Created
October 16, 2015 14:06
-
-
Save rroethof/58d5c46c128c26f4603c to your computer and use it in GitHub Desktop.
nginx hardening tips
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Stop Hotlinking: don’t let other websites steal your content (images, media files, etc), | |
| that will cause additional load to your webserver and also more bandwidth consumption. | |
| ''' | |
| location ~ .(gif|png|jpe?g)$ { | |
| valid_referers none blocked mywebsite.com *.mywebsite.com; | |
| if ($invalid_referer) { | |
| return 403; | |
| } | |
| } | |
| ''' | |
| Deny execution of scripts inside certain directories. | |
| This can be used to protect your websites from being hacked denying execution of scripts inside certain directories (such as tmp, cache, logs, etc), often the ones that need writing permissions. | |
| One easy way to secure is the following: | |
| # deny scripts inside writable directories | |
| ''' | |
| location ~* /(images|cache|media|logs|tmp)/.*.(php|pl|py|jsp|asp|sh|cgi)$ { | |
| return 403; | |
| error_page 403 /403_error.html; | |
| } | |
| ''' | |
| Block attackers based on GeoIP countries | |
| Specify where the GeoIP database is located on your system, you can place this directive inside your http {} configuration block: | |
| '''geoip_country /etc/nginx/GeoIP.dat;''' | |
| Next, let’s tell Nginx which countries are gonna be blocked: | |
| ''' | |
| if ($geoip_country_code ~ (CN|KR|UK) ) { | |
| return 403; | |
| } | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment