In this blog, we will go through the Nginx configuration for web application security, so that we can prevent it from web-based malicious attacks, SQL injections, and other vulnerabilities.<\/p>\n\n\n\n
We will cover, how to restrict directory and file access, how to prevent DDOS attacks, stopping the directory listing, and setting up the server and request logs.<\/p>\n\n\n\n
Restricting the directory and file access to users can be achieved by installing Then to prompt the users for a password, we’ll need to add Using allow directive, we can restrict access to some files to specific IPs only. We can whitelist the IPs, from where the files are accessible.<\/p>\n\n\n\n DDOS attacks<\/a> can be prevented by limiting the user connections and terminating the long and slow connections on the server after a period of time.<\/p>\n\n\n\n The number of connections can be limited to the specific locations or files using This is also embedded in location directive. This will limit the number of connections received from a user in a minute.<\/p>\n\n\n\n We can use DDOS attacks can also be prevented using cloud services like Cloudflare and AWS Shield etc. These services will stop the attack at their end and will prevent them from reaching the servers at all.<\/p>\n\n\n\n In Nginx or any other web server, when setting up a project or serving an app, we should always disable the directory indexing which will help us in securing the file data from attackers and gives errors when the files are not executable.<\/p>\n\n\n\n To achieve this you can use:<\/p>\n\n\n\n Server logs will help us determine the flaws and vulnerabilities in our setup and code. We’ll set up both access and error logs. Access logs will help us in logging all the requests and the responses sent to the users, and the incoming request IPs. Error logs will capture all the errors occurring on our server in all the applications configured. <\/p>\n\n\n\n We can differentiate the logs by defining different log files for different apps and different configurations.<\/p>\n\n\n\n Also read: Understanding the structure of nginx.<\/a><\/p>\n\n\n\n A secure server will help in many ways in terms of SEO, cost of the servers, data security and integrity. Without the proper security, websites are prone to hacking attacks and the data leakage of the clients or customers which can lead to potential lawsuits. Above mentioned configuration of the NGINX server will be crucial in taking all the security measures and will stop from potential attacks from the hackers. <\/p>\n\n\n\n These configurations have been very useful for me in many big production websites that were exposed to many hacking attacks but these configurations helped stop them and maintain the server to serve the genuine users without any problem.<\/p>\n","protected":false},"excerpt":{"rendered":" In this blog, we will go through the Nginx configuration for web application security, so that we can prevent it from web-based malicious attacks, SQL injections, and other vulnerabilities. We will cover, how to restrict directory and file access, how to prevent DDOS attacks, stopping the directory listing, and setting up the server and request… Read More »How to configure server security with Nginx.<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":209,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_themeisle_gutenberg_block_has_review":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7,5],"tags":[10,9,12],"class_list":["post-205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-devops","category-technology","tag-devops","tag-nginx","tag-security"],"jetpack_featured_media_url":"https:\/\/ramansaini.in\/blog\/wp-content\/uploads\/2023\/01\/Nginx-1-3.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/posts\/205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/comments?post=205"}],"version-history":[{"count":6,"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/posts\/205\/revisions"}],"predecessor-version":[{"id":292,"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/posts\/205\/revisions\/292"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/media\/209"}],"wp:attachment":[{"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/media?parent=205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/categories?post=205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ramansaini.in\/blog\/wp-json\/wp\/v2\/tags?post=205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}apache-utils<\/code>. This will prompt passwords for users and even for the admin user. To install the password utility we need to run:<\/p>\n\n\n\napt-get install -y apache-utils<\/code><\/pre>\n\n\n\napache-utils<\/code> will provide a password tool htpasswd<\/code>. Using this tool password and the user will be created which will be used to access the files.<\/p>\n\n\n\nsudo htpasswd -c \/etc\/apache2\/ .htpasswd raman<\/code><\/pre>\n\n\n\nauth_basic_user_file<\/code> directive inside the location, and the value will be the path for the password file.<\/p>\n\n\n\nlocation \/emails { \n\n basic_auth \"Admin Area\"; \n auth_basic_user_file \/etc\/apache2\/ .htpasswd; \n\n}<\/code><\/pre>\n\n\n\nallow directive<\/h4>\n\n\n\n
location \/logs { \n allow 192.168.0.1; \n allow 192.168.0.2; \n}<\/code><\/pre>\n\n\n\nPreventing DDOS attack<\/h3>\n\n\n\n
Limiting the number of connections<\/h4>\n\n\n\n
limit_conn<\/code> directive inside the location.<\/p>\n\n\n\nlimit_conn_zone $binary_remote_addr zone=addr:10m;\n\nserver {\n \n location \/products\/ {\n limit_conn addr 10;\n \n }\n}<\/code><\/pre>\n\n\n\nLimit user requests<\/h4>\n\n\n\n
limit_req_zone $binary_remote_addr zone=one:10m rate=30r\/m; \n\nserver {\n location \/admin.html { \n limit_req zone=one;\n }\n\n}<\/code><\/pre>\n\n\n\nTerminating slow connections<\/h4>\n\n\n\n
timeout<\/code> to let nginx know how long should it wait for the writes from the client body and header.<\/p>\n\n\n\nserver {\n client_body_timeout 5s;\n client_header_timeout 5s;\n}<\/code><\/pre>\n\n\n\nDisable directory structure<\/h3>\n\n\n\n
location \/ { \n auto_index off;\n}<\/code><\/pre>\n\n\n\nConfigure server logs<\/h3>\n\n\n\n
http { \n\n access_log logs\/access.log combined; \n error_log logs\/warn.log warn;\n\n}<\/code><\/pre>\n\n\n\nHow Security configuration on servers affects the website performance.<\/h3>\n\n\n\n