Enhancing Nginx security configuration is crucial for safeguarding your website against sophisticated cyber threats like DDoS, SQL injection, XSS, and other malicious attacks that can compromise data integrity and system reliability, while optimizing Nginx’s powerful web server capabilities for handling HTTP requests, providing web services, increasing load capacity, and ensuring robust protection.
Fortifying Nginx Web Server Security: Strategies for DDoS Attack Prevention
Timeout and Resource Handling for DDoS Resilience
client_body_timeout 5s;
client_header_timeout 5s;
Both client_body_timeout and client_header_timeout set timeout limits for parts of the request coming from the client. Here is a detailed explanation of each setting:
client_body_timeout 5s
: When a client submits a POST or PUT request with a body (e.g. form data), the Nginx server waits up to 5 seconds between successive reads of that body (the timeout applies to each read, not to the transmission of the whole body). If the client sends nothing within that time, Nginx terminates the request with a 408 (Request Time-out) error and closes the connection. This secure Nginx web server configuration helps prevent hanging connections and frees up server resources.
client_header_timeout 5s
: When the client sends a request, the request headers (e.g. User-Agent, Accept-Language) are attached to it. The Nginx server waits up to 5 seconds to receive the complete request header from the client. If the full header has not arrived within this time, Nginx terminates the request with a 408 error and closes the connection. This helps prevent hanging connections and ensures that the server does not have to wait indefinitely.
Timeout values can be adjusted, but setting them too low can cause problems such as the connection being closed before a legitimate request (for example a large upload over a slow link) has completed. Therefore, choose timeout values suitable for the request type and network environment to ensure stable operation of the website.
Hide Nginx version information
server_tokens off;
This setting hides Nginx's version information in the "Server" HTTP header. With server_tokens off, Nginx returns only "Server: nginx" without a specific version; the version string is also removed from Nginx's built-in error pages.
Securing Protected Folders Against Direct Access Attacks
autoindex off;
This directive disables the autoindex functionality in Nginx, which prevents users from listing the server's directories and files through the browser. When a request targets a directory that has no index file, Nginx returns a 403 error instead of a listing. autoindex is off by default, so this line mainly guards against a listing being enabled elsewhere in the configuration. This secure Nginx web server configuration is essential for ensuring the security of the site.
Prevent attacks via HTTP, MIME sniffing, clickjacking, JavaScript
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
: This line of code adds the "X-Frame-Options" HTTP header to the Nginx response. The "SAMEORIGIN" policy specified in this header prevents the page from being embedded in frames served from a different origin. This security measure helps protect against clickjacking attacks.
add_header Strict-Transport-Security "max-age=31536000";
: This line of code adds the HTTP header "Strict-Transport-Security" to the Nginx response. This header instructs the browser to access the site only over an HTTPS connection for the specified period (here, 31536000 seconds, equivalent to 1 year). Browsers honour it only when it arrives over HTTPS, so it should be sent from the TLS server block. This enhances the secure Nginx web server and prevents protocol-downgrade attacks over plain HTTP.
add_header X-Content-Type-Options nosniff;
: This line of code adds the "X-Content-Type-Options" HTTP header to the Nginx response. The value "nosniff" in this header tells the browser not to guess a file's content type from its bytes, but to use only the content type declared in the "Content-Type" header. This helps prevent MIME-sniffing attacks, where a browser is tricked into executing a file as script or HTML.
add_header X-XSS-Protection "1; mode=block";
: This line of code adds the "X-XSS-Protection" HTTP header to the Nginx response. The "1; mode=block" value turns on the browser's built-in XSS (cross-site scripting) filter: if the browser detects a reflected XSS attack, it blocks the page rather than executing the injected JavaScript code. Note that Chromium-based browsers have removed this filter and Firefox never implemented it, so the header only helps older browsers; a Content-Security-Policy header is the modern replacement.
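A pitfall with add_header: directives are inherited from the enclosing level only when the current level defines no add_header of its own, so a location that adds a single header silently drops all the inherited security headers. As an added example (not from the original page) here is the weak form beside a corrected one that keeps the headers in a shared snippet; the domain, certificate paths, snippet path and upstream address are placeholders, and the two server blocks are alternatives rather than meant to be loaded together.

```nginx
# WEAK: the security headers live at server level, but /api/ adds its own
# add_header, so none of the inherited headers are sent on /api/ responses.
server {
    listen 443 ssl;
    server_name example.com;                          # placeholder
    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder

    add_header X-Frame-Options SAMEORIGIN;
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options nosniff;

    location /api/ {
        add_header Cache-Control "no-store";   # this alone replaces the inherited set
        proxy_pass http://127.0.0.1:8080;      # placeholder upstream
    }
}

# CORRECTED: keep the headers in one snippet and include it at every level that
# uses add_header. "always" (nginx 1.7.5+) also sends them on 4xx/5xx responses.
# --- contents of /etc/nginx/snippets/security-headers.conf (placeholder path) ---
#   add_header X-Frame-Options SAMEORIGIN always;
#   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#   add_header X-Content-Type-Options nosniff always;
server {
    listen 443 ssl;
    server_name example.com;                          # placeholder
    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder

    include /etc/nginx/snippets/security-headers.conf;

    location /api/ {
        add_header Cache-Control "no-store" always;
        include /etc/nginx/snippets/security-headers.conf;   # re-add after the override
        proxy_pass http://127.0.0.1:8080;                    # placeholder upstream
    }
}
```

Verify with `curl -sI https://example.com/api/` after reloading: the weak form shows only Cache-Control, the corrected form shows all four headers.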
Block access to Nginx Server by IP
Configuration to block direct IP access to the Nginx server is necessary to protect the system from direct attacks and increase security by forcing users to use the official domain name.
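Nginx selects a server block by the request's Host header, so direct-IP requests (whose Host is the bare address, or which match no configured server_name) can be caught by a default_server block and dropped. Added example, not from the original page: the catch-all blocks below return 444, which makes Nginx close the connection without sending a response; the certificate paths and domain name are placeholders.

```nginx
# Catch-all for plain HTTP: any request whose Host matches no other
# server_name (including requests by raw IP address) lands here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;          # "_" is a conventional catch-all name that never matches a real host
    return 444;             # close the connection, send nothing back
}

# Catch-all for HTTPS. A certificate is still needed to finish the TLS
# handshake before the Host header can be read; a self-signed one is fine.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/default.crt;   # placeholder, self-signed
    ssl_certificate_key /etc/nginx/tls/default.key;   # placeholder
    # On nginx 1.19.4+ you can replace the two ssl_* lines with
    #   ssl_reject_handshake on;
    # which aborts the handshake for unknown names and needs no certificate.
    return 444;
}

# The real site: only requests whose Host header matches these names reach it.
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder domain
    return 301 https://$host$request_uri;       # send legitimate traffic to HTTPS
}
```

Test after reloading: `curl -sI http://203.0.113.10/` (the server's own address) should fail with an empty reply, while `curl -sI http://example.com/` returns the 301.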
Prevent DDoS Attacks on Nginx Server
Implementing robust anti-DDoS protection measures is crucial to safeguard your website against DDoS attacks. These measures help mitigate the impact of such attacks by detecting and blocking malicious traffic, which typically originates from large numbers of compromised hosts. By employing effective anti-DDoS protection strategies, you can enhance the security and resilience of your website, ensuring uninterrupted access for legitimate users.
Configure Nginx to limit the request rate
You can limit the rate at which NGINX accepts incoming requests to a value typical for real users. For example, you might decide that a real user who visits the login page can only make a request every 2 seconds. You can configure NGINX to allow a single client IP address to attempt to log in every 2 seconds (equivalent to 30 requests per minute); limit_req_zone is declared at the http level and applied with limit_req in the location:
limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
server {
# ...
location /login/ {
limit_req zone=one;
# ...
}
}
Handling Burst Limits in Nginx to Prevent DDoS Attacks
To absorb short bursts of legitimate traffic while still limiting the sustained rate, you can use additional parameters of the limit_req directive (ngx_http_limit_req_module). The example below will help you understand how:
http {
# rate is the only limiting parameter limit_req_zone accepts; burst and nodelay belong to limit_req
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=burst:10m rate=10r/s;   # rate chosen for illustration
server {
...
location / {
limit_req zone=one burst=5;
limit_req zone=burst burst=10 nodelay;
...
}
}
}
In the above example, we have created two rate-limiting zones. The "one" zone has a rate limit of 1 request per second, and the "burst" zone a rate limit of 10 requests per second. The burst and nodelay options are parameters of the limit_req directive, not of limit_req_zone, so they are set where the zone is applied.
In the location / block, we apply limit_req with the zone named "one" and a burst of 5: up to 5 requests above the rate are queued and served at 1 per second, and anything beyond that is rejected. We also apply limit_req with the zone named "burst", a burst of 10, and nodelay, so up to 10 requests above that zone's rate are served immediately instead of being queued. When several limit_req directives apply, a request must pass every one of them, so the most restrictive limit wins.
This configuration limits the number of requests over a period of time while still absorbing short bursts of valid traffic. You can adjust the values of burst and rate to suit the needs and load of your application.
Queueing with No Delay
The approach of preventing DDoS attacks by utilizing the ‘burst’ parameter mentioned above helps in smoothing out the traffic flow, ensuring a secure Nginx web server setup. However, it is important to consider that this method may result in perceived slowness of your website.
In the example this section builds on (a zone with a rate of 10 requests per second and burst=20), the 20th request in the queue has to wait 2 seconds before it is processed, which can negatively impact the user experience. To address this issue and keep the user experience smooth, you can use the nodelay parameter alongside burst in your secure Nginx web server configuration.
# zone "mylimit" is declared with limit_req_zone at the http level
location /login/ {
limit_req zone=mylimit burst=20 nodelay;
proxy_pass https://arriveddev.com;
}
The above configuration applies the request limit (limit_req) for the zone called "mylimit" to the location /login/. This means that any request for a URL starting with /login/ is limited to the zone's rate and the specified burst.
burst=20
: Nginx accepts up to 20 requests beyond the configured rate from a single IP address before the limit is enforced.
nodelay
: Requests within the burst are processed immediately instead of being queued and spaced out at the configured rate; the burst slots themselves are still freed only at that rate, so a client that keeps sending is throttled after the first 20 excess requests.
After applying the request limit, if an IP address sends more requests than the burst allows (in this case, 20 excess requests) in a short period of time, further requests are rejected with a 503 error. Valid requests are forwarded (proxy_pass) to https://arriveddev.com and handled by the upstream server.
This limits server load and protects against DDoS attacks or resource abuse by applying a request limit on the /login/ path.
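When the site sits behind a reverse proxy or CDN (such as the Cloudflare setup mentioned at the end of this article), every request reaches Nginx from the proxy's address, so keying limit_req_zone on $binary_remote_addr throttles all users as if they were one client. Added example, not from the original page, that combines the real_ip module with the rate limiting described above, returns 429 instead of 503 so throttling is distinguishable from backend failure, and uses two-stage limiting; the address range, domain, certificate paths and upstream are placeholders.

```nginx
http {
    # Trust the forwarded client address only from the proxy/CDN ranges you
    # actually use; otherwise anyone can spoof X-Forwarded-For and dodge the limit.
    set_real_ip_from 203.0.113.0/24;       # placeholder (TEST-NET-3) range
    real_ip_header   X-Forwarded-For;      # Cloudflare also sends CF-Connecting-IP
    real_ip_recursive on;                  # skip trusted hops, take the last untrusted one

    # 10 requests/second per client address; a 10 MB zone holds roughly
    # 160,000 IPv4 states (about 16,000 per megabyte).
    limit_req_zone $binary_remote_addr zone=login:10m rate=10r/s;

    # 429 Too Many Requests instead of the default 503, and log rejections
    # at warn level so they stand out when investigating an incident.
    limit_req_status    429;
    limit_req_log_level warn;

    server {
        listen 443 ssl;
        server_name example.com;                          # placeholder
        ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder
        ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder

        location /login/ {
            # Two-stage limiting (nginx 1.15.7+): excess requests 1-8 are served
            # at once, 9-20 are queued and released at 10/s, 21 and beyond get 429.
            limit_req zone=login burst=20 delay=8;
            proxy_pass http://127.0.0.1:8080;             # placeholder upstream
        }
    }
}
```

Check that the real client address is being used by confirming $remote_addr in the access log shows the visitor's IP rather than the proxy's after the change.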
Configure Nginx to limit the number of connections
Another DDoS defense for a secure Nginx web server is to limit the number of connections that a single client IP address can have open at once. For example, you can allow each client IP address to open no more than 10 connections to your site:
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
# ...
location /store/ {
limit_conn addr 10;
# ...
}
}
Denying Specific IP Connections to Nginx Server
If your site is under DDoS, you can identify the attacking IP addresses and deny their connections to the server. For example, suppose we have identified that the 123.123.123.0/28 range (16 addresses) is making continuous requests to the server; the way to block it in Nginx is to add the range to a deny list.
location / {
deny 123.123.123.0/28;
# ...
}
If you have identified multiple IPs, list each one (a deny inside location / covers only that location; place it at the server level to cover the whole site):
location / {
deny 123.123.123.3;
deny 123.123.123.5;
deny 123.123.123.7;
# ...
}
The above instructions demonstrate how to configure DDoS prevention for your website and secure your Nginx web server. Additionally, you can enhance your DDoS protection by leveraging Cloudflare, which offers effective anti-DDoS capabilities in front of your server.