How to make nginx secure

TL;DR: there is no such thing as an absolutely secure system, so the honest answer is that you can't. But you can make your life a lot easier with a Docker container, bunkerized-nginx. Below we look at how it differs from the standard nginx image and what interesting things it can do.

Bunker Server

For me, the word "bunkerized" applied to a server brings to mind only CyberBunker, and here the analogy is actually apt. The French team Bunkerity develops ready-made hardened images for nginx, mariadb, php and phpmyadmin, promising protection against intrusions, bots and crawlers, brute force and malicious files, much as the owners of that pirate bunker once promised security and anonymity.

[image: the demo server https://demo-nginx.bunkerity.com/ is invisible to scanners, although it is reachable in a browser]

Real features

In addition to the standard advantages of nginx in docker, we get:

  • HTTPS with automatic Let's Encrypt issuance and renewal
  • Up-to-date web hardening: HTTP security headers, php.ini hardening, prevention of information leaks (such as server version disclosure) and more
  • Built-in ModSecurity WAF with the OWASP Core Rule Set
  • Automatic blocking of suspicious activity via fail2ban
  • Protection against bot attacks: mandatory verification by captcha / cookie / custom JS (an analogue of Cloudflare's "Under Attack" mode)
  • Blocking of Tor connections and proxies, of suspicious or banned User-Agents, and even of whole countries
  • Automatic IP checks against DNSBL blacklists
  • Protection against brute force (request rate limiting)
  • Detection of dangerous or malicious files with ClamAV
  • Compact configuration via environment variables
  • Support for non-standard architectures such as arm32v7

Some of this looks trite and some may seem superfluous (why would I care about a rebuilt nginx if I run the container on x86_64?), but thanks to the flexible configuration almost everything can be tuned to your taste and your needs.

Running

Installation

docker pull bunkerity/bunkerized-nginx

HTTP server with default settings

docker run -p 80:80 -v /path/to/web/files:/www bunkerity/bunkerized-nginx

Files are served from the /www directory.

HTTPS server with automatic Let’s Encrypt management

docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -v /where/to/save/certificates:/etc/letsencrypt -e SERVER_NAME=www.yourdomain.com -e AUTO_LETS_ENCRYPT=yes -e REDIRECT_HTTP_TO_HTTPS=yes bunkerity/bunkerized-nginx

The certificates are stored in /etc/letsencrypt. You can stop the server from listening on HTTP entirely with LISTEN_HTTP=no, but with automatic Let's Encrypt you should keep port 80 open and redirected instead: the HTTP-01 challenge used to issue and renew the certificate is delivered over port 80.

The following variables were used here:

SERVER_NAME – FQDN (fully qualified domain name) of your server
AUTO_LETS_ENCRYPT – automatically creates and renews Let's Encrypt certificates
REDIRECT_HTTP_TO_HTTPS – redirects HTTP to HTTPS
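Once the container is up, it is worth checking that the redirect and the hardening headers actually reach the client. The script below is an added example, not code from this post or from bunkerized-nginx: it parses raw HTTP responses (the samples embedded in it are constructed, standing in for the output of `curl -si http://www.yourdomain.com/` and `curl -si https://www.yourdomain.com/`) and reports a missing permanent redirect, missing security headers, a short HSTS lifetime, or a Server header that discloses the nginx version. Which headers count as required is this example's assumption, not a list taken from the image.

```python
"""Post-deployment check for the HTTPS setup: does plain HTTP redirect to
HTTPS, and does the HTTPS response carry the expected hardening headers?
Added example, not code from the post or from bunkerized-nginx.
"""

# Headers a hardened HTTPS response is expected to carry (example's assumption).
REQUIRED_HTTPS_HEADERS = (
    "content-security-policy",
    "referrer-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)
HSTS_MIN_MAX_AGE = 31536000  # one year, the minimum accepted for HSTS preload


def parse_response(raw: str) -> tuple:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map)."""
    head = raw.replace("\r\n", "\n").partition("\n\n")[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # last duplicate wins
    return int(parts[1]), headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def check_http_redirect(raw: str, host: str) -> list:
    """Findings for the plain-HTTP response: expect a permanent redirect to https://host."""
    code, headers = parse_response(raw)
    findings = []
    if code not in (301, 308):
        findings.append(f"HTTP answered {code} instead of a permanent redirect (301/308)")
    location = headers.get("location", "")
    if not location.lower().startswith(f"https://{host.lower()}"):
        findings.append(f"Location {location!r} does not point at https://{host}")
    return findings


def check_https_headers(raw: str) -> list:
    """Findings for the HTTPS response: required headers, HSTS lifetime, version leak."""
    _code, headers = parse_response(raw)
    findings = [f"missing {h}" for h in REQUIRED_HTTPS_HEADERS if h not in headers]
    hsts = headers.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS max-age below {HSTS_MIN_MAX_AGE}: {hsts!r}")
    server = headers.get("server", "")
    if "/" in server:  # e.g. "nginx/1.18.0": version disclosure
        findings.append(f"Server header discloses version: {server!r}")
    return findings


# Constructed sample responses (not captured from a real host).
HTTP_REDIRECT_OK = (
    "HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
    "Location: https://www.yourdomain.com/\r\nContent-Length: 0\r\n\r\n"
)
HTTP_NO_REDIRECT = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"
HTTPS_HARDENED = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Content-Security-Policy: default-src 'self'\r\n\r\n<html>ok</html>"
)
HTTPS_STOCK = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>ok</html>"
)

if __name__ == "__main__":
    for label, findings in (
        ("http, redirect", check_http_redirect(HTTP_REDIRECT_OK, "www.yourdomain.com")),
        ("http, no redirect", check_http_redirect(HTTP_NO_REDIRECT, "www.yourdomain.com")),
        ("https, hardened", check_https_headers(HTTPS_HARDENED)),
        ("https, stock", check_https_headers(HTTPS_STOCK)),
    ):
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

To use it against a live host, feed the output of `curl -si` for the HTTP and HTTPS URLs into `check_http_redirect` and `check_https_headers`; an empty findings list means the deployment behaves as the variables above promise.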

Working in reverse proxy mode

The reverse proxy configuration itself is left to the user, for example:

  location / {
    if ($host = www.website1.com) {
      proxy_pass http://192.168.42.10$request_uri;
    }
  
    if ($host = www.website2.com) {
      proxy_pass http://192.168.42.11$request_uri;
    }
  }

All configuration files (.conf) in the /server-confs directory are included in the server context, so it is enough to mount the volume with your configs into the container:

docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_FILES=no -e DISABLE_DEFAULT_SERVER=yes -v /path/to/server/conf:/server-confs bunkerity/bunkerized-nginx

Here:

SERVER_NAME – list of Host header values the server will accept
SERVE_FILES – allows (yes) or forbids (no) nginx to serve files from /www
DISABLE_DEFAULT_SERVER – nginx will not answer requests whose Host is not in the SERVER_NAME list (the catch-all default server is disabled)
More configuration options are documented here

Working behind a reverse proxy

docker run -p 80:80 -v /path/to/web/files:/www -e PROXY_REAL_IP=yes bunkerity/bunkerized-nginx

With PROXY_REAL_IP=yes the ngx_http_realip_module is enabled, so nginx takes the real client IP from the forwarding header set by the proxy instead of the proxy's own address. This only makes sense when the container is reachable exclusively through that proxy: the address comes from a client-controllable header, so if the container is also exposed directly, anyone can spoof their IP and sidestep the IP-based blocking, rate limiting and fail2ban described above. Check the image's documentation for which proxy addresses and which header it trusts before relying on it.
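To make the trust question concrete, here is an added example (not the image's own code) that mirrors how ngx_http_realip_module walks X-Forwarded-For: the header is consulted only if the TCP peer is a trusted proxy, then addresses are taken from the right while each one is itself a trusted proxy, and the first untrusted address becomes the client. Anything to its left was supplied by the client and is ignored. The trusted ranges, the sample addresses and the `TRUST_EVERYONE` list are constructed for the example; the last one shows what an over-broad trust list does.

```python
"""Resolve the client address behind a reverse proxy the way nginx's realip
module does (recursive and non-recursive), and show why the list of trusted
proxies must be tight. Added example, not bunkerized-nginx code.
"""
import ipaddress
from typing import Optional

# Assumed trusted proxy ranges (what set_real_ip_from would list).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]
# A deliberately wrong configuration used below to demonstrate spoofing.
TRUST_EVERYONE = [ipaddress.ip_network("0.0.0.0/0")]


def is_trusted(addr: str, trusted) -> bool:
    """True if addr is a valid IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def real_client_ip(peer: str, xff: Optional[str],
                   trusted=TRUSTED_PROXIES, recursive: bool = True) -> str:
    """Return what nginx would expose as $remote_addr.

    peer      TCP peer address of the connection
    xff       X-Forwarded-For header value, or None
    trusted   networks allowed to set the header (set_real_ip_from)
    recursive real_ip_recursive on/off
    """
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    chosen = peer
    for hop in reversed(hops):
        if not is_trusted(chosen, trusted):
            break  # the current holder is not a proxy we trust: stop here
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nginx stops and keeps what it has so far
        chosen = hop
        if not recursive:
            break  # real_ip_recursive off: only the right-most hop is used
    return chosen


if __name__ == "__main__":
    # Client 203.0.113.7 tries to pass itself off as 198.51.100.1 by sending
    # its own X-Forwarded-For; two trusted proxies (10.0.0.9, 10.0.0.5) append.
    spoofed = "198.51.100.1, 203.0.113.7, 10.0.0.9"
    print("behind proxy, recursive     :", real_client_ip("10.0.0.5", spoofed))
    print("behind proxy, non-recursive :", real_client_ip("10.0.0.5", spoofed, recursive=False))
    print("direct hit, header ignored  :", real_client_ip("203.0.113.7", "198.51.100.1"))
    print("trust everyone, spoof works :",
          real_client_ip("203.0.113.7", "198.51.100.1", trusted=TRUST_EVERYONE))
```

The non-recursive case is the one that bites deployments with more than one proxy layer: nginx then reports the inner proxy's address, so every visitor looks like the same IP and fail2ban or rate limiting would ban the proxy rather than the attacker.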

Mandatory anti-bot check

docker run -p 80:80 -v /path/to/web/files:/www -e USE_ANTIBOT=captcha bunkerity/bunkerized-nginx

With USE_ANTIBOT=captcha every visitor is forced to solve a captcha on first entry. The cookie, javascript and recaptcha modes are also available. Docs here.

There are also examples in the repository, here

Conclusion

bunkerized-nginx is a convenient option for those who need to launch nginx quickly and not spend their own time on its hardening, vulnerability fixes and privacy settings afterwards. A ready-made container starts with literally one line. At the same time, despite the simple start, it is still a full-fledged nginx with all its functionality, so everything can be configured as flexibly as you need.
