Tips and Tricks to Secure Your Nginx Web Server

Nginx is an open source, lightweight, high-performance web server and one of the fastest growing in the world. It runs on Linux, Windows, macOS and Solaris. As NGINX continues to rise in popularity, more and more NGINX deployments need to be secured.

In this tutorial, we will explain some popular Nginx server security tips and tricks.

Requirements

Install Nginx

First, you will need to install Nginx on your system. You can install it by running the following command:

Once Nginx has been installed, you can check its status with the following command:

You should see the following output:

Update Nginx

You will need to keep your Nginx web server up to date, as performance enhancements, new features and security fixes are added regularly. Most modern Linux distributions do not ship the latest version of Nginx in their default package lists, so you will need to upgrade to the latest version via a package manager. You can update your Nginx web server with the following command:

Prevent Information Disclosure

First, you will need to prevent Nginx from disclosing its version information.

By default, Nginx shows its name and version in the HTTP headers.

You can check it with the following command:

You should see the following output:

In the above output, you should see the Nginx and operating system version.

You can hide this information by editing the /etc/nginx/nginx.conf file:

Add the line server_tokens off; inside the http block:

Save and close the file when you are finished. Then, restart the Nginx web server to apply the changes:

Now, run the curl command again:

You should see the following output:
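To confirm the change from the client side, the following script, added here as an example and not part of the original tutorial, parses a raw HTTP response and reports whether the Server header or the default error-page footer still carries a version string. Both responses below are constructed for the example (the "nginx/1.14.0 (Ubuntu)" value is illustrative, not captured from a real host); in practice you would feed it the bytes returned by curl or a socket.

```python
import re

# Constructed sample responses (not captured from a real server): the first is
# what an unhardened Nginx typically returns for a missing page, the second
# what it returns once "server_tokens off;" is set in the http block.
LEAKY_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx/1.14.0 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"<html><head><title>404 Not Found</title></head>\r\n"
    b"<body><center><h1>404 Not Found</h1></center>\r\n"
    b"<hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>\r\n"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"<html><head><title>404 Not Found</title></head>\r\n"
    b"<body><center><h1>404 Not Found</h1></center>\r\n"
    b"<hr><center>nginx</center></body></html>\r\n"
)

# "nginx/1.14.0" style version strings and "(Ubuntu)" style distribution suffixes
VERSION_RE = re.compile(r"nginx/\d+\.\d+(?:\.\d+)?")
OS_SUFFIX_RE = re.compile(r"\([^)]+\)")


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("iso-8859-1", errors="replace")


def audit_response(raw: bytes) -> dict:
    """Report what the Server header and the error-page body reveal.

    server_tokens off removes the version from both places, so a hardened
    server should come back with every flag False.
    """
    _, headers, body = split_response(raw)
    server = headers.get("server", "")
    return {
        "server": server,
        "version_in_header": bool(VERSION_RE.search(server)),
        "os_in_header": bool(OS_SUFFIX_RE.search(server)),
        "version_in_body": bool(VERSION_RE.search(body)),
    }


if __name__ == "__main__":
    for label, raw in (("before", LEAKY_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
```

Note that server_tokens off only shortens the banner to "nginx"; it does not remove the Server header altogether, which is why the check looks for a version pattern rather than for the absence of the header.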

Restrict Access by IP Address

Nginx comes with a simple module called ngx_http_access_module that allows or denies access from specific IP addresses or subnets.

If you want to allow access from 172.16.0.0/16 and deny all other subnets, open the /etc/nginx/sites-enabled/default file:

Make the following changes inside the server block:

Save and close the file when you are finished. Then, restart Nginx to apply these changes:

Now, try to access your Nginx server from an IP address outside that range, such as 192.168.0.102.

Next, check the Nginx log with the following command:

You should see an access forbidden error in the output:
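The allow/deny rules of ngx_http_access_module are checked in file order and the first match wins, which is why "deny all" has to come last. The script below, added here as an example and not taken from the tutorial, evaluates those semantics for a list of client addresses so you can predict which ones will receive a 403 before touching the live server. Both location blocks are constructed for the example; the only real value is the 172.16.0.0/16 subnet used in this section.

```python
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", network-or-address or "all")

# Constructed location blocks: the intended one allows 172.16.0.0/16 and denies
# everything else; the mis-ordered one has the same two lines swapped.
INTENDED = """
location / {
    allow 172.16.0.0/16;   # trusted subnet
    deny  all;             # everything else
}
"""

MISORDERED = """
location / {
    deny  all;
    allow 172.16.0.0/16;   # never reached: "deny all" already matched
}
"""


def parse_access_rules(fragment: str) -> List[Rule]:
    """Pull allow/deny directives, in file order, out of a config fragment."""
    rules: List[Rule] = []
    for line in fragment.splitlines():
        stmt = line.split("#", 1)[0].strip().rstrip(";").strip()
        parts = stmt.split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules


def is_allowed(client_ip: str, rules: List[Rule]) -> bool:
    """Apply the module's semantics: the first matching rule decides, and a
    client that matches no rule at all is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action == "allow"
        net = ipaddress.ip_network(target, strict=False)  # bare address => /32 or /128
        if ip.version == net.version and ip in net:
            return action == "allow"
    return True


def expected_status(client_ip: str, rules: List[Rule]) -> int:
    """HTTP status Nginx would log for this client under these rules."""
    return 200 if is_allowed(client_ip, rules) else 403


if __name__ == "__main__":
    # constructed sample clients: one inside the trusted subnet, one outside
    for fragment in (INTENDED, MISORDERED):
        rules = parse_access_rules(fragment)
        for client in ("172.16.5.20", "192.168.0.102"):
            print(rules, client, expected_status(client, rules))
```

Running it shows the mis-ordered block rejecting even the trusted subnet, the mistake the evaluator is meant to catch. The parser only handles the flat allow/deny lines; rules inherited from an enclosing http or server block would need to be prepended by hand.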

Secure Nginx with TLS

TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer). It provides stronger and more efficient HTTPS, with enhancements such as forward secrecy, support for modern OpenSSL cipher suites, and HSTS.

First, create a directory for the SSL files with the following command:

Next, generate a key and a certificate. First, generate the private key with the following command:

You should see the following output:

Next, generate a certificate signing request (CSR) with the following command:

Provide all the information as shown below:

Next, sign the certificate with the following command:

You should see the following output:

Next, open the Nginx default virtual host file and define the certificate:

Make the following changes:

Save and close the file when you are finished. Then, restart the Nginx server to apply these changes:
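Pointing Nginx at a certificate is only the first step; the protocol versions and the HSTS header the section mentions have to be set as well. The following audit script is added here as an example (it is not from the tutorial) and checks a server block for those settings: a listen directive with ssl, both certificate directives, an explicit ssl_protocols without deprecated versions, and a Strict-Transport-Security header with a max-age. The two server blocks, the example.test name and the /etc/nginx/ssl/ paths are constructed assumptions.

```python
import shlex
from typing import List, Tuple

Directive = Tuple[str, List[str]]

# Constructed server blocks. The domain, the /etc/nginx/ssl/ paths and the
# file names are assumptions made for this example.
WEAK = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # old protocol versions still on
}
"""

HARDENED = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

# SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 7568 and RFC 8996)
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(fragment: str) -> List[Directive]:
    """Flatten an Nginx config fragment into (name, args) pairs, ignoring
    block nesting. shlex handles the quoting, so the ';' inside the HSTS
    header value does not end the directive early."""
    lex = shlex.shlex(fragment, posix=True, punctuation_chars=";{}")
    lex.whitespace_split = True
    directives: List[Directive] = []
    current: List[str] = []
    for tok in lex:
        if tok and all(c in ";{}" for c in tok):
            # runs of punctuation come back as one token, so walk them
            for c in tok:
                if c in ";{" and current:
                    directives.append((current[0], current[1:]))
                current = []
            continue
        current.append(tok)
    return directives


def audit_tls(fragment: str) -> List[str]:
    """Return a list of findings for the TLS settings of a server block."""
    directives = parse_directives(fragment)
    names = {name for name, _ in directives}
    findings: List[str] = []

    if not any(name == "listen" and "ssl" in args for name, args in directives):
        findings.append("no 'listen ... ssl' directive: TLS is not enabled on any port")
    for required in ("ssl_certificate", "ssl_certificate_key"):
        if required not in names:
            findings.append(f"missing '{required}'")

    protocols = [args for name, args in directives if name == "ssl_protocols"]
    if not protocols:
        findings.append("ssl_protocols not set: set it explicitly instead of relying on the build default")
    else:
        for weak in sorted(DEPRECATED_PROTOCOLS & set(protocols[-1])):
            findings.append(f"deprecated protocol enabled: {weak}")

    hsts = [args for name, args in directives
            if name == "add_header" and args and args[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header: HSTS is not enabled")
    elif not any("max-age=" in a for a in hsts[-1][1:]):
        findings.append("Strict-Transport-Security header has no max-age")
    return findings


if __name__ == "__main__":
    print("weak:", audit_tls(WEAK))
    print("hardened:", audit_tls(HARDENED))
```

The parser is deliberately flat: it does not model inheritance from the http block or per-location add_header overrides (a location with its own add_header drops the headers set above it), so run it on the fully merged block you expect to be in effect.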

Password Protect The Directory

When setting up an Nginx web server, you can also protect a specific directory with a password. You can do this using an .htpasswd file.

To do so, create the password file and add a user to it with the following command:

You should see the following output:

Next, create a test directory inside the Nginx web root with the following command:

Next, give ownership of it to the www-data user with the following command:

Next, open the Nginx default virtual host file with the following command:

Next, protect the test directory as shown below:

Save and close the file when you are finished. Then, restart the Nginx service to apply these changes:

Next, open your web browser and go to the URL http://your-server-ip/test. You will be prompted to enter a username and password to access the test directory, as shown on the following page:
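What the htpasswd command writes is one "user:hash" line per account, and Nginx compares the submitted password against that hash on every request. The script below, added here as an example and not part of the tutorial, builds and verifies entries in the {SSHA} (salted SHA-1) format that the auth_basic_user_file documentation lists, and flags entries stored without a salt or in clear text. The user names, passwords and salt are constructed for the example; it uses {SSHA} only because it can be produced with the standard library, whereas the $apr1$ format htpasswd writes by default relies on the system crypt() routine.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional


def make_ssha_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build a 'user:{SSHA}...' line: base64(sha1(password + salt) + salt).
    A fresh random salt is used unless one is supplied (tests pass a fixed one)."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode()}"


def verify_entry(line: str, password: str) -> bool:
    """Check a password against one line of the file.

    Handles the {SSHA}, {SHA} and {PLAIN} forms; crypt()-style entries such as
    $apr1$ need the platform crypt routine and are rejected here.
    """
    _, _, stored = line.rstrip("\n").partition(":")
    pw = password.encode()
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), expected)
    if stored.startswith("{PLAIN}"):
        return hmac.compare_digest(pw, stored[len("{PLAIN}"):].encode())
    raise ValueError("crypt()-style entries are not handled by this example")


def weak_entries(lines: Iterable[str]) -> List[str]:
    """Usernames whose stored secret is unsalted ({SHA}) or clear text ({PLAIN})."""
    out: List[str] = []
    for line in lines:
        user, _, stored = line.rstrip("\n").partition(":")
        if stored.startswith(("{PLAIN}", "{SHA}")):
            out.append(user)
    return out


if __name__ == "__main__":
    # constructed sample file contents
    entry = make_ssha_entry("admin", "correct horse battery")
    print(entry)
    print("right password:", verify_entry(entry, "correct horse battery"))
    print("wrong password:", verify_entry(entry, "guess"))
    print("weak entries:", weak_entries([entry, "bob:{PLAIN}secret"]))
```

Whatever format you use, the file itself should live outside the web root and be readable only by root and the user the Nginx workers run as (www-data on Ubuntu), since anyone who can read it can attack the hashes offline.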

Congratulations! You have successfully secured your Nginx server on Ubuntu 18.04. I hope this will help you to protect the applications hosted on your Nginx web server. Feel free to ask me if you have any questions. For more information, you can refer to the Nginx security documentation.
