How to make nginx secure
TL;DR: there are no absolutely secure systems, so the honest answer is that you can't. But you can make your life much easier with a Docker container: bunkerized-nginx. Let's talk about how it differs from the standard nginx image and what interesting things it can do, under the cut.
Bunker Server
For me, the word bunkerized applied to a server is associated exclusively with Cyberbunker, and here the analogy is, in principle, appropriate. The French team Bunkerity develops ready-made secure images for nginx, mariadb, php and phpmyadmin, promising protection against intrusion, bots and indexers, brute force and dangerous files, just as the owners of the pirate bunker once guaranteed security and anonymity.
Scanners cannot see the server https://demo-nginx.bunkerity.com/ although it is available in the browser
Real features
In addition to the standard advantages of nginx in docker, we get:
- HTTPS support with Let's Encrypt auto-renewal
- Up-to-date web protection: HTTP security headers, php.ini hardening, memory leak prevention and more
- Built-in ModSecurity firewall with the OWASP Core Rule Set
- Automatic blocking of suspicious activity through fail2ban
- Protection against bot attacks: mandatory verification by captcha / cookies / custom JS (an analogue of Attack mode in Cloudflare)
- Blocking of Tor (onion) connections and proxies, of suspicious or banned user agents, and even by the country the request comes from
- Automatic IP check against DNSBL blacklists
- Protection against brute force (request rate limiting)
- Detection of dangerous or corrupted files with ClamAV
- Compact configuration via environment variables
- Support for non-standard architectures such as arm32v7
Some of this looks trite, some may seem superfluous (why should I care about rebuilding nginx if I run the container on x86_64?), but thanks to the flexible configuration almost everything can be customized to your taste and needs.
Running
Installation
docker pull bunkerity/bunkerized-nginx
HTTP server with default settings
docker run -p 80:80 -v /path/to/web/files:/www bunkerity/bunkerized-nginx
The files are served from the /www directory.
HTTPS server with automatic Let’s Encrypt management
docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -v /where/to/save/certificates:/etc/letsencrypt -e SERVER_NAME=www.yourdomain.com -e AUTO_LETS_ENCRYPT=yes -e REDIRECT_HTTP_TO_HTTPS=yes bunkerity/bunkerized-nginx
The certificates are stored in the /etc/letsencrypt directory. You can prevent the server from listening on HTTP by adding LISTEN_HTTP=no. Don't forget to set up the redirect, because Let's Encrypt needs port 80 open.
The following variables were used here:
SERVER_NAME – FQDN (fully qualified domain name) of your server
AUTO_LETS_ENCRYPT – automatically creates and renews Let's Encrypt certificates
REDIRECT_HTTP_TO_HTTPS – redirects HTTP to HTTPS (obviously)
Working in reverse proxy mode
The reverse proxy configuration itself is left to the user:
location / {
    if ($host = www.website1.com) {
        proxy_pass http://192.168.42.10$request_uri;
    }
    if ($host = www.website2.com) {
        proxy_pass http://192.168.42.11$request_uri;
    }
}
All configuration files (.conf) in the /server-confs directory are included in the server context. It is enough to mount the volume with the configs into the container:
docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_FILES=no -e DISABLE_DEFAULT_SERVER=yes -v /path/to/server/conf:/server-confs bunkerity/bunkerized-nginx
Here:
SERVER_NAME – list of valid Host headers sent by the client
SERVE_FILES – allows (yes) or disallows (no) nginx to serve files from /www
DISABLE_DEFAULT_SERVER – nginx will not respond to requests whose Host is not in the SERVER_NAME list
Here you can find more flexible customization tools
Working behind a reverse proxy
docker run -p 80:80 -v /path/to/web/files:/www -e PROXY_REAL_IP=yes bunkerity/bunkerized-nginx
With PROXY_REAL_IP=yes the ngx_http_realip_module nginx module is enabled, so the real client IP is recovered from behind the proxy.
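The protections listed above (fail2ban, country blocking, rate limiting) act on whatever address nginx believes is the client, so it matters which X-Forwarded-For value the realip module picks and from whom it accepts the header. The following Python is an added example, not part of the original article or the bunkerized-nginx project: it models the selection logic of ngx_http_realip_module (nginx's set_real_ip_from and real_ip_recursive directives) with a constructed trusted-proxy range and constructed header values, and simplifies nginx's handling of malformed addresses by falling back to the direct peer.

```python
import ipaddress
from typing import List, Optional

# Constructed trusted-proxy range for this example (stands in for
# nginx's set_real_ip_from directives; the article lists none).
TRUSTED_PROXIES = ["10.0.0.0/8"]


def _is_trusted(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def resolve_real_ip(remote_addr: str, xff: Optional[str],
                    trusted_cidrs: List[str] = TRUSTED_PROXIES,
                    recursive: bool = True) -> str:
    """Model of how ngx_http_realip_module picks the client address.

    remote_addr: the TCP peer nginx actually sees ($remote_addr).
    xff:         the X-Forwarded-For header value, or None.
    recursive:   real_ip_recursive on (True) / off (False).
    Returns the address fail2ban, country blocking etc. would act on.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    # The header is honoured only when the direct peer is a trusted proxy;
    # otherwise any client could spoof an arbitrary address.
    if not nets or not _is_trusted(remote_addr, nets):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if not hops:
        return remote_addr
    try:
        for hop in hops:
            ipaddress.ip_address(hop)  # reject garbage such as "evil"
    except ValueError:
        return remote_addr  # simplification: ignore a malformed header
    if not recursive:
        return hops[-1]  # last hop only, whatever it is
    # Walk from the right, skipping our own proxies; the first untrusted
    # address is the real client. Values the client prepended are ignored.
    for hop in reversed(hops):
        if not _is_trusted(hop, nets):
            return hop
    return hops[0]  # every hop was a trusted proxy


if __name__ == "__main__":
    print(resolve_real_ip("10.0.0.5", "9.9.9.9, 203.0.113.7"))  # 203.0.113.7
    print(resolve_real_ip("198.51.100.9", "203.0.113.7"))       # 198.51.100.9
```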
Mandatory anti-bot check
docker run -p 80:80 -v /path/to/web/files:/www -e USE_ANTIBOT=captcha bunkerity/bunkerized-nginx
With USE_ANTIBOT=captcha, every user is forced to pass a captcha on entry. The options cookie, javascript and recaptcha are also available. Docs here…
There are also examples in the repository, here…
Conclusion
bunkerized-nginx is a convenient option for those who need to launch nginx quickly and not worry about its security, vulnerability fixes and privacy afterwards. Literally in one line you can launch a ready-made container and forget about it. At the same time, despite the simple start, it is still a full-fledged nginx with all of its functionality, which lets you configure everything as flexibly as you like.