Nginx is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004. Nginx is free and open-source software.
In this tutorial, we will explain some popular Nginx server security tips and tricks
Step 1 – Update Nginx
You will need to update your Nginx web server as there are many performance enhancement. You can update your Nginx web server with the following command:
apt-get update -y
apt-get install nginx --reinstall -yStep 2 – Prevent Information Disclosure
First, you will need to prevent the Nginx to disclose their version information.
By default, Nginx shows its name and version in the HTTP headers.
You can check it with the following command:
curl -I http://localhostYou should see the output:
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 09 Mar 2019 15:28:01 GMT
Content-Type: text/html
Content-Length: 10918
Last-Modified: Fri, 11 Dec 2018 13:21:24 GMT
Connection: keep-alive
ETag: "5c546e3d-2aa6"
Accept-Ranges: bytesYou can hide this information by editing /etc/nginx/nginx.conf file:
nano /etc/nginx/nginx.confAdd the server_tokens off line inside http configuration part:
http {
##
# Basic Settings
##
server_tokens off;Save and close, when you are finished. Then, restart Nginx web server to apply the changes:
systemctl restart nginxNow, run the curl command again:
curl -I http://localhostYou should see the output:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Mar 2019 15:33:31 GMT
Content-Type: text/html
Content-Length: 10918
Last-Modified: Fri, 11 Dec 2018 13:21:24 GMT
Connection: keep-alive
ETag: "5c546e3d-2aa6"
Accept-Ranges: bytesStep 2 – Restrict the IPs from the Access
Nginx comes with a simple module called ngx_http_access_module to allow or deny a specific IP address.
If you want to allow Nginx form 192.168.0.0/24 and deny from other subnets. Then, open /etc/nginx/sites-enabled/default file:
nano /etc/nginx/sites-enabled/defaultMake the following changes inside server block:
server {
listen 80 default_server;
listen [::]:80 default_server;
allow 192.168.0.0/24;
deny all;Save and close the file, when you are finished. Then, restart Nginx to apply these changes:
systemctl restart nginxNow, try to access your Nginx server from other IP address range like 172.16.0.0
Next, check the Nginx log with the following command:
tail -f /var/log/nginx/error.logYou should get access forbidden in the following output:
2019/03/09 16:13:01 [error] 11589#11589: *1 access forbidden by rule, client: 172.16.0.122, server: _, request: "GET /test/ HTTP/1.1", host: "192.168.0.102"
