Essential Nginx Hardening and Performance Tuning Techniques
Software Maintenance and Updates
Running the latest stable version of Nginx is critical for security. Regular updates patch vulnerabilities and improve performance. While package managers like apt or yum simplify installation, compiling from source provides two distinct advantages: it allows the integration of third-party modules (such as ModSecurity) and ensures access to the absolute latest releases available on the official Nginx site.
Disabling Unused Modules
Reducing the attack surface involves disabling modules that are not required. During compilation, explicitly exclude unnecessary components to minimize binary size and potential risks.
./configure --without-http_autoindex_module --without-http_ssi_module
# Note: Before disabling a module, confirm that none of the directives your configuration uses belongs to it; Nginx refuses to start on an unknown directive.
Concealing Version Information
By default, Nginx includes its version number in the Server response header and on its error pages. Exposing this information helps attackers target exploits for a specific version. To hide the version, disable server_tokens in the HTTP context.
http {
    server_tokens off;
    # ...
}
Blocking Malicious User Agents
Filtering specific User Agents helps curb resource consumption by known bots and scrapers. The User-Agent header is client-controlled and trivially spoofed, so treat this as a nuisance filter rather than a security boundary. Create a map block in the http context to identify unwanted agents, then block them within the server context.
map $http_user_agent $blocked_bot {
    default 0;
    ~*malicious 1;
    ~*spider 1;
    ~*scanner 1;
}
server {
    if ($blocked_bot) {
        return 403;
    }
    # ...
}
Restricting HTTP Request Methods
Limit the allowed HTTP methods to standard operations like GET, HEAD, and POST. Rejecting other methods (e.g., PUT, DELETE) reduces exposure to unintended operations. The 444 status is Nginx-specific: it closes the connection without sending any response to the client.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
Configuring Buffer Sizes
Defining strict buffer limits caps request body and header sizes, which bounds the memory Nginx allocates per connection and mitigates abuse through oversized requests.
client_body_buffer_size 8k;
client_header_buffer_size 1k;
client_max_body_size 1m;
large_client_header_buffers 4 4k;
Throttling Client Connections
Use the limit_conn_zone directive to define a shared memory zone for tracking IP addresses, and limit_conn to restrict the number of simultaneous connections from a single IP.
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
server {
    limit_conn conn_limit 5;
    # ...
}
Advanced Logging Configuration
Customize the log format to capture essential forensic data such as client IP, browser type, request processing time, and referral sources.
log_format custom '$remote_addr - $remote_user [$time_local] '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent" $request_time';
access_log /var/log/nginx/access.log custom;
Preventing Image Hotlinking
Protect bandwidth by ensuring that only authorized domains can embed your assets, preventing external sites from linking directly to your images. The none value permits requests without a Referer header (direct visits and browsers that strip it), and Referer is client-supplied, so this deters casual hotlinking rather than enforcing access control.
location /images/ {
    valid_referers none blocked yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}
Enforcing TLS Protocols
Disable deprecated SSL protocols and enforce modern TLS versions for secure data transmission. Older protocols like SSLv3 and TLSv1.0 contain known vulnerabilities.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
Implementing SSL Certificates
Ensure valid SSL certificates are installed. While commercial options exist for enhanced validation, solutions like Let's Encrypt provide free, automated certificates suitable for most production environments.
Forcing HTTPS Redirection
Redirect all unencrypted HTTP traffic to HTTPS to ensure data security and satisfy browser security requirements.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
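The settings above are easy to lose during later edits, so a quick offline audit of the config file is worth having. The following script is an added example, not part of the original article or of Nginx: it flattens a config into directives with a deliberately simplified parser and reports which of the hardening items covered on this page are missing. The two sample configs are constructed for the demonstration.

```python
import re

# Added example (not from the article): flatten an nginx config into directives and check
# it for the hardening items discussed above. The simplified parser assumes ';' and '{'
# never occur inside quoted strings, which holds for the snippets on this page.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Return a flat list of (name, args) pairs; comments stripped, nesting ignored."""
    no_comments = re.sub(r"#[^\n]*", "", conf)
    directives = []
    for stmt in re.split(r"[;{]", no_comments):  # a statement ends at ';' or a block opener
        tokens = stmt.replace("}", " ").split()    # block closers carry no directive
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives

def audit(conf):
    """Map each hardening item from the article to True (present) or False (missing/weak)."""
    args_of = {}
    for name, args in parse_directives(conf):
        args_of.setdefault(name, []).append(args)
    protocols = {p for args in args_of.get("ssl_protocols", []) for p in args}
    returns = [a for a in args_of.get("return", []) if len(a) == 2]
    return {
        "server_tokens_off": ["off"] in args_of.get("server_tokens", []),
        "modern_tls_only": bool(protocols) and not (protocols & DEPRECATED_PROTOCOLS),
        "connection_limit": "limit_conn_zone" in args_of and "limit_conn" in args_of,
        "body_size_capped": "client_max_body_size" in args_of,
        "methods_restricted": any(a[:2] == ["($request_method", "!~"] for a in args_of.get("if", [])),
        "https_redirect": any(a[0] == "301" and a[1].startswith("https://") for a in returns),
    }

def failing_checks(conf):
    """Sorted names of hardening items the config does not satisfy."""
    return sorted(name for name, ok in audit(conf).items() if not ok)

# Constructed sample configs: one following the article, one left at weak defaults.
HARDENED_CONF = """
http {
    server_tokens off; client_max_body_size 1m;
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
    server { listen 80; return 301 https://$host$request_uri; }
    server {
        listen 443 ssl; ssl_protocols TLSv1.2 TLSv1.3;
        limit_conn conn_limit 5;
        if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }
    }
}
"""
WEAK_CONF = "http { server_tokens on; server { listen 443 ssl; ssl_protocols TLSv1 TLSv1.2; } }"
```

Run failing_checks() on the text of your own nginx.conf (with included files concatenated) to list the items still to address; an empty list means every check on this page passed.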