Nginx is a high-performance web server with excellent static-content support; it is lightweight and free, and is therefore widely used on high-concurrency sites.

1. Safe operation

Do not run Nginx as root (capitalized Nginx refers to the software, lowercase nginx to the command). Run it as a dedicated user such as nginx or nobody. The user directive in the Nginx configuration sets the user and group that the worker processes run as.

user nobody nobody;

2. Project configuration file

Do not place configuration files in the web directory: an attacker who gains read and write access to the web directory could then modify nginx.conf, for example like this.

client_body_temp_path /etc/shadow;

# optional but more fun :)
location /wat {
    alias /etc;
}

When Nginx is restarted with this configuration, it performs the following (observed with strace).

# strace -e trace=chmod,chown -f nginx
chown("/etc/shadow", 33, 4294967295) = 0
+++ exited with 0 +++

Any file or directory path an attacker writes into the configuration in this way has its owner changed to the worker user, giving the attacker the corresponding permissions on it.

3. Log configuration

Make sure access logging is enabled on production servers. Logs must not be stored in the web directory, and the log files should be owned by root. The access_log directive enables access logging and sets the log path; error_log does the same for the error log.

access_log logs/access.log combined;
error_log logs/error.log error;

The log_format directive defines the Nginx log format. log_format has a predefined format named combined, which is equivalent to Apache's COMBINED log format.

log_format combined '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

The Nginx log format can include the variables listed in Table 1.

Table 1 Nginx log variable meanings
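As an added example (not part of the original article), the following Python parses lines in the combined format defined above and counts 403 responses per client, which is how hits on the deny rules of the later sections show up in the access log. The log lines, addresses and function names are constructed for this demonstration.

```python
import re
from collections import Counter

# Regex for Nginx's predefined "combined" log_format:
#   '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent '
#   '"$http_referer" "$http_user_agent"'
COMBINED_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /upload/test.php HTTP/1.1" 403 169 "-" "curl/7.88.1"
198.51.100.2 - alice [10/Oct/2023:13:56:01 +0000] "GET /dirdeny/ HTTP/1.1" 403 169 "http://example.test/" "Mozilla/5.0"
this line is not in combined format
"""

def parse_combined(line):
    """Return the variables of one combined-format line as a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    # "$request" is "METHOD URI PROTOCOL"; a malformed request is kept whole in "uri".
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["uri"], rec["protocol"] = parts
    else:
        rec["method"], rec["uri"], rec["protocol"] = "", rec["request"], ""
    return rec

def denied_requests(log_text):
    """Count 403 responses per client address (hits on deny rules or missing-script checks)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is not None and rec["status"] == "403":
            hits[rec["remote_addr"]] += 1
    return hits

if __name__ == "__main__":
    for addr, n in denied_requests(SAMPLE_LOG).most_common():
        print(f"{addr}: {n} denied request(s)")
```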

4. Directory and file security

Access to any directory that allows uploads or writes must be denied. Nginx does this with the deny all directive.

To deny access to a directory and return 403 Forbidden, use a configuration like the following.

location /dirdeny {
    deny all;
    return 403;
}

location ~ ^/upload/.*\.(php|php5)$ {
    deny all;
    return 403;
}

5. Hide the version number

To keep Nginx's version number from being fingerprinted, production servers hide the Nginx identification, usually through the configuration file. Open the Nginx configuration file (for example /etc/nginx.conf) and add server_tokens off inside the http block.

http {
    ...
    server_tokens off;   # hide the Nginx version number
    ...
}

The Server header string can also be changed in the source. In src/http/ngx_http_header_filter_module.c, edit ngx_http_server_string and ngx_http_server_full_string:

static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

Also change the NGINX_VERSION and NGINX_VER values in src/core/nginx.h.

#define NGINX_VER "nginx/" NGINX_VERSION

Also edit the FastCGI parameter file used with php-fpm, such as fastcgi.conf or fcgi.conf, and change the version information it passes to PHP:

fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

With the changes above, the server identification can be set to any string, which hides the version number and misleads attackers who rely on fingerprinting.

6. Prevent directory traversal

Nginx does not list directory contents by default, so the autoindex directive is not needed. Enabling it exposes directory listings and creates a directory traversal vulnerability. If a configuration like the one below is present, set autoindex to off or remove the directive.

location / {
    autoindex on;             # should be off or removed
    autoindex_localtime on;
}

7. Nginx file type misparsing vulnerability

This vulnerability lets an attacker compromise any Nginx+PHP server that allows users to upload images. The defect is not in Nginx itself but in PHP's PATH_INFO handling. For example, a user uploads a photo that is served at www.ptpress.com.cn/Upl… ; the file test.jpg actually contains PHP code, and it is executed as PHP when requested through www.ptpress.com.cn/Upl… . The fixes below must be tested to make sure the configuration change does not break the application.

(1) Edit php.ini, set cgi.fix_pathinfo=0, and restart php-cgi. This change affects applications that rely on PATH_INFO for pseudo-static URLs.

(2) Add the following to the Nginx configuration file. Note that it also blocks URLs such as www.ptpress.com.cn/sof… (where v2.0 is a directory name), because the pattern matches any dot in a directory name before the script.

if ($fastcgi_script_name ~ \..*\/.*php) {
    return 403;
}

(3) Check that the requested PHP file actually exists before handing the request to the CGI module; this prevents the vulnerability without the side effect of fix (2).

location ~ \.php$ {
    if ($request_filename ~* (.*)\.php) {
        set $php_url $1;
    }
    if (!-e $php_url.php) {
        return 403;
    }
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

(4) The location block for the upload directory should allow only static access and never PHP script execution.

location ~* ^/upload/.*\.(php|php5)$ {
    deny all;
}
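As an added illustration, not from the original article, the following Python emulates how fixes (2), (3) and (4) above decide on a request URI, using a constructed document root in a temporary directory; the file names, the /soft/v2.0 directory and the function names are assumptions made for the demonstration. It shows that fix (2) also rejects a legitimate script under a dotted directory such as /soft/v2.0/, as the text warns, while fix (3) does not.

```python
import os
import re
import tempfile

# Fix (2): the regex the configuration above applies to $fastcgi_script_name.
FIX2_RE = re.compile(r"\..*/.*php")
# Fix (4): nothing ending in .php/.php5 under /upload/ (case-insensitive, like "location ~*").
UPLOAD_PHP_RE = re.compile(r"^/upload/.*\.(php|php5)$", re.IGNORECASE)

def fix2_blocks(uri):
    """True if fix (2) would return 403 for this script name."""
    return FIX2_RE.search(uri) is not None

def fix4_blocks(uri):
    """True if the upload-directory deny rule of fix (4) matches the URI."""
    return UPLOAD_PHP_RE.match(uri) is not None

def fix3_blocks(docroot, uri):
    """True if fix (3) would return 403 because the requested .php path is not a real file.

    '$request_filename ~* (.*).php' followed by 'if (!-e $php_url.php)' tests
    $document_root$uri for a URI ending in .php: the file itself must exist,
    so an image path with a trailing .php segment is rejected before PHP's
    PATH_INFO handling (cgi.fix_pathinfo=1) could ever resolve it to the image.
    """
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, uri.lstrip("/")))
    if os.path.commonpath([root, target]) != root:  # also refuse paths that leave the root
        return True
    return not os.path.isfile(target)

def make_docroot():
    """Constructed document root (assumption): two real scripts plus an uploaded image."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "upload"))
    os.makedirs(os.path.join(root, "soft", "v2.0"))
    for rel in ("index.php", "soft/v2.0/index.php", "upload/test.jpg"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed placeholder content\n")
    return root

if __name__ == "__main__":
    root = make_docroot()
    for uri in ("/index.php", "/soft/v2.0/index.php", "/upload/test.jpg/x.php"):
        print(uri, "fix2:", fix2_blocks(uri), "fix3:", fix3_blocks(root, uri), "fix4:", fix4_blocks(uri))
```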

8. IP access restriction

Nginx, like Apache, can restrict visitors by IP.

deny 10.10.1.0/24;   # deny this address range
allow 127.0.0.1;     # allow this address
deny all;            # deny all other addresses

IP addresses can also be restricted in whitelist mode with the geo module. First create the ip.conf file:

default 0;          # key = default, value = 0
127.0.0.1 1;
10.0.0.0/8 1;       # key = 10.0.0.0/8, value = 1
192.168.1.0/24 1;

Then configure nginx.conf:

geo $remote_addr $ip_whitelist {
    include ip.conf;
}

location /console {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    if ($ip_whitelist = 1) {
        proxy_pass http://10.10.1.5:8080;
        break;
    }
    return 403;
}

Source: six. The club/article / 113…