sudo apt install certbot python3-certbot-nginx
    
sudo certbot --nginx

Ensure you set up automatic certificate renewal with a cron job to avoid expiry:

0 0 * * * /usr/bin/certbot renew --quiet

3. Secure Configuration Files

The configuration files for Nginx contain sensitive information. Proper permissions should be set to restrict access to these files:

sudo chmod 600 /etc/nginx/nginx.conf

Only let necessary users manage and access these configurations to reduce the risk of unauthorized modifications.

4. Limit Request Methods

Limiting HTTP methods can help mitigate certain types of attacks, such as Cross-Site Request Forgery (CSRF).

server {

    ...

    location / {

        ...

        if ($request_method !~ ^(GET|POST)$) {

            return 444;

        }

    }

}

The above configuration will return a 444 status code for any request methods other than GET and POST.

5. Implement a Web Application Firewall (WAF)

A WAF can provide an additional layer of protection for your Nginx server by filtering and monitoring HTTP traffic to and from your web application. Popular options include ModSecurity and NAXSI.

Example ModSecurity setup:

  1. Install ModSecurity:

    sudo apt-get install libnginx-mod-http-modsecurity

  2. Enable ModSecurity in your Nginx configuration file: 
    server {
    
   ...
    
   ModSecurity on;
    
   ModSecurityConfig /etc/nginx/modsecurity/modsecurity.conf;
    
}

6. Use Fail2Ban

Fail2Ban helps protect your server against brute-force attacks by monitoring log files and banning IP addresses that show malicious activities.

  1. Install Fail2Ban:

    sudo apt-get install fail2ban

  2. Create a custom filter for Nginx (e.g., /etc/fail2ban/filter.d/nginx-auth.conf).

  3. Configure Fail2Ban to monitor Nginx logs in /etc/fail2ban/jail.local:

[nginx-auth]

enabled  = true

port     = http,https

filter   = nginx-auth

logpath  = /var/log/nginx/access.log

maxretry = 5

bantime  = 3600

7. Disable Unused Modules

Nginx is modular, meaning that it may come with features that you’re not using. Disabling unused modules can minimize the attack surface of your server.

Review the compiled configuration and if unneeded modules are present, recompile Nginx without them.

8. Disable Directory Listing

To prevent unauthorized users from viewing the contents of directories, disable directory listing in your Nginx configuration:

server {

    ...

    location / {

        autoindex off;

    }

}

9. Limit Connection Rate

Implement rate limiting to prevent abuse of your service by restricting the number of requests a single IP can make within a specified time frame.

http {

    ...

    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;



    server {

        ...

        location / {

            limit_req zone=one burst=5;

        }

    }

}

10. Use Security Headers

Implementing security headers can greatly enhance your application’s security. Here are a few headers to consider:

server {

    ...

    add_header X-Content-Type-Options nosniff;

    add_header X-Frame-Options DENY;

    add_header X-XSS-Protection "1; mode=block";

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

}

Conclusion

Securing your Nginx web server is essential to maintaining the integrity of your applications and the privacy of your users. By implementing these best practices, you’ll not only protect against common threats but also create a robust environment for your applications to thrive. Always remember, security is an ongoing process. Regularly review and adapt your configurations to stay ahead of emerging threats. Happy securing!