Ugacomp

How do I secure my Nginx server?

Here are the various ways you can use to secure your Nginx server:

Update Nginx Regularly

Keeping your Nginx server up-to-date is crucial for security. Ensure you are using the latest stable version to benefit from security patches and bug fixes. Use the following commands:

sudo apt-get update
sudo apt-get install --only-upgrade nginx   # upgrade the nginx package only, without installing it if absent

Configure a Firewall

Utilize a firewall to control incoming and outgoing traffic. For example, using ufw on Ubuntu:

sudo ufw allow OpenSSH        # keep SSH reachable before enabling the firewall
sudo ufw allow 'Nginx Full'   # application profile: opens both 80/tcp and 443/tcp
sudo ufw enable

Enable HTTPS with SSL/TLS

Encrypt data in transit by enabling HTTPS. Acquire and install an SSL/TLS certificate, and update your Nginx configuration:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    # Additional SSL configurations
}

Disable Unnecessary Nginx Modules

Minimize the attack surface by loading only the modules you actually use. Dynamic modules are enabled with load_module directives in the main context of nginx.conf (before the events block); each such line adds code to the running server, so comment out or delete the lines for modules you do not need and reload Nginx:

nginx.conf:

# Every load_module line enables a dynamic module; comment out the ones you do not need.
# Example choice: realip is kept for a server behind a proxy, geoip is not used and is disabled.
load_module modules/ngx_http_realip_module.so;
#load_module modules/ngx_http_geoip_module.so;

Restrict Access to Nginx Configuration

Protect sensitive information by restricting access to Nginx configuration files. Set appropriate permissions:

sudo chmod 640 /etc/nginx/nginx.conf
sudo chown root:www-data /etc/nginx/nginx.conf

Implement Security Headers

Enhance security by adding HTTP security headers. Modify your server block:

server {
    # ...

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always; # legacy header; current browsers ignore it
}

Limit File Upload Size

Prevent potential abuse and server overload by limiting file upload size. Adjust the client_max_body_size directive:

http {
    client_max_body_size 10M; # Adjust as needed
}

Set Up Basic Authentication

Add an extra layer of protection by implementing basic authentication. Use the htpasswd command to generate a password file:

# htpasswd is in the apache2-utils package on Debian/Ubuntu; -c creates the file (omit -c when adding further users)
sudo htpasswd -c /etc/nginx/.htpasswd username

Update your Nginx configuration:

location / {
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Your other configurations
}

Monitor and Audit Logs

Regularly review Nginx access and error logs to detect potential security issues. Use the tail command to monitor logs in real-time:

sudo tail -f /var/log/nginx/access.log
sudo tail -f /var/log/nginx/error.log
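Watching tail -f catches what you happen to be looking at; a small script over the same access.log turns the review into a repeatable check. The following Python is an added example (not part of the original article): it parses Nginx's default combined log format and flags clients whose requests are mostly 4xx/5xx, the usual footprint of path or credential guessing. The log lines are constructed samples.

```python
import re
from collections import defaultdict

# nginx's default "combined" access log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not real traffic): a normal visitor and a client probing for paths.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:13:56:01 +0000] "GET /admin HTTP/1.1" 401 179 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:13:56:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:13:56:02 +0000] "GET /setup.php HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:13:56:02 +0000] "GET /old HTTP/1.1" 404 153 "-" "curl/8.0"
"""

def parse_access_log(text):
    """Yield one dict per line in combined format; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def summarize_clients(text):
    """Per client IP: request count, 4xx/5xx count, and the set of distinct paths requested."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set()})
    for rec in parse_access_log(text):
        s = stats[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["path"])
        if rec["status"][0] in "45":
            s["errors"] += 1
    return dict(stats)

def flag_suspicious(text, min_requests=3, error_ratio=0.5):
    """IPs that sent at least min_requests and received mostly error responses:
    the signature of a client guessing paths or credentials rather than browsing."""
    return sorted(
        ip for ip, s in summarize_clients(text).items()
        if s["total"] >= min_requests and s["errors"] / s["total"] >= error_ratio
    )

if __name__ == "__main__":
    for ip in flag_suspicious(SAMPLE_LOG):
        s = summarize_clients(SAMPLE_LOG)[ip]
        print(f"{ip}: {s['errors']}/{s['total']} error responses over {len(s['paths'])} paths")
```

Run it against a copy of /var/log/nginx/access.log on a schedule and feed the flagged addresses into your alerting or into Fail2Ban.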

Disable Server Tokens

Hide Nginx version information from HTTP headers to avoid providing unnecessary information to potential attackers:

http {
    server_tokens off;
}

Implement Rate Limiting

Protect your server from abuse and potential denial-of-service attacks by implementing rate limiting. Use the limit_req_zone directive to set up a zone for rate limiting and apply it to specific locations:

http {
    # Key on the client address; 10m of shared memory holds roughly 160,000 client states.
    limit_req_zone $binary_remote_addr zone=my_limit:10m rate=5r/s;

    server {
        location / {
            # Allow bursts of up to 10 requests above the rate; nodelay serves them immediately
            # instead of queueing them, and anything beyond the burst is answered with 503.
            limit_req zone=my_limit burst=10 nodelay;
            # Your other configurations
        }
    }
}
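The interaction of rate, burst and nodelay is easier to see by running numbers through the algorithm. The Python below is an added model of limit_req's leaky bucket (written from nginx's documented behaviour, not nginx code) for the rate=5r/s, burst=10 configuration above; it reports which of a client's requests are accepted, delayed or rejected.

```python
# Model of the leaky bucket behind nginx's limit_req (ngx_http_limit_req_module),
# written from its documented behaviour to show which requests are accepted,
# delayed or rejected for rate=5r/s and burst=10. Added illustration, not nginx code.

class LimitReqZone:
    """State for one key (one $binary_remote_addr). Counters are kept in thousandths
    of a request, as nginx does internally."""

    def __init__(self, rate_rps, burst, nodelay=False):
        self.rate = rate_rps * 1000   # requests per second, scaled by 1000
        self.burst = burst * 1000     # maximum excess tolerated, scaled by 1000
        self.nodelay = nodelay
        self.excess = 0               # requests above the rate not yet drained
        self.last_ms = None           # time of the last accounted request

    def request(self, now_ms):
        """Return ('ok', 0), ('delayed', ms) or ('rejected', 0) for one request at now_ms."""
        if self.last_ms is None:      # first request for this key starts with zero excess
            self.excess, self.last_ms = 0, now_ms
            return ("ok", 0)
        elapsed = max(now_ms - self.last_ms, 0)
        # Drain at the configured rate for the elapsed time, then add this request.
        excess = self.excess - self.rate * elapsed // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst:
            return ("rejected", 0)    # nginx answers 503 unless limit_req_status says otherwise
        self.excess = excess
        if elapsed:
            self.last_ms = now_ms
        if self.nodelay or excess == 0:
            return ("ok", 0)
        # Without nodelay, excess requests are held so they leave the bucket at the rate.
        return ("delayed", excess * 1000 // self.rate)

def simulate(arrivals_ms, rate_rps=5, burst=10, nodelay=True):
    """Run one client's request arrival times (ms) through a fresh zone; return verdicts."""
    zone = LimitReqZone(rate_rps, burst, nodelay)
    return [zone.request(t) for t in arrivals_ms]

def count(verdicts, status):
    return sum(1 for s, _ in verdicts if s == status)

if __name__ == "__main__":
    flood = simulate([0] * 20)        # 20 requests arriving in the same millisecond
    print("flood with nodelay:", count(flood, "ok"), "ok,", count(flood, "rejected"), "rejected")
    print("without nodelay:", simulate([0, 0, 0], nodelay=False))
```

A burst of 20 simultaneous requests gets 11 through (the first plus the burst of 10) and 9 rejected; a client that stays at one request every 200 ms is never limited.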

Secure Nginx Against SQL Injection and Cross-Site Scripting (XSS)

Validating and sanitizing user input against SQL injection and cross-site scripting has to happen in the application itself; Nginx does not understand your application's parameters and cannot do it for you. What Nginx can add is a defensive response header applied selectively. The example uses the ngx_http_map_module to send X-Content-Type-Options: nosniff only for text responses, which stops browsers from MIME-sniffing a response into a script:

http {
    # $sent_http_content_type is the Content-Type of the response being sent;
    # the regex entry matches any text/* type, everything else gets an empty value.
    map $sent_http_content_type $xss_header {
        ~text/ "nosniff";
        default "";
    }

    server {
        # add_header skips the header entirely when the value is an empty string
        add_header X-Content-Type-Options $xss_header;
        # Your other configurations
    }
}

Harden Nginx Permissions

Strengthen the security of your Nginx installation by setting appropriate file permissions. Restrict access to sensitive files and directories:

sudo chmod 750 /etc/nginx
sudo chmod 640 /etc/nginx/nginx.conf
sudo chown -R root:www-data /etc/nginx

Enable Fail2Ban

Fail2Ban can help protect your server by monitoring logs for suspicious activity and banning IP addresses that show signs of malicious behavior. Install Fail2Ban and configure it for Nginx:

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Add the following lines:

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3

Restart Fail2Ban:

sudo service fail2ban restart
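To see what the nginx-http-auth jail reacts to, the following Python is an added model (not part of the original article and not Fail2Ban's own code) of its counting rule: it matches the basic-authentication failure messages Nginx writes to error.log, counts them per client within a findtime window and reports clients that reach maxretry = 3. The regular expression is an approximation of the filter's, and the log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Approximation of the error.log events fail2ban's nginx-http-auth filter matches:
# "user "x": password mismatch" and "user "x" was not found in "<file>"" (not fail2ban's regex).
AUTH_FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*"(?:: password mismatch| was not found in "[^"]*"), '
    r'client: (?P<ip>[^,]+),'
)

# Constructed sample error.log lines (not from a real server).
SAMPLE_ERROR_LOG = """\
2024/03/10 13:56:01 [error] 1234#1234: *5 user "admin": password mismatch, client: 203.0.113.9, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"
2024/03/10 13:56:02 [error] 1234#1234: *6 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.9, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"
2024/03/10 13:56:05 [error] 1234#1234: *7 user "alice": password mismatch, client: 198.51.100.7, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"
2024/03/10 13:56:09 [error] 1234#1234: *8 user "admin": password mismatch, client: 203.0.113.9, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"
2024/03/10 13:58:00 [warn] 1234#1234: *9 an upstream response is buffered, client: 203.0.113.9, server: example.com
"""

def banned_clients(log_text, maxretry=3, findtime_s=600):
    """Return {ip: time_of_ban} for clients with at least maxretry failures inside a
    sliding window of findtime_s seconds (fail2ban's counting rule; bantime is not modelled)."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue              # not an auth failure (e.g. the [warn] line above)
        ip = m["ip"]
        if ip in bans:
            continue              # already banned; fail2ban stops counting here too
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=findtime_s):
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    for ip, when in banned_clients(SAMPLE_ERROR_LOG).items():
        print(f"{ip} would be banned at {when}")
```

With the default findtime of 10 minutes, 203.0.113.9 is banned on its third failure at 13:56:09 while 198.51.100.7, with one failure, is not; compare the output with `sudo fail2ban-client status nginx-http-auth` on a live host.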

Conclusion

Securing your Nginx server is an ongoing process that involves a combination of preventive measures and monitoring. Following the best practices can enhance the security posture of your Nginx installation and protect it against a broader range of potential threats.
