Last active
February 22, 2023 06:01
-
-
Save amolvishwakarma/3af2364be09e10083690af2795b85fed to your computer and use it in GitHub Desktop.
Best Security Practices For Apache/Nginx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <IfModule mod_headers.c> | |
| # HSTS - force redirect to HTTPS at the browser level. | |
| Header always set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload" env=HTTPS | |
| # X-Xss-Protection | |
| Header always set X-XSS-Protection "1; mode=block" | |
| # Stop clickjacking by only allowing us to frame our own site | |
| # Allowed values are DENY, SAMEORIGIN, ALLOW-FROM="https://example.com" | |
| Header always set X-Frame-Options "SAMEORIGIN" | |
| # Avoid MIMEtype attacks | |
| Header always set X-Content-Type-Options: "nosniff" | |
| # Allow Cross-Origin Resource Sharing (CORS) | |
| # Don't use "*" it allows the code from any origin | |
| Header always set Access-Control-Allow-Origin "https://example.com" | |
| # Content Security Policy | |
| # Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS | |
| # Content Security Policy Report Only | |
| # Get mixed-content warnings | |
| Header set Content-Security-Policy-Report-Only "default-src https: 'unsafe-eval' 'unsafe-inline'; font-src https: data:; img-src https: data:; \ | |
| report-uri https://example.com/default/csp/reportOnly" | |
| # Remove PHP version | |
| Header unset X-Powered-By | |
| </IfModule> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1.) Hide Directory Listing | |
| Note: Take backup of existing vhost confs | |
| To disable directory listing open apache2.conf use below configuration: | |
| sudo nano /etc/apache2/apache2.conf | |
| Edit as below: | |
| <Directory /var/www/> | |
| Options -Indexes | |
| AllowOverride All | |
| Require all granted | |
| </Directory> | |
| 2.) Web Server Banner Disclosure. | |
| Need to install modsecurity to hide server name & version info of apache to prevent attacks using the vulnerable database. | |
| sudo apt install libapache2-mod-security2 | |
| sudo a2enmod security2 | |
| Note: Comment out existing ServerTokens and ServerSignature . | |
| sudo nano /etc/apache2/conf-enabled/security.conf | |
| Add these in configuration: | |
| ServerTokens Prod | |
| SecServerSignature "Example" | |
| 3.) To Prevent Host Header Injection add the below in the vhost conf in sites-enabled. | |
| UseCanonicalName On | |
| 4.) Use http2 instead of http. | |
| Note: HTTP/2 is only supported over HTTPS. Issue the below command to enable the http2 module. | |
| sudo a2enmod http2 | |
| Note: Add the below line in the vhost conf in sites-enabled. | |
| Protocols h2 http/1.1 | |
| 5.) Enable TLS 1.3 | |
| SSLEngine on | |
| SSLProtocol -all +TLSv1.2 +TLSv1.3 | |
| SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 | |
| SSLHonorCipherOrder On |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1.) Hide nginx version | |
| nano /etc/nginx/nginx.conf | |
| Note: Under the # HTTP Options and ## lines, add a new line: | |
| server_tokens off; | |
| 2.) Customize Server Name from nginx to something else. | |
| Need to install nginx-extras to do this use the below command to install it. | |
| sudo apt-get install nginx-extras | |
| nano /etc/nginx/nginx.conf | |
| Note: Under the # HTTP Options add below the server_tokens off: | |
| more_set_headers 'Server: Anonymous '; | |
| Note: Please make sure to reload nginx service to reflect the configuration changes. | |
| Note: To verify that the nginx version & nginx server is removed from the response use the below curl command. | |
| curl --head yourdomain.com | |
| 3.) Adding the security headers in nginx vhost configuraton. | |
| add_header Strict-Transport-Security "max-age=31536000; preload"; | |
| add_header X-Frame-Options SAMEORIGIN; | |
| add_header X-Xss-Protection "1; mode=block" always; | |
| add_header X-Content-Type-Options nosniff; | |
| add_header 'Access-Control-Allow-Origin' 'https://example.com'; | |
| Note: You need to customize the csp headers for every site it will be different. | |
| add_header Content-Security-Policy "default-src 'self';" always; | |
| 4.) Use http2 instead of http. | |
| Note: HTTP/2 is only supported over HTTPS. | |
| listen 443 ssl http2; | |
| listen [::]:443 ssl http2; | |
| 5.) Enable TLS 1.3 | |
| ssl_protocols TLSv1.2 TLSv1.3; | |
| ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | |
| ssl_prefer_server_ciphers on; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment