Last active
May 10, 2022 12:53
-
-
Save dustyfresh/5ed0e4226253ad91450c8c8fcb63a661 to your computer and use it in GitHub Desktop.
Hardened nginx config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Security enhancements and custom Nginx server header | |
# | |
# Requirements: | |
# $ apt install nginx vim | |
# $ apt install libnginx-mod-http-headers-more-filter | |
# $ vim /etc/nginx/sites-enabled/default | |
# | |
# Further reading http://docs.hardentheworld.org/Applications/Nginx/ | |
# | |
server { | |
listen 80 default_server; | |
listen [::]:80 default_server; | |
root /var/www/html; | |
# Add index.php to the list if you are using PHP | |
index index.html index.htm index.nginx-debian.html; | |
server_name _changeme_; | |
server_tokens off; | |
# don't forget you need the nginx more headers package | |
# apt install libnginx-mod-http-headers-more-filter | |
more_set_headers "Server: _changeme_"; | |
# disabled directory indexing | |
autoindex off; | |
# https://nginx.org/en/docs/http/ngx_http_ssi_module.html | |
ssi off; | |
# Enables XSS protection | |
add_header X-XSS-Protection "1; mode=block"; | |
# prevent browser from interpreting files as something else than | |
# declared by the content type in the http header | |
add_header X-Content-Type-Options nosniff; | |
# Deny illegal Host headers. | |
if ($host !~* ^(_changeme_)$ ) { | |
return 444; | |
} | |
# Security enhancements | |
location / { | |
try_files $uri $uri/ =404; | |
if ($request_uri ~* '\.\.\/|\-\-|union|<|>|\'|\"|;|eval|%|passwd|null|busybox|wget|shell|\.sh|wget') { return 444; } | |
if ($http_user_agent ~* 'bot|acunetix|burp|requests|perl|python|java|curl|wget|scan|grab|php|go\-|nikto|map') { return 444; } | |
} | |
# Do not return specific nginx error responses, instead we return a newline character | |
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 /error; | |
location /error { | |
return 200 '\n'; | |
add_header Content-Type text/plain; | |
} | |
} | |
server { | |
listen 443 ssl; | |
listen [::]:443 ssl; | |
ssl on; | |
ssl_certificate /etc/nginx/ssl/cert; | |
ssl_certificate_key /etc/nginx/ssl/key; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_prefer_server_ciphers on; | |
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; | |
root /var/www/html; | |
# Add index.php to the list if you are using PHP | |
index index.html index.htm index.nginx-debian.html; | |
server_name _changeme_; | |
server_tokens off; | |
# don't forget you need the nginx more headers package | |
# apt install libnginx-mod-http-headers-more-filter | |
more_set_headers "Server: _changeme_"; | |
# disabled directory indexing | |
autoindex off; | |
# https://nginx.org/en/docs/http/ngx_http_ssi_module.html | |
ssi off; | |
# Enables XSS protection | |
add_header X-XSS-Protection "1; mode=block"; | |
# prevent browser from interpreting files as something else than | |
# declared by the content type in the http header | |
add_header X-Content-Type-Options nosniff; | |
# Deny illegal Host headers. | |
if ($host !~* ^(_changeme_)$ ) { | |
return 444; | |
} | |
# Security enhancements | |
location / { | |
try_files $uri $uri/ =404; | |
if ($request_uri ~* '\.\.\/|\-\-|union|<|>|\'|\"|;|eval|%|passwd|null|busybox|wget|shell|\.sh|wget') { return 444; } | |
if ($http_user_agent ~* 'bot|acunetix|burp|requests|perl|python|java|curl|wget|scan|grab|php|go\-|nikto|map') { return 444; } | |
} | |
# Do not return specific nginx error responses, instead we return a newline character | |
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 /error; | |
location /error { | |
return 200 '\n'; | |
add_header Content-Type text/plain; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment