How to Secure Nginx Web Server

Nginx is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004. Nginx is free and open-source software.

In this tutorial, we will explain some popular Nginx server security tips and tricks.

Step 1 – Update Nginx

You will need to keep your Nginx web server up to date, as newer releases contain many performance enhancements and security fixes. You can update your Nginx web server with the following commands:

apt-get update -y
apt-get install nginx --reinstall -y

Step 2 – Prevent Information Disclosure

First, you will need to prevent Nginx from disclosing its version information.
By default, Nginx shows its name and version in the Server HTTP response header.
You can check this with the following command:

curl -I http://localhost

You should see the output:

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 09 Mar 2019 15:28:01 GMT
Content-Type: text/html
Content-Length: 10918
Last-Modified: Fri, 11 Dec 2018 13:21:24 GMT
Connection: keep-alive
ETag: "5c546e3d-2aa6"
Accept-Ranges: bytes

You can hide this information by editing the /etc/nginx/nginx.conf file:

nano /etc/nginx/nginx.conf

Add the server_tokens off; directive inside the http block:

http {

        ##
        # Basic Settings
        ##
        server_tokens off;

        # ... remaining settings of the http block ...
}

Save and close the file when you are finished. Check the configuration syntax with nginx -t, then restart the Nginx web server to apply the change:

systemctl restart nginx

Now, run the curl command again. The Server header should show only the product name; the version string is gone. Note that server_tokens off removes only the version, since stock Nginx has no directive to drop the Server header entirely.

curl -I http://localhost

You should see the output:

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Mar 2019 15:33:31 GMT
Content-Type: text/html
Content-Length: 10918
Last-Modified: Fri, 11 Dec 2018 13:21:24 GMT
Connection: keep-alive
ETag: "5c546e3d-2aa6"
Accept-Ranges: bytes

Step 3 – Restrict Access by IP Address

Nginx comes with a simple module called ngx_http_access_module that allows or denies access from specific IP addresses or networks. The allow and deny rules are checked in order and the first matching rule wins, so the deny all rule must come last. Keep in mind that if Nginx sits behind a reverse proxy or load balancer, the client address it sees is the proxy's, and these rules will not work as intended without the real IP module.

If you want to allow access from 192.168.0.0/24 and deny all other networks, open the /etc/nginx/sites-enabled/default file:

nano /etc/nginx/sites-enabled/default

Make the following changes inside the server block:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        allow 192.168.0.0/24;
        deny  all;

        # ... rest of the server block ...
}

Save and close the file when you are finished. Check the syntax with nginx -t, then restart Nginx to apply these changes:

systemctl restart nginx

Now, try to access your Nginx server from an address outside the allowed range, for example one in 172.16.0.0/16. Nginx refuses the request with a 403 Forbidden response.

Next, check the Nginx log with the following command:

tail -f /var/log/nginx/error.log

You should see an "access forbidden by rule" entry like the following:

2019/03/09 16:13:01 [error] 11589#11589: *1 access forbidden by rule, client: 172.16.0.122, server: _, request: "GET /test/ HTTP/1.1", host: "192.168.0.102"
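To check Steps 2 and 3 without a browser, here is an added example (not part of the original tutorial) in Python: it flags a Server header that still carries a version, evaluates a list of allow/deny rules with the first-match semantics of ngx_http_access_module, and extracts the denied client from error.log lines like the one above. The header blocks and the log line are constructed samples.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample inputs: header blocks as printed by `curl -I` before and after
# server_tokens off, and one error.log line of the kind shown in Step 3.
RAW_HEADERS_BEFORE = "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n"
RAW_HEADERS_AFTER = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_LOG = ('2019/03/09 16:13:01 [error] 11589#11589: *1 access forbidden by rule, '
              'client: 172.16.0.122, server: _, request: "GET /test/ HTTP/1.1", host: "192.168.0.102"\n')

VERSION_RE = re.compile(r"/\d+(\.\d+)*")  # "nginx/1.14.0" -> matches "/1.14.0"
LOG_RE = re.compile(r'access forbidden by rule, client: (?P<ip>[^,]+),.*request: "(?P<req>[^"]*)"')


def server_header(raw: str) -> Optional[str]:
    """Return the value of the Server header from a raw header block, or None if absent."""
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def discloses_version(raw: str) -> bool:
    """True if the Server header still carries a product version, i.e. server_tokens is on."""
    value = server_header(raw)
    return bool(value and VERSION_RE.search(value))


def access_decision(rules: List[Tuple[str, str]], client_ip: str) -> str:
    """Evaluate allow/deny rules the way ngx_http_access_module does: rules are checked in
    order, the first match wins, and a client that matches no rule is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action
        net = ipaddress.ip_network(target, strict=False)  # "10.0.0.5" becomes 10.0.0.5/32
        if ip.version == net.version and ip in net:
            return action
    return "allow"


def forbidden_clients(log_text: str) -> List[Tuple[str, str]]:
    """Pull (client_ip, request) out of error.log lines recording rule-based denials."""
    return [(m["ip"], m["req"]) for m in LOG_RE.finditer(log_text)]
```

Feed discloses_version the output of curl -I against your own server, and access_decision your real rule list, to confirm the configuration does what you expect before relying on it.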
