
How to configure server security with Nginx.

In this blog, we will go through the Nginx configuration for web application security, so that we can reduce the server's exposure to common web-based attacks. Keep in mind that these settings harden the server in front of the application; they do not fix vulnerabilities such as SQL injection inside the application code itself.

We will cover how to restrict directory and file access, how to mitigate DDoS attacks, how to stop directory listing, and how to set up server and request logs.

Restricting access to directories and files

Restricting directory and file access to specific users can be done with HTTP basic authentication. Nginx reads the usernames and password hashes from a file in the htpasswd format; the simplest way to create one is the htpasswd tool from the apache2-utils package (on Debian and Ubuntu the package is called apache2-utils, not apache-utils). To install it, run:

apt-get install -y apache2-utils

apache2-utils provides the htpasswd tool, which creates the password file and adds a user to it. The -c flag creates the file, so use it only the first time (it overwrites an existing file); -B stores the password as a bcrypt hash instead of the weaker MD5-based default. The file must be readable by the nginx worker user (www-data on Debian and Ubuntu) and should live outside the web root, as it does here.

sudo htpasswd -c -B /etc/apache2/.htpasswd raman

Then, to prompt users for a password, add the auth_basic and auth_basic_user_file directives inside the location: auth_basic turns the check on and sets the realm string shown in the browser's login prompt, and auth_basic_user_file points at the password file. Because basic authentication sends the credentials base64-encoded, not encrypted, only offer it over HTTPS.

location /emails {
    auth_basic           "Admin Area";
    auth_basic_user_file /etc/apache2/.htpasswd;
}

allow and deny directives

With the allow and deny directives we can restrict a location to specific IP addresses or networks. The rules are checked in order and the first match wins, so an allowlist only works when it ends with deny all; without that line the allow entries change nothing and everyone can still reach the location.

location /logs {
    allow 192.168.0.1;
    allow 192.168.0.2;
    deny  all;
}
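Here is a complete server block that puts the two mechanisms together. This is an added example, not configuration from the original post; it assumes the password file created above, a 192.168.0.0/24 office network, placeholder TLS certificate paths and a hypothetical /var/www/app document root. The /admin location goes one step beyond the text and shows satisfy any, which accepts a request if either the IP check or the password check passes (the default, satisfy all, requires both).

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    # Placeholder certificate paths. Basic auth sends credentials
    # base64-encoded, so the password-protected areas must be HTTPS-only.
    ssl_certificate     /etc/nginx/certs/example.com.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    root /var/www/app;   # assumed document root

    # Password-protected area: every client must present valid credentials.
    location /emails {
        auth_basic           "Admin Area";
        auth_basic_user_file /etc/apache2/.htpasswd;
    }

    # IP-restricted area: rules are evaluated top to bottom, first match
    # wins, and the trailing "deny all" is what actually blocks everyone else.
    location /logs {
        allow 192.168.0.0/24;   # assumed office network
        deny  all;
    }

    # Both controls on one location. With "satisfy any" the request is
    # accepted if the IP matches OR the password is valid; leave the default
    # "satisfy all" in place if both must hold.
    location /admin {
        satisfy any;
        allow 192.168.0.0/24;
        deny  all;
        auth_basic           "Admin Area";
        auth_basic_user_file /etc/apache2/.htpasswd;
    }
}
```

After editing, run nginx -t before reloading; a typo in a directive name such as auth_basic is rejected at that step rather than silently leaving the location unprotected.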

Mitigating DDoS attacks

DDoS attacks cannot be fully prevented at the web server, but their impact can be limited by capping the connections and requests each client may make and by terminating slow connections that would otherwise hold server resources open.

Limiting the number of connections

The number of simultaneous connections per client can be limited for specific locations or files with the limit_conn directive inside the location. The limit_conn_zone directive that defines the shared memory zone must sit in the http context: $binary_remote_addr keys the count on the client address and 10m is the zone size (roughly 160,000 addresses on 64-bit platforms).

limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    location /products/ {
        limit_conn addr 10;
    }
}

Limiting user requests

This also goes inside the location directive. It limits the number of requests, not connections, a client may send in a given period: rate=30r/m allows 30 requests per minute, that is one every two seconds, and requests arriving faster are rejected with 503 unless a burst is configured.

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;

server {
    location /admin.html {
        limit_req zone=one;
    }
}

Terminating slow connections

Timeouts tell nginx how long to wait for a client that sends its request slowly, which is how slowloris-style attacks keep connections open. client_header_timeout covers reading the whole request header; client_body_timeout is the time allowed between two successive reads of the request body, not for transmitting the whole body.

server {
    client_body_timeout 5s;
    client_header_timeout 5s;
}

DDoS attacks can also be absorbed by services such as Cloudflare and AWS Shield, which stop the attack at their edge so it never reaches the servers. When traffic arrives through such a proxy, $remote_addr is the proxy's address, so the per-client limits above only work once the real client IP has been restored (for example with set_real_ip_from and real_ip_header).
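The following http block combines the connection limit, the request limit and the timeouts from the steps above into one configuration. It is an added example, not configuration from the original post; example.com, the /products/ and /admin.html locations, and the 203.0.113.0/24 proxy range are placeholders. It goes beyond the text in three places: it restores the real client IP for traffic that arrives through a proxy such as Cloudflare (using Cloudflare's CF-Connecting-IP header), it returns 429 instead of the default 503 to rejected clients, and it adds burst and nodelay to limit_req so short legitimate bursts are not rejected.

```nginx
http {
    # Behind Cloudflare or another proxy, $remote_addr is the proxy's address and
    # every client would share one rate-limit bucket. Restore the real client IP
    # first (ngx_http_realip_module). The range below is a placeholder; use the
    # provider's published list of edge addresses.
    set_real_ip_from 203.0.113.0/24;
    real_ip_header   CF-Connecting-IP;

    # One 10 MB zone holds roughly 160,000 client addresses on 64-bit platforms.
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_req_zone  $binary_remote_addr zone=one:10m rate=30r/m;

    # Answer rejected clients with 429 instead of the default 503, and log them
    # at warn so rate-limit hits show up in the error log.
    limit_conn_status   429;
    limit_req_status    429;
    limit_req_log_level warn;

    server {
        listen 80;
        server_name example.com;

        # Slow-client defenses. The header timeout covers the whole request
        # header; the body timeout is between two successive reads of the body.
        client_header_timeout 5s;
        client_body_timeout   5s;
        send_timeout          10s;   # between two writes to a client that stopped reading
        keepalive_timeout     15s;   # do not let idle keep-alive connections pile up
        client_max_body_size  1m;    # cap request bodies so a slow upload stays small

        # At most 10 simultaneous connections per client address here.
        location /products/ {
            limit_conn addr 10;
        }

        # 30 requests per minute per client. burst=10 queues up to 10 requests
        # above the rate instead of rejecting them at once; nodelay serves the
        # queued ones immediately and only rejects requests beyond the burst.
        location /admin.html {
            limit_req zone=one burst=10 nodelay;
        }
    }
}
```

Pick the timeouts to match real clients: 5s is fine for a site whose users are on decent connections, but for large uploads over mobile networks client_body_timeout may need to be longer, and the client_max_body_size cap then does the work of keeping a slow upload cheap.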

Disable directory listing

In Nginx, or any other web server, always disable directory indexing when setting up a project or serving an app: with it enabled, a request for a directory that has no index file returns a listing of every file in it, which gives an attacker a map of backups, configuration files and uploads. The directive is autoindex (one word). It is off by default, but set it explicitly so an inherited or included configuration cannot turn it on:

location / {
    autoindex off;
}

Configure server logs

Server logs help us find flaws in, and attacks against, our setup and code. We'll set up both access and error logs. The access log records every request: the client IP, the request line, the response status and size, the referrer and the user agent (that is what the combined format contains). The error log records the server's own errors and warnings, from every application configured, at or above the level given (warn here). Paths without a leading slash are relative to the nginx prefix directory.

We can separate the logs by defining different log files for different apps and configurations, since access_log and error_log can be set per server and per location.

http {
    access_log  logs/access.log   combined;
    error_log   logs/warn.log     warn;
}
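The configuration below shows the per-application split described above, with a log format that carries more than combined does. It is an added example, not configuration from the original post; the shop.example.com name and the /var/log/nginx paths are placeholders. The extra fields are the X-Forwarded-For header (only trustworthy when set by your own proxy, since any client can send it), a per-request id for correlating with application logs, and request and upstream timings that make slow-request probes visible; the map plus the if= parameter of access_log writes a second, small file containing only 4xx and 5xx responses for triage.

```nginx
http {
    # Everything in "combined" plus proxy, correlation and timing fields.
    # $http_x_forwarded_for is client-controlled: trust it only from your own proxy.
    log_format security '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                        'xff="$http_x_forwarded_for" rid=$request_id '
                        'rt=$request_time urt="$upstream_response_time"';

    # 1 when the response was a client or server error, 0 otherwise.
    map $status $is_error {
        ~^[45]  1;
        default 0;
    }

    # Server-wide defaults.
    access_log /var/log/nginx/access.log security;
    error_log  /var/log/nginx/error.log  warn;

    server {
        listen 80;
        server_name shop.example.com;   # assumed vhost name

        # Per-application files, so one app's noise does not bury another's.
        access_log /var/log/nginx/shop-access.log security;
        # Second file with only 4xx/5xx responses: scanners, brute force and
        # broken deployments show up here without grepping the full log.
        access_log /var/log/nginx/shop-errors.log security if=$is_error;
        error_log  /var/log/nginx/shop-error.log  warn;
    }
}
```

Both access_log lines apply, since the directive can be repeated at one level; the if= condition skips the write when the map yields 0 or an empty string. $request_id is generated by nginx per request, so pass it to the backend (for example as a proxy_set_header) if you want the application logs to carry the same id.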


How security configuration on servers affects website performance.

A secure server helps in many ways: SEO, server cost, and the security and integrity of data. Without proper security, websites are prone to attacks and to leakage of client or customer data, which can lead to lawsuits. The NGINX configuration above is a solid baseline of security measures and will stop many common attacks.

These configurations have been very useful for me on many big production websites that were exposed to many hacking attacks; these configurations helped stop them and kept the server serving genuine users without any problem.
