Project

General

Profile

Support #666

Updated by Daniel Curtis about 9 years ago

These are a few tips for hardening nginx on FreeBSD. 

 h2. Nginx 

 h3. Disable nginx server_tokens 

 * Edit the main nginx config file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And add the following line inside the http block to disable nginx server_tokens: 
 <pre> 
 server_tokens off; 
 </pre> 

 h3. Configure an X-Frame-Options header 

 * Edit the main nginx config file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And add the following line inside the http block to configure an X-Frame-Options header: 
 <pre> 
 add_header X-Frame-Options "SAMEORIGIN"; 
 </pre> 

 h3. Redirect to HTTPS 

 * Edit the nginx server block: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* And add the following inside the server block to redirect all regular HTTP requests to HTTPS: 
 <pre> 
 # Redirect to HTTPS 
 if ($scheme = http) { 
     return 301 https://$server_name$request_uri; 
 } 
 </pre> 

 h3. Disable unwanted HTTP methods 

 * Edit the nginx server block: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* And add the following inside the server block to disable unwanted HTTP methods: 
 <pre> 
 if ($request_method !~ ^(GET|HEAD|POST)$ ) { 
     return 444; 
 } 
 </pre> 
 #* (Optional) For websites that use WebDAV, like owncloud, additional requests methods can be included.: 
 <pre> 
 if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|REPORT|PROPFIND)$ ) { 
     return 444; 
 } 
 </pre> 

 h3. Limit the maximum upload file size 

 * Edit the nginx server block: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* And add the following inside the server block to limit the maximum upload file size: 
 <pre> 
 client_max_body_size 20m; 
 client_body_buffer_size 128k; 
 </pre> 

 h3. Deny access to hidden files 

 * Edit the nginx server block: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* And add the following inside the server block to deny access to hidden files: 
 <pre> 
 location ~ /\. { 
     access_log off; 
     log_not_found off;  
     deny all; 
 } 
 </pre> 

 h2. PHP-FPM 

 h3. Defining An Individual Pool For Each Website 

 * Edit Create the main php-fpm config file: *www.example.com* website user: 
 <pre> 
 vi /usr/local/etc/php-fpm.conf pw add user -n wwwexamplecom -m -s /usr/sbin/nologin -c "www.example.com" 
 </pre> 
 #* And add  

 * Create the following: *mail.example.com* website user: 
 <pre> 
 include=/usr/local/etc/fpm.d/*.conf pw add user -n mailexamplecom -m -s /usr/sbin/nologin -c "mail.example.com" 
 </pre> 

  

 * Create the php-fpm directory to store each individual site php-fpm configs: 
 <pre> 
 mkdir /usr/local/etc/fpm.d 
 </pre> 

 h3. Define a pool for www.example.com 

 * Create Edit the *www.example.com* website user: main php-fpm config file: 
 <pre> 
 pw vi /usr/local/etc/php-fpm.conf 
 </pre> 
 #* And add user -n wwwexamplecom -m -s /usr/sbin/nologin -c "www.example.com" the following: 
 <pre> 
 include=/usr/local/etc/fpm.d/*.conf 
 </pre>  

 

 * Define a new pool for *www.example.com*: 
 <pre> 
 vi /usr/local/etc/fpm.d/www.example.com.conf 
 </pre> 
 #* And add the following 
 <pre> 
 [www.example.com] 
 listen = /var/run/www.example.com-php-fpm.sock 
 listen.owner = wwwexamplecom 
 listen.group = www 
 listen.mode = 0660 
 user = wwwexamplecom 
 group = www 
 pm = dynamic 
 pm.max_children = 50 
 pm.start_servers = 20 
 pm.min_spare_servers = 5 
 pm.max_spare_servers = 35 
 </pre> 

 * Edit the server config for *www.example.com*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* And modify the PHP location handler: 
 <pre> 
 server { 
   location ~ \.php$ { 
     try_files $uri =404; 
     fastcgi_pass unix:/var/run/php5-fpm/www.example.com-php-fpm.sock; 
     fastcgi_index index.php; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
     fastcgi_param PATH_INFO $fastcgi_script_name; 
     include /etc/nginx/fastcgi_params; 
   } 
 } 
 </pre> 

 h3. Define a pool for mail.example.com 

 * Create the *mail.example.com* website user: 
 <pre> 
 pw add user -n mailexamplecom -m -s /usr/sbin/nologin -c "mail.example.com" 
 </pre>  

 * Define a new pool for *mail.example.com*: 
 <pre> 
 vi /usr/local/etc/fpm.d/mail.example.com.conf 
 </pre> 
 #* And add the following 
 <pre> 
 [mail.example.com] 
 listen = /var/run/mail.example.com-php-fpm.sock 
 listen.owner = mailexamplecom 
 listen.group = www 
 listen.mode = 0660 
 user = mailexamplecom 
 group = www 
 pm = dynamic 
 pm.max_children = 50 
 pm.start_servers = 20 
 pm.min_spare_servers = 5 
 pm.max_spare_servers = 35 
 </pre> 

 * Edit the server config for *www.example.com*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* And modify the PHP location handler: 
 <pre> 
 server { 
   location ~ \.php$ { 
     try_files $uri =404; 
     fastcgi_pass unix:/var/run/php5-fpm/www.example.com-php-fpm.sock; 
     fastcgi_index index.php; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
     fastcgi_param PATH_INFO $fastcgi_script_name; 
     include /etc/nginx/fastcgi_params; 
   } 
 } 
 </pre> 

 * Edit the server config for *mail.example.com*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/mail.example.com.conf 
 </pre> 
 #* And modify the PHP location handler: 
 <pre> 
 server { 
   location ~ \.php$ { 
     try_files $uri =404; 
     fastcgi_pass unix:/var/run/php5-fpm/mail.example.com-php-fpm.sock; 
     fastcgi_index index.php; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
     fastcgi_param PATH_INFO $fastcgi_script_name; 
     include /etc/nginx/fastcgi_params; 
   } 
 } 
 </pre> 

 h2. Resources 

 * https://www.howtoforge.com/php-fpm-nginx-security-in-shared-hosting-environments-debian-ubuntu 
 * http://www.if-not-true-then-false.com/2011/nginx-and-php-fpm-configuration-and-optimizing-tips-and-tricks/ 
 * https://www.acunetix.com/blog/articles/nginx-server-security-hardening-configuration-1/ 
 * https://www.acunetix.com/blog/articles/nginx-security-hardening-configuration-2/ 
 * http://sabre.io/dav/building-a-caldav-client/

Back