Jump to content

secure and top performance config for /etc/nginx/nginx.conf

Featured Replies

Posted
comment_458

Hi, I hope you are be fine. Kindly guide me on how can make a high secure and top performance config for 

 /etc/nginx/nginx.conf 

which help the server against attacker and keep server more secure and mitigate attacks.

Kindly share the whole ngnix.conf here with full details.

thank you very much.

  • Author
comment_470

HI, I mean on how can hardening the server by nginx.conf more than usual

user nobody;
worker_processes auto;
#worker_rlimit_nofile    65535;
error_log               /var/log/nginx/error.log crit;
pid                     /var/run/nginx.pid;

events {
	worker_connections  1024;
	use                 epoll;
	multi_accept        on;

}
http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	client_header_timeout 3m;
	client_body_timeout 3m;
	client_max_body_size 256m;
	client_header_buffer_size 4k;
	client_body_buffer_size 256k;
	large_client_header_buffers 4 32k;
	send_timeout 3m;
	keepalive_timeout 60 60;
	reset_timedout_connection       on;
	server_names_hash_max_size 1024;
	server_names_hash_bucket_size 1024;
	ignore_invalid_headers on;
	connection_pool_size 256;
	request_pool_size 4k;
	output_buffers 4 32k;
	postpone_output 1460;

	include mime.types;
	default_type application/octet-stream;

	# Compression gzip
	gzip on;
	gzip_vary on;
	gzip_disable "MSIE [1-6]\.";
	gzip_proxied any;
	gzip_min_length 512;
	gzip_comp_level 6;
	gzip_buffers 8 64k;
	gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

	# Proxy settings
	proxy_redirect      off;
	proxy_set_header    Host            $host;
	proxy_set_header    X-Real-IP       $remote_addr;
	proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header   Set-Cookie;
	proxy_connect_timeout   300;
	proxy_send_timeout  300;
	proxy_read_timeout  300;
	proxy_buffers       32 4k;
	proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
	proxy_cache_key "$host$request_uri $cookie_user";
	proxy_temp_path  /var/cache/nginx/temp;
	proxy_ignore_headers Expires Cache-Control;
	proxy_cache_use_stale error timeout invalid_header http_502;
	proxy_cache_valid any 1d;

	open_file_cache_valid 120s;
	open_file_cache_min_uses 2;
	open_file_cache_errors off;
	open_file_cache max=5000 inactive=30s;
	open_log_file_cache max=1024 inactive=30s min_uses=2;

	# SSL Settings
	ssl_session_cache   shared:SSL:10m;
	ssl_protocols       TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

	# Logs
	log_format  main    '$remote_addr - $remote_user [$time_local] $request '
		                '"$status" $body_bytes_sent "$http_referer" '
		                '"$http_user_agent" "$http_x_forwarded_for"';
	log_format  bytes   '$body_bytes_sent';
	#access_log          /var/log/nginx/access.log main;
	access_log off;

	# Cache bypass
	map $http_cookie $no_cache {
		default 0;
		~SESS 1;
		~wordpress_logged_in 1;
	}

	# Include additional configuration
	include /etc/nginx/cloudflare.inc;
	include /etc/nginx/conf.d/*.conf;
}


I mean what else we have to add to the above config file to make it more secure and highly performance

kindly guide us. thank you

comment_471

hi replace these lines :

worker_rlimit_nofile    65535;
	worker_connections  5000;

final config :

user nobody;
worker_processes auto;
worker_rlimit_nofile    65535;
error_log               /var/log/nginx/error.log crit;
pid                     /var/run/nginx.pid;

events {
	worker_connections  5000;
	use                 epoll;
	multi_accept        on;

}
http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	client_header_timeout 3m;
	client_body_timeout 3m;
	client_max_body_size 256m;
	client_header_buffer_size 4k;
	client_body_buffer_size 256k;
	large_client_header_buffers 4 32k;
	send_timeout 3m;
	keepalive_timeout 60 60;
	reset_timedout_connection       on;
	server_names_hash_max_size 1024;
	server_names_hash_bucket_size 1024;
	ignore_invalid_headers on;
	connection_pool_size 256;
	request_pool_size 4k;
	output_buffers 4 32k;
	postpone_output 1460;

	include mime.types;
	default_type application/octet-stream;

	# Compression gzip
	gzip on;
	gzip_vary on;
	gzip_disable "MSIE [1-6]\.";
	gzip_proxied any;
	gzip_min_length 512;
	gzip_comp_level 6;
	gzip_buffers 8 64k;
	gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

