Support #666
Hardening Nginx & PHP-FPM on FreeBSD
Description
These are a few tips for hardening nginx on FreeBSD.
Nginx¶
Disable nginx server_tokens¶
- Edit the main nginx config file:
vi /usr/local/etc/nginx/nginx.conf
- And add the following line inside the http block to disable nginx server_tokens:
server_tokens off;
- And add the following line inside the http block to disable nginx server_tokens:
Configure an X-Frame-Options header¶
- Edit the main nginx config file:
vi /usr/local/etc/nginx/nginx.conf
- And add the following line inside the http block to configure an X-Frame-Options header:
add_header X-Frame-Options "SAMEORIGIN";
- And add the following line inside the http block to configure an X-Frame-Options header:
Redirect to HTTPS¶
- Edit the nginx server block:
vi /usr/local/etc/nginx/conf.d/www.example.com.conf
- And add the following inside the server block to redirect all regular HTTP requests to HTTPS:
# Redirect to HTTPS if ($scheme = http) { return 301 https://$server_name$request_uri; }
- And add the following inside the server block to redirect all regular HTTP requests to HTTPS:
Disable unwanted HTTP methods¶
- Edit the nginx server block:
vi /usr/local/etc/nginx/conf.d/www.example.com.conf
- And add the following inside the server block to disable unwanted HTTP methods:
# Disable unwanted HTTP methods if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; } - (Optional) For websites that use WebDAV, like owncloud, additional requests methods can be included.:
# Disable unwanted HTTP methods if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|REPORT|PROPFIND)$ ) { return 444; }
- And add the following inside the server block to disable unwanted HTTP methods:
Limit the maximum upload file size¶
- Edit the nginx server block:
vi /usr/local/etc/nginx/conf.d/www.example.com.conf
- And add the following inside the server block to limit the maximum upload file size:
client_max_body_size 20m; client_body_buffer_size 128k;
- And add the following inside the server block to limit the maximum upload file size:
Deny access to hidden files¶
- Edit the nginx server block:
vi /usr/local/etc/nginx/conf.d/www.example.com.conf
- And add the following inside the server block to deny access to hidden files:
location ~ /\. { access_log off; log_not_found off; deny all; }
- And add the following inside the server block to deny access to hidden files:
PHP-FPM¶
- Edit the main php-fpm config file:
vi /usr/local/etc/php-fpm.conf
- And add the following:
include=/usr/local/etc/fpm.d/*.conf
- And add the following:
- Create the php-fpm directory to store each individual site php-fpm configs:
mkdir /usr/local/etc/fpm.d
Define a pool for www.example.com¶
- Create the www.example.com website user:
pw add user -n wwwexamplecom -m -s /usr/sbin/nologin -c "www.example.com"
- Define a new pool for www.example.com:
vi /usr/local/etc/fpm.d/www.example.com.conf
- And add the following
[www.example.com] listen = /var/run/www.example.com-php-fpm.sock listen.owner = wwwexamplecom listen.group = www listen.mode = 0660 user = wwwexamplecom group = www pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35
- And add the following
- Edit the server config for www.example.com:
vi /usr/local/etc/nginx/conf.d/www.example.com.conf
- And modify the PHP location handler:
server { location ~ \.php$ { try_files $uri =404; fastcgi_pass unix:/var/run/php5-fpm/www.example.com-php-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_script_name; include /etc/nginx/fastcgi_params; } }
- And modify the PHP location handler:
Define a pool for mail.example.com¶
- Create the mail.example.com website user:
pw add user -n mailexamplecom -m -s /usr/sbin/nologin -c "mail.example.com"
- Define a new pool for mail.example.com:
vi /usr/local/etc/fpm.d/mail.example.com.conf
- And add the following
[mail.example.com] listen = /var/run/mail.example.com-php-fpm.sock listen.owner = mailexamplecom listen.group = www listen.mode = 0660 user = mailexamplecom group = www pm = dynamic pm.max_children = 50 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35
- And add the following
- Edit the server config for mail.example.com:
vi /usr/local/etc/nginx/conf.d/mail.example.com.conf
- And modify the PHP location handler:
server { location ~ \.php$ { try_files $uri =404; fastcgi_pass unix:/var/run/php5-fpm/mail.example.com-php-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_script_name; include /etc/nginx/fastcgi_params; } }
- And modify the PHP location handler:
Resources¶
- https://www.howtoforge.com/php-fpm-nginx-security-in-shared-hosting-environments-debian-ubuntu
- http://www.if-not-true-then-false.com/2011/nginx-and-php-fpm-configuration-and-optimizing-tips-and-tricks/
- https://www.acunetix.com/blog/articles/nginx-server-security-hardening-configuration-1/
- https://www.acunetix.com/blog/articles/nginx-security-hardening-configuration-2/
- http://sabre.io/dav/building-a-caldav-client/
Updated by Daniel Curtis over 8 years ago
- Description updated (diff)
- Status changed from New to In Progress
- % Done changed from 0 to 50
Updated by Daniel Curtis over 8 years ago
- Description updated (diff)
- % Done changed from 50 to 70
Updated by Daniel Curtis over 8 years ago
- Description updated (diff)
- % Done changed from 70 to 80
Updated by Daniel Curtis over 8 years ago
- Status changed from In Progress to Resolved
- % Done changed from 80 to 100