Nginx
Nginx is a fast, lightweight and scalable web server.
Installation
To install Nginx:
sudo apt-get install nginx-full
Disable the server version display in /etc/nginx/nginx.conf (with server_tokens off, nginx omits its version from the Server response header and from its error pages):
http { server_tokens off; }
Additional security
Note
The default settings of nginx are quite secure. This section is considered optional.
Note
The following settings can be written into the http section of /etc/nginx/nginx.conf or into server sections in /etc/nginx/sites-available/*.
Restrict access to the configured domain names (return 444 closes the connection without sending a response):
if ($host !~ "^(first\.tld|second\.tld|third\.tld)$") { return 444; }
Limit to GET and POST:
if ($request_method !~ ^(GET|POST)$ ) { return 444; }
Block User-Agents (the header is chosen by the client, so this only filters tools that identify themselves honestly):
if ($http_user_agent ~* "(LWP::Simple|BBBike|wget|msnbot|scrapbot)") { return 403; }
Limit request buffer sizes to mitigate buffer-overflow attacks (note that client_max_body_size 1k makes nginx answer any request body larger than 1 KB, such as a file upload, with 413 Request Entity Too Large):
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
Mitigate timeout attacks (slow clients holding connections open) by shortening the timeouts:
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
Limit simultaneous connections per client address. The older limit_zone directive has been replaced by limit_conn_zone; the zone definition must be in the http section, while limit_conn may also be placed in a server or location section:
limit_conn_zone $binary_remote_addr zone=slimits:5m;
limit_conn slimits 5;
Note
The following settings must be in a server section in /etc/nginx/sites-available/.
Disable hotlinking (add none to the valid_referers list if requests without a Referer header, such as a direct visit, should also be allowed):
location /images/ {
    valid_referers blocked first.allowed.tld second.allowed.tld;
    if ($invalid_referer) { return 403; }
}
Basic authentication:
auth_basic "Restricted"; auth_basic_user_file /usr/nginx/htpasswd;
Rewrite HTTP to HTTPS for all virtual hosts in /etc/nginx/sites-available/default:
server {
    listen 80 default_server;
    rewrite ^ https://$host$request_uri? permanent;
}
Deny access to hidden files (names starting with a dot, such as .htaccess or .git):
location ~ /\. { deny all; }
Deny access to folders:
location ^~ /dir { deny all; }
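As an added example that is not part of this page or of nginx, the following Python script applies the placement rules above offline: it tokenizes nginx configuration syntax (comments, quoted strings, blocks), then reports directives in a context nginx does not accept (for instance limit_conn_zone inside a server block), the obsolete limit_zone form, a limit_conn that names an undefined zone, and any server block not covered by server_tokens off. The two embedded configurations are constructed samples, and the allowed-context table covers only directives used on this page.

```python
"""Offline lint for the hardening directives above: an added example, not part
of the page or of nginx. It parses nginx configuration syntax and checks that
directives sit in a context nginx accepts, that the obsolete limit_zone is not
used, that limit_conn names a defined zone and that server_tokens is off."""
import re

# Contexts in which nginx accepts each directive; only those used in the hardening section.
ALLOWED_CONTEXTS = {
    "server_tokens": {"http", "server", "location"},
    "limit_conn_zone": {"http"},  # the shared-memory zone is http-only
    "limit_conn": {"http", "server", "location"},
    "valid_referers": {"server", "location"},
}
DEPRECATED = {"limit_zone": "limit_conn_zone"}  # obsolete form -> successor

TOKEN_RE = re.compile(r"""
      \#[^\n]*                   # comment to end of line
    | (["'])(?:\\.|(?!\1).)*\1   # quoted string, either quote style
    | [{};]                      # block open/close, end of statement
    | [^\s{};"']+                # bare word: names, values, regexes, variables
""", re.VERBOSE)

def parse(text: str) -> list:
    """Flatten the configuration into (context, directive, args) triples; context
    is the chain of enclosing blocks as (name, id) pairs, block headers included."""
    directives, stack, current, next_id = [], [], [], 0
    for tok in (m.group(0) for m in TOKEN_RE.finditer(text)):
        if tok.startswith("#"):
            continue
        if tok == ";":
            if current:
                directives.append((tuple(stack), current[0], current[1:]))
            current = []
        elif tok == "{":
            if not current:
                raise ValueError("'{' without a block name")
            stack.append((current[0], next_id))
            next_id += 1
            directives.append((tuple(stack), current[0], current[1:]))
            current = []
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            current.append(tok)
    if stack or current:
        raise ValueError("configuration ends inside a block or statement")
    return directives

def effective_context(ctx: tuple) -> str:
    """Innermost enclosing block; `if` is transparent, the top level is 'main'."""
    return next((name for name, _ in reversed(ctx) if name != "if"), "main")

def audit(text: str) -> list:
    """Return findings for a configuration text; an empty list means clean."""
    findings, zones, conn_refs, server_ids, tokens_off = [], set(), [], set(), set()
    for ctx, name, args in parse(text):
        eff = effective_context(ctx)
        if name in DEPRECATED:
            findings.append(f"{name} is obsolete, use {DEPRECATED[name]} instead")
            continue
        if name in ALLOWED_CONTEXTS and eff not in ALLOWED_CONTEXTS[name]:
            findings.append(f"{name} is not valid in the {eff} context")
        if name == "server":
            server_ids.add(ctx[-1][1])
        elif name == "server_tokens" and args[:1] == ["off"]:
            # "*" marks the http level, which covers every server block
            tokens_off.update({"*"} if eff == "http" else {i for n, i in ctx if n == "server"})
        elif name == "limit_conn_zone":
            zones.update(a[5:].split(":")[0] for a in args if a.startswith("zone="))
        elif name == "limit_conn" and args:
            conn_refs.append(args[0])
    if "*" not in tokens_off and server_ids - tokens_off:
        findings.append("server_tokens off is missing: the nginx version is disclosed")
    findings += [f"limit_conn uses zone '{z}' that no limit_conn_zone defines"
                 for z in conn_refs if z not in zones]
    return findings

# Constructed sample: obsolete limit_zone, a zone in the wrong context, no server_tokens.
WEAK_CONF = r"""
http { server {
    limit_zone slimits $binary_remote_addr 5m;
    limit_conn_zone $binary_remote_addr zone=perip:5m;
    limit_conn slimits 5;
} }
"""

# Constructed sample: the same hardening with each directive where nginx expects it.
HARDENED_CONF = r"""
http {
    server_tokens off;                                    # hide the version
    limit_conn_zone $binary_remote_addr zone=slimits:5m;  # zone: http only
    server {
        limit_conn slimits 5;
        if ($request_method !~ "^(GET|POST)$") { return 444; }
    }
}
"""
```

Import audit() and pass it the text of nginx.conf; a clean configuration returns an empty list, and WEAK_CONF above yields four findings. The checker knows nothing about directive semantics beyond ALLOWED_CONTEXTS, so extend that table before running it against a larger configuration.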
Start
sudo service nginx start
Stop
sudo service nginx stop
Disable
sudo update-rc.d nginx remove
Enable
sudo update-rc.d nginx defaults
Responsible
Alexander Werner, Robert Einsle