	# Proxy settings
	proxy_redirect      off;
	proxy_set_header    Host            $host;
	proxy_set_header    X-Real-IP       $remote_addr;
	proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header   Set-Cookie;
	proxy_connect_timeout   300;
	proxy_send_timeout  300;
	proxy_read_timeout  300;
	proxy_buffers       32 4k;
	proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
	proxy_cache_key "$host$request_uri $cookie_user";
	proxy_temp_path  /var/cache/nginx/temp;
	proxy_ignore_headers Expires Cache-Control;
	proxy_cache_use_stale error timeout invalid_header http_502;
	proxy_cache_valid any 1d;

	open_file_cache_valid 120s;
	open_file_cache_min_uses 2;
	open_file_cache_errors off;
	open_file_cache max=5000 inactive=30s;
	open_log_file_cache max=1024 inactive=30s min_uses=2;

	# SSL Settings
	ssl_session_cache   shared:SSL:10m;
	ssl_protocols       TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

	# Logs
	log_format  main    '$remote_addr - $remote_user [$time_local] $request '
		                '"$status" $body_bytes_sent "$http_referer" '
		                '"$http_user_agent" "$http_x_forwarded_for"';
	log_format  bytes   '$body_bytes_sent';
	#access_log          /var/log/nginx/access.log main;
	access_log off;

	# Cache bypass
	map $http_cookie $no_cache {
		default 0;
		~SESS 1;
		~wordpress_logged_in 1;
	}

	# Include additional configuration
	include /etc/nginx/cloudflare.inc;
	include /etc/nginx/conf.d/*.conf;
}

 

  • Author
comment_473

Hi, dear Sandeep you're always very helpful, God Bless you.

 

I added the config like below: 

user nobody;
worker_processes auto;
#worker_rlimit_nofile    65535;
error_log               /var/log/nginx/error.log crit;
pid                     /var/run/nginx.pid;

events {
	worker_connections  1024;
	use                 epoll;
	multi_accept        on;

}
http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	client_header_timeout 3m;
	client_body_timeout 3m;
	client_max_body_size 256m;
	client_header_buffer_size 4k;
	client_body_buffer_size 256k;
	large_client_header_buffers 4 32k;
	send_timeout 3m;
	keepalive_timeout 60 60;
	reset_timedout_connection       on;
	server_names_hash_max_size 1024;
	server_names_hash_bucket_size 1024;
	ignore_invalid_headers on;
	connection_pool_size 256;
	request_pool_size 4k;
	output_buffers 4 32k;
	postpone_output 1460;
    server_tokens off;

	include mime.types;
	default_type application/octet-stream;

	# Compression gzip
	gzip on;
	gzip_vary on;
	gzip_disable "MSIE [1-6]\.";
	gzip_proxied any;
	gzip_min_length 512;
	gzip_comp_level 6;
	gzip_buffers 8 64k;
	gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

	# Proxy settings
	proxy_redirect      off;
	proxy_set_header    Host            $host;
	proxy_set_header    X-Real-IP       $remote_addr;
	proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header   Set-Cookie;
	proxy_connect_timeout   300;
	proxy_send_timeout  300;
	proxy_read_timeout  300;
	proxy_buffers       32 4k;
	proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
	proxy_cache_key "$host$request_uri $cookie_user";
	proxy_temp_path  /var/cache/nginx/temp;
	proxy_ignore_headers Expires Cache-Control;
	proxy_cache_use_stale error timeout invalid_header http_502;
	proxy_cache_valid any 1d;

	open_file_cache_valid 120s;
	open_file_cache_min_uses 2;
	open_file_cache_errors off;
	open_file_cache max=5000 inactive=30s;
	open_log_file_cache max=1024 inactive=30s min_uses=2;

	# SSL Settings
	ssl_session_cache   shared:SSL:10m;
	ssl_protocols       TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

	# Logs
	log_format  main    '$remote_addr - $remote_user [$time_local] $request '
		                '"$status" $body_bytes_sent "$http_referer" '
		                '"$http_user_agent" "$http_x_forwarded_for"';
	log_format  bytes   '$body_bytes_sent';
	#access_log          /var/log/nginx/access.log main;
	access_log off;

	# Cache bypass
	map $http_cookie $no_cache {
		default 0;
		~SESS 1;
		~wordpress_logged_in 1;
	}

	# Include additional configuration
	include /etc/nginx/cloudflare.inc;
	include /etc/nginx/conf.d/*.conf;
}


and added those line you recommend and the below line as well:  server_tokens off;

 

kindly recommend us more to make is more secure and stable and high perfromance please

 

regards.

  • 2 weeks later...
comment_583

What is your use case? Nginx has specific "recipes" you can replicate for various CMS platforms if you want to tune it to better support the platform you are using. I have some WordPress sites, a Drupal site, and a Joomla site running under different Nginx vhosts, so each is tuned for its specific use. Or are you looking for a general purpose performance boost?

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now