Secure Nginx
How to secure an Nginx web server.
Steps you can take to secure your Nginx web server.
Disable unused Nginx modules
By default, Nginx comes with preinstalled modules that you may not need for your project. Disable unused Nginx modules in order to reduce the attack surface.
To disable unused Nginx modules, you need to recompile Nginx without the modules you don't need:
1. Uninstall Nginx if it's already installed.
2. Download the Nginx source so you can build it from source.
3. Run ./configure with a --without-... flag for each module you don't want, then build and install. Here's an example that leaves out the http_map module:

./configure --without-http_map_module
make
make install
Disable server_tokens
The server_tokens directive outputs the Nginx version in the Server header of each HTTP response.
Disable server_tokens by following these steps:
1. Edit the nginx.conf file:

vi /etc/nginx/nginx.conf

2. Add the server_tokens parameter with the off value in the server { } block directive:

server {
    listen 127.0.0.1:80;
    server_name mydomain.com;
    server_tokens off;
}

3. Restart Nginx:

sudo systemctl restart nginx

4. Verify that the version is no longer shown in the response headers:

curl -I https://www.mydomain.com/
Disable X-Powered-By
By default, an X-Powered-By header is added by Nginx to responses.
Disable the X-Powered-By header on Nginx:
1. Edit the nginx.conf file:

vi /etc/nginx/nginx.conf

2. Inside the server {} block directive, use more_clear_headers:

server {
    ....
    more_clear_headers "Server";
    more_clear_headers "X-Powered-By";
    ....
}

3. Restart Nginx:

sudo systemctl restart nginx

4. Verify that the header has been removed from the response:

curl -I https://www.mydomain.com/

If the more_clear_headers directive (from the third-party headers-more module) is not installed for your Nginx server and you're using PHP-FPM, try:

location ~ \.php$ {
    fastcgi_hide_header X-Powered-By;
}
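The curl -I verification step above is easy to eyeball once, but it is worth scripting so it can be re-run after every deploy. The following is an added example and not part of the original page: a POSIX shell function that reads a captured curl -I response and fails if the Server header still carries an Nginx version number (the server_tokens check) or if X-Powered-By is still present. The two sample responses are constructed inline so the script runs offline; the hostname, dates and version strings in them are placeholders, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): check a captured
# "curl -I" response for the headers the page says to remove.
# Usage: curl -sI https://www.mydomain.com/ | check_response_headers
# Returns 0 when the response is clean, 1 when it still leaks.

check_response_headers() {
    # Read the header block from stdin; drop the CRs curl preserves.
    headers=$(tr -d '\r')
    status=0

    # A bare "Server: nginx" is fine; a version number after the slash
    # means server_tokens is still on (or the header was not cleared).
    if printf '%s\n' "$headers" | grep -iq '^Server:.*nginx/[0-9]'; then
        echo "FAIL: Server header exposes the nginx version"
        status=1
    fi

    if printf '%s\n' "$headers" | grep -iq '^X-Powered-By:'; then
        echo "FAIL: X-Powered-By header is still present"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: no version or X-Powered-By leakage"
    return "$status"
}

# Constructed sample responses (placeholder values, not real captures).
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html
X-Powered-By: PHP/8.1.2
'

CLEAN_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html
'

# Named wrappers so each sample can be checked on its own.
check_leaky_sample() { printf '%s' "$LEAKY_RESPONSE" | check_response_headers; }
check_clean_sample() { printf '%s' "$CLEAN_RESPONSE" | check_response_headers; }

# Stand-alone run: the leaky sample fails, the clean one passes.
check_leaky_sample
check_clean_sample
```

In a CI or post-deploy job, pipe the real curl -I output into check_response_headers and let the non-zero exit status fail the job; the check only inspects header names and the version pattern, so it is safe to run against production.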
Disable unused HTTP methods
You can disable unused HTTP methods such as DELETE, TRACK and TRACE, and keep only the commonly used HTTP methods: GET, POST and HEAD.
1. Edit the nginx.conf file:

vi /etc/nginx/nginx.conf

2. Add the following directive in the server { } block directive:

server {
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }
    # other lines
}

This code snippet will return HTTP error code 405 (Method Not Allowed) if the HTTP method is not GET, POST or HEAD.
3. Restart Nginx:

sudo systemctl restart nginx
Use TLS
Use TLS instead of the obsolete SSLv3 to prevent attacks on your Nginx server.
Set ssl_protocols TLSv1.3; in the nginx.conf file:
1. Edit the nginx.conf file:

vi /etc/nginx/nginx.conf

2. Go to the server {} block directive and add the ssl_protocols directive:

server {
    ....
    ssl_protocols TLSv1.3;
    ....
}

Note that allowing only TLSv1.3 will refuse connections from clients that do not support it yet; if you must serve such clients, list TLSv1.2 as well and still leave out SSLv3, TLSv1 and TLSv1.1.
3. Restart Nginx:

sudo systemctl restart nginx
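The directives from the sections above (server_tokens off, the request_method restriction and a modern ssl_protocols list) are easy to lose during a config refactor, so a quick audit of nginx.conf before reloading is useful. The following is an added example and not part of the original page: a POSIX shell function that strips comments from a configuration file and checks for each of those three settings, failing if server_tokens is not off, if ssl_protocols enables SSLv2, SSLv3, TLSv1 or TLSv1.1, or if no request_method restriction is present. The two sample configurations it is run against are constructed inline (mydomain.com is a placeholder) so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): audit an nginx
# configuration file for the hardening directives covered above.
# Usage: audit_nginx_conf /etc/nginx/nginx.conf
# Returns 0 when all checks pass, 1 otherwise.

audit_nginx_conf() {
    conf=$1
    failures=0

    # Drop comments first so a commented-out "server_tokens off;"
    # does not count as a pass.
    stripped=$(sed 's/#.*$//' "$conf")

    # 1. server_tokens must be explicitly off (the built-in default is on).
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;'; then
        echo "FAIL: server_tokens is not set to off"
        failures=$((failures + 1))
    fi

    # 2. ssl_protocols must not enable SSLv2/SSLv3 or TLS 1.0/1.1.
    #    "TLSv1" followed by a space or ";" (optionally ".1") is matched
    #    without also matching TLSv1.2 or TLSv1.3.
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1(\.1)?([[:space:]]|;))'; then
        echo "FAIL: ssl_protocols enables a deprecated protocol version"
        failures=$((failures + 1))
    fi

    # 3. Unused HTTP methods must be rejected via a request_method test.
    if ! printf '%s\n' "$stripped" | grep -Eq 'request_method[[:space:]]*!~'; then
        echo "FAIL: no request_method restriction found"
        failures=$((failures + 1))
    fi

    if [ "$failures" -eq 0 ]; then
        echo "OK: $conf passes all checks"
        return 0
    fi
    return 1
}

# Constructed sample: a server block that applies every directive above.
audit_hardened_sample() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
server {
    listen 443 ssl;
    server_name mydomain.com;
    server_tokens off;
    ssl_protocols TLSv1.3;
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }
}
EOF
    if audit_nginx_conf "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: server_tokens only commented out, old TLS versions
# still enabled, and no method restriction at all.
audit_weak_sample() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
server {
    listen 443 ssl;
    server_name mydomain.com;
    # server_tokens off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    if audit_nginx_conf "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone run: the hardened sample passes, the weak one reports
# three failures.
audit_hardened_sample
audit_weak_sample
```

Run the audit as part of the same step that runs nginx -t: the syntax check confirms the file parses, and this check confirms the hardening directives survived the edit. Note that the audit is textual and does not follow include files; point it at each included file, or at the output of nginx -T, to cover a split configuration.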