Skip to content

Instantly share code, notes, and snippets.

@dustyfresh
Last active May 10, 2022 12:53
Show Gist options
  • Save dustyfresh/5ed0e4226253ad91450c8c8fcb63a661 to your computer and use it in GitHub Desktop.
Save dustyfresh/5ed0e4226253ad91450c8c8fcb63a661 to your computer and use it in GitHub Desktop.
Hardened nginx config
# Security enhancements and custom Nginx server header
#
# Requirements:
# $ apt install nginx vim
# $ apt install libnginx-mod-http-headers-more-filter
# $ vim /etc/nginx/sites-enabled/default
#
# Further reading http://docs.hardentheworld.org/Applications/Nginx/
#
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _changeme_;
server_tokens off;
# don't forget you need the nginx more headers package
# apt install libnginx-mod-http-headers-more-filter
more_set_headers "Server: _changeme_";
# disabled directory indexing
autoindex off;
# https://nginx.org/en/docs/http/ngx_http_ssi_module.html
ssi off;
# Enables XSS protection
add_header X-XSS-Protection "1; mode=block";
# prevent browser from interpreting files as something else than
# declared by the content type in the http header
add_header X-Content-Type-Options nosniff;
# Deny illegal Host headers.
if ($host !~* ^(_changeme_)$ ) {
return 444;
}
# Security enhancements
location / {
try_files $uri $uri/ =404;
if ($request_uri ~* '\.\.\/|\-\-|union|<|>|\'|\"|;|eval|%|passwd|null|busybox|wget|shell|\.sh|wget') { return 444; }
if ($http_user_agent ~* 'bot|acunetix|burp|requests|perl|python|java|curl|wget|scan|grab|php|go\-|nikto|map') { return 444; }
}
# Do not return specific nginx error responses, instead we return a newline character
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 /error;
location /error {
return 200 '\n';
add_header Content-Type text/plain;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/nginx/ssl/cert;
ssl_certificate_key /etc/nginx/ssl/key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _changeme_;
server_tokens off;
# don't forget you need the nginx more headers package
# apt install libnginx-mod-http-headers-more-filter
more_set_headers "Server: _changeme_";
# disabled directory indexing
autoindex off;
# https://nginx.org/en/docs/http/ngx_http_ssi_module.html
ssi off;
# Enables XSS protection
add_header X-XSS-Protection "1; mode=block";
# prevent browser from interpreting files as something else than
# declared by the content type in the http header
add_header X-Content-Type-Options nosniff;
# Deny illegal Host headers.
if ($host !~* ^(_changeme_)$ ) {
return 444;
}
# Security enhancements
location / {
try_files $uri $uri/ =404;
if ($request_uri ~* '\.\.\/|\-\-|union|<|>|\'|\"|;|eval|%|passwd|null|busybox|wget|shell|\.sh|wget') { return 444; }
if ($http_user_agent ~* 'bot|acunetix|burp|requests|perl|python|java|curl|wget|scan|grab|php|go\-|nikto|map') { return 444; }
}
# Do not return specific nginx error responses, instead we return a newline character
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 /error;
location /error {
return 200 '\n';
add_header Content-Type text/plain;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment