An nginx configuration for security

112 点作者 plentz超过 11 年前

12 条评论

spindritf超过 11 年前

<pre><code> > add-apt-repository ppa:nginx/stable </code></pre> I don't think this is a good idea. It's a bit unclear on their wiki[1] but they have an official repository maintained by nginx.org<pre><code> deb http://nginx.org/packages/ubuntu/ lucid nginx deb-src http://nginx.org/packages/ubuntu/ lucid nginx </code></pre> (substitute your Ubuntu version for lucid, obviously)and separately the PPA you're using but "this PPA is maintained by volunteers and is not distributed by nginx.org." How committed are those volunteers? Do you want to find out on your server?The official repository carries nginx 1.4.2 (I use it with raring) which works with at least TLS 1.1 (that's what Chrome tells me about the connection).EDIT: Qualsys gives my setup an A, with a pat on the back for supporting forward secrecy and a warning that I'm vulnerable to the BEAST attack. Apparently, I also support TLS 1.2, what do you know.[1] <a href="http://wiki.nginx.org/Install#Official_Debian.2FUbuntu_packages" rel="nofollow">http://wiki.nginx.org/Install#Official_Debian.2FUbuntu_packa...</a>

评论 #6457003 未加载

评论 #6457015 未加载

评论 #6459840 未加载

sdfjkl超过 11 年前

A couple points:* !RC4 - RC4 is in doubt[1]. The only reason to keep it around was to mitigate the BEAST attack, which is now mitigated[2] client side, so RC4 should be dropped.* gzip off; - Explicitly disable gzip compression to avoid BREACH[3]* Ensure TLS deflate is off to mitigate CRIME[4] (this is the default in most, but not all combinations of nginx/OpenSSL).* openssl ciphers -v is great for testing what ciphers match your settings.* Comment your nginx config! You will not remember all of this when you next look at it (or someone else does). And some of it will certainly be outdated. Security is not a static game.[1] <a href="http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/" rel="nofollow">http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_b...</a> [2] <a href="https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat" rel="nofollow">https://community.qualys.com/blogs/securitylabs/2013/09/10/i...</a> [3] <a href="http://en.wikipedia.org/wiki/BREACH_%28security_exploit%29" rel="nofollow">http://en.wikipedia.org/wiki/BREACH_%28security_exploit%29</a> [4] <a href="http://en.wikipedia.org/wiki/CRIME_%28security_exploit%29" rel="nofollow">http://en.wikipedia.org/wiki/CRIME_%28security_exploit%29</a>

评论 #6459501 未加载

评论 #6460609 未加载

评论 #6457460 未加载

ck2超过 11 年前

I guess it is a slow news day but there are better guides out there.If you are using centos or any redhat related product you will have to build your own openssl to get 1.0.1 with perfect-forward-secrecy (the IUS repository does NOT include EC ciphers either). RedHat decided EC ciphers have patents that are valid (they are not).The example configuration is missing ocsp stapling.Their configuration is also including the root certificate in the download for every connection which is unnecessary.Using RC4 over AES for beast mitigation is no longer considered optimal, if anything RC4 is not 100% trustworthy anymore. Lean on elliptic-curve ciphers with AES over RC4 for modern browsers. As a bonus you get CPU acceleration for AES on most servers and many newer home computers.

评论 #6456946 未加载

jrochkind1超过 11 年前

Why can't get the 'best config for security' be default out of the box on nginx and apache httpd? That's the only way we're actually going to have a secure web, ain't it?

评论 #6457395 未加载

throwaway125超过 11 年前

The following two headers are also useful:<pre><code> add_header Strict-Transport-Security max-age=31536000; add_header X-Frame-Options DENY; </code></pre> The first one tells browsers it should never try to visit the http version of this site, even if the user clicks on a http link the browser will visit the https version. This helps prevent ssl stripping attacks.The second prevents browsers from including this site in an iframe or frame, which helps prevent clickjacking attacks. If your site depends on those you can also set the option to SAMEORIGIN.<a href="https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options" rel="nofollow">https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Option...</a> <a href="https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security" rel="nofollow">https://developer.mozilla.org/en-US/docs/Security/HTTP_Stric...</a> <a href="https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping" rel="nofollow">https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping</a>

评论 #6458537 未加载

评论 #6460431 未加载

epistasis超过 11 年前

I hope this isn't too off topic, but this has to e the very worst mobile theme I've seen for a site. Everything is blurry! And I can't zoom in, and there are weird overlays hanging around. I wish people would stop putting in effort to make their site harder to read. I couldn't even get through the first paragraph, because I kept on reaching for my glasses on the nightstand, when they are already on my face.

评论 #6457382 未加载

评论 #6457510 未加载

jamespo超过 11 年前

It is fairly straightforward to compile nginx against the latest ssl tarball, rather than the extreme option of distro upgrade (which as pointed out is no good for Centos / RHEL) for the cipher support.

评论 #6457089 未加载

victorf超过 11 年前

This might be a good place to ask; is there a good way to get fail2ban and nginx to work nicely together? I keep getting shitbirds pecking away at /wpadmin on my website.

评论 #6462839 未加载

ChikkaChiChi超过 11 年前

Link should be named "A Good Starting Config for Learning nginx Security"If you don't know what each line of a config that is being spoon-fed to you off of some website is doing, you're doing it wrong. Research everything!

评论 #6459561 未加载

leeoniya超过 11 年前

i believe "ssl on" is redundant. "listen 443 ssl" already does this.

评论 #6459945 未加载

dholowiski超过 11 年前

> Internal Server ErrorThere is a good amount of irony here. The most secure system is a system that you can't access at all.

评论 #6456993 未加载

评论 #6457187 未加载

评论 #6456972 未加载

nkuttler超过 11 年前

Just unplug the server.Seriously though, any "best for security" article should be taken with a huge grain of salt as security isn't something static that's the same everywhere.

评论 #6461976 未加载