Installing and Securing Nginx
Installing and Securing Nginx
Nginx installation focuses on performance and security from the start:
# Ubuntu/Debian
sudo apt install nginx
sudo systemctl stop nginx
# CentOS/RHEL
sudo yum install epel-release
sudo yum install nginx
sudo systemctl stop nginx
Configure Nginx security in /etc/nginx/nginx.conf:
user www-data; # Or nginx user on CentOS
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# Basic Settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off; # Hide Nginx version
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# SSL Settings (prepare for later)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
# Logging Settings
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# Gzip Settings
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml application/atom+xml;
gzip_disable "msie6";
# Security Limits
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1M;
large_client_header_buffers 2 1k;
# Include additional configurations
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}