I’m an nginx rookie. In fact, I moved a site specifically to nginx so I could sit and learn it. While this site, today, is ‘on’ nginx, it’s actually an nginx proxy that sits in front of Apache 2.4, not because I think Apache is necessarily better, but because after all this time, I still can’t stand the loss of the dynamism of my .htaccess.
When I was experimenting, though, one of the things I started to do was recreate my ‘tinfoil hat’ .htaccess rules in nginx. What are ‘tinfoil hat rules’? They’re things I’ve tweaked in .htaccess to make it harder for nefarious people to look at my code and get into my servers. They’re also general ‘stop being from being jerks’ rules (like preventing hotlinking).
This isn’t complete, but it’s everything I’d started to compile and test.
Header
######################
# TinFoil Hat Rules
This is pretty basic, I like to document my section before I get too far into this.
Directory Listing
# Directory Index Off
location / {
    # "off" is what actually disables listings; "on" would enable them
    autoindex off;
}
Directory listing is like when you go to domain.com/images/ and you get a list of all their images. This is just a bad idea, as people can also use it to list PHP files you might have (many plugins lack an index.php, and no, this isn’t a bad thing). This simple rule will protect you.
Hotlinking
# Hotlinking
# dots are escaped so the pattern matches real extensions, not "xjpg"
location ~* \.(jpg|jpeg|png|gif)$ {
    # "none" admits requests with no Referer (direct visits, privacy settings),
    # "blocked" admits Referers a proxy or firewall has stripped
    valid_referers none blocked elftest.net *.elftest.net;
    if ($invalid_referer) {
        return 444;
    }
}
Ah. Hotlinking. This is inlining images from someone else’s server, like <img src="http://example.com/images/yourimage.jpg" />. If I’m on example.com, that’s fine. If I’m not, then that’s bad. Never ever hotlink images unless the site provides you a hotlinking URL. I cannot stress this enough.
This code comes straight from the nginx wiki, and works great.
Protecting wp-config.php
This is pretty straightforward. I want to block anyone from hitting that file directly, anytime, anywhere.
location /wp-config.php {
    deny all;
}
Done.
Brute Force Protection
If you have the ngx_http_limit_req_module module, you can rate-limit how many requests an IP can make to a file.
# http {} context: zone "one" tracks client IPs in 10m of state, 1 request/second each
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# server {} context: up to 5 excess requests are queued, anything beyond that gets 503
location /wp-login.php {
    limit_req zone=one burst=5;
}
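All of the rules above, plus the referrer-spam and server_tokens tips from the comments, assembled into one server block so the contexts and location types line up. This is an added example, not the post’s own configuration; the Apache backend at 127.0.0.1:8080 and the plain-HTTP listener are assumptions, and TLS is left out.

```nginx
# http {} context: shared counter for limit_req, keyed by client IP,
# 10 MB of state, steady rate of one request per second per IP
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

server {
    listen 80;
    server_name elftest.net *.elftest.net;   # hostnames taken from the hotlink rule

    server_tokens off;   # do not advertise the nginx version in headers or error pages
    autoindex off;       # directory listing off for the whole site (also nginx's default)

    # Referrer spam block from the first comment: dots escaped so only these hosts match;
    # 444 closes the connection without sending any response
    if ($http_referer ~* (semalt\.com|buttons-for-website\.com)) {
        return 444;
    }

    # Exact match, so only this path is caught; deny all answers 403
    location = /wp-config.php {
        deny all;
    }

    # Login form: a burst of 5 requests is queued, anything beyond it gets 503.
    # proxy_pass is repeated because a location does not inherit it from "location /"
    location = /wp-login.php {
        limit_req zone=one burst=5;
        proxy_pass http://127.0.0.1:8080;    # assumed Apache 2.4 backend
    }

    # Hotlink protection: escaped dots so ".jpg" cannot match "xjpg";
    # "none" admits direct visits (no Referer), "blocked" admits Referers stripped by proxies
    location ~* \.(jpe?g|png|gif)$ {
        valid_referers none blocked elftest.net *.elftest.net;
        if ($invalid_referer) {
            return 444;
        }
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else goes to Apache, which still gets to use its .htaccess
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check the file with `nginx -t` before reloading; the regex location for images is evaluated before the prefix `location /`, while the two `=` locations win outright for their exact paths.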
And that’s all I got to…
And that is, sadly, as far as I got before I started playing with Apache 2.4 and enjoying the ifs of that, over nginx. What about you? What are your nginx security tweaks?
Comments
2 responses to “Learning nginx”
Hey there!
Love these, thanks for sharing. I have been annoyed by particular referrer spam recently, as have some of my customers, so I enabled the following nginx rules on my sites:
# dots escaped so each pattern matches only that host, not "semaltXcom"
if ($http_referer ~* (semalt\.com)) { return 444; }
if ($http_referer ~* (buttons-for-website\.com)) { return 444; }
if ($http_referer ~* (make-money-online\.7makemoneyonline\.com)) { return 444; }
Done! And another cool trick for your reference if ever needed is the ability to force file downloads in nginx. Here is that nifty code:
location ~* \.pdf$ {
    # types lists extensions without the dot; mapping pdf to octet-stream
    # makes browsers download the file instead of rendering it
    types { application/octet-stream pdf; }
    default_type application/octet-stream;
}
I’ve not done it myself (you know I don’t value hiding version numbers) but many installations hide their nginx version numbers by setting server_tokens to off.
http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
I also redirect to the SSL version of my pages
# in the server {} that listens on port 80 only; in the HTTPS server it would loop
location / {
    return 301 https://$http_host$request_uri;
}
And use the HttpSubsModule to fix my non-SSL URLs in the HTML.
subs_filter_types text/css text/xml;
#
# http host substitution for https versions
#
subs_filter 'href=\'http://$http_host/' 'href=\'https://$http_host/';
subs_filter 'href=\"http://$http_host/' 'href=\"https://$http_host/';
I have a valid wildcard SSL cert on my vhost, so it works for me.