Nginx is a lightweight, high-performance web server/reverse proxy and e-mail (IMAP/POP3) proxy. It runs on UNIX, GNU/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows. According to Netcraft, 13.50% of all domains on the Internet use nginx web server. Nginx is one of a handful of servers written to address the C10K problem. Unlike traditional servers, Nginx doesn’t rely on threads to handle requests. Instead, it uses a much more scalable event-driven (asynchronous) architecture. Nginx powers several high traffic web sites, such as WordPress, Hulu, Github, and SourceForge.
This page collects hints on how to improve the security of nginx web servers running on Linux or UNIX-like operating systems.

Tutorial details | |
---|---|
Difficulty level | Easy |
Root privileges | Yes |
Requirements | Linux or Unix terminal |
Category | Web Server |
OS compatibility | AIX • Alma • Alpine • Arch • BSD • Debian • Fedora • FreeBSD • HP-UX • Linux • macOS • Mint • NetBSD • OpenBSD • openSUSE • Pop!_OS • RHEL • Rocky • Stream • SUSE • Ubuntu • Unix • WSL |
Est. reading time | 20 minutes |
Default Config Files and Nginx Port
- /usr/local/nginx/conf/ or /etc/nginx/ – The nginx server configuration directory; /usr/local/nginx/conf/nginx.conf is the main configuration file.
- /usr/local/nginx/html/ or /var/www/html – The default document root.
- /usr/local/nginx/logs/ or /var/log/nginx – The default log file location.
- Nginx HTTP default port : TCP 80
- Nginx HTTPS default port : TCP 443
You can test nginx configuration changes as follows:

```sh
# /usr/local/nginx/sbin/nginx -t
```

OR

```sh
# nginx -t
```

Sample outputs:

```
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful
```

To load config changes, type:

```sh
# /usr/local/nginx/sbin/nginx -s reload
```

OR

```sh
# nginx -s reload
```

To stop the server, type:

```sh
# /usr/local/nginx/sbin/nginx -s stop
```

OR

```sh
# nginx -s stop
```
#1: Turn On SELinux
Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a mechanism for enforcing mandatory access control security policies, which gives strong protection. It can stop many attacks before your system gets rooted. See how to turn on SELinux for CentOS / RHEL based systems.
Do Boolean Lockdown
Run the getsebool -a command and lock down the system:

```sh
getsebool -a | less
getsebool -a | grep off
getsebool -a | grep on
```

To secure the machine, look at the booleans that are set to ‘on’ and, with the setsebool command, change to ‘off’ any that do not apply to your setup. Set the correct SELinux booleans to keep functionality while retaining protection. Please note that SELinux adds a 2-8% overhead to a typical RHEL or CentOS installation.
#2: Allow Minimal Privileges Via Mount Options
Serve all your web pages / HTML / PHP files from a separate partition. For example, create a partition /dev/sda5 and mount it at /nginx. Make sure /nginx is mounted with the noexec, nodev and nosuid options. Here is my /etc/fstab entry for mounting /nginx:

```
LABEL=/nginx /nginx ext3 defaults,nosuid,noexec,nodev 1
```
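A defender-side check for the mount options above, added here as an example and not taken from the original article: a POSIX shell function that reads a mounts table in /proc/mounts format and reports which of nosuid, noexec and nodev are missing from a given mount point. The sample mounts table below is constructed for the demonstration; with no second argument the function reads the live /proc/mounts (Linux).

```shell
#!/bin/sh
# Added example: verify that a mount point carries the hardening options the
# article recommends (nosuid, noexec, nodev). Not part of the original page.
#
# check_mount_opts MOUNTPOINT [MOUNTS_FILE]
#   MOUNTS_FILE defaults to the live /proc/mounts (Linux). Prints a one-line
#   verdict; returns 0 when all options are present, 1 when some are missing,
#   2 when nothing is mounted at that mount point.
check_mount_opts() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # field 2 is the mount point, field 4 the comma-separated option list;
    # if the same mount point appears more than once, the last line is the
    # mount currently on top, so keep only that one
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "$mp: not mounted"
        return 2
    fi
    missing=""
    for want in nosuid noexec nodev; do
        # wrap in commas so a bare substring match cannot produce false positives
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
    return 0
}

# Constructed sample mounts table (same column layout as /proc/mounts):
# the web root is hardened as in the fstab entry above, the others are not.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda5 /nginx ext3 rw,nosuid,noexec,nodev 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /data ext4 rw,nodev 0 0
EOF

check_mount_opts /nginx "$SAMPLE_MOUNTS"   # /nginx: ok (rw,nosuid,noexec,nodev)
check_mount_opts /data  "$SAMPLE_MOUNTS"   # /data: missing nosuid noexec
check_mount_opts /tmp   "$SAMPLE_MOUNTS"   # /tmp: not mounted
```

On a live server, run `check_mount_opts /nginx` (no second argument) after mounting to confirm the fstab options actually took effect, since a typo in the options column silently leaves the partition mounted without them.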