secure and top performance config for /etc/nginx/nginx.conf

[Navid]

Hi, I hope you are be fine. Kindly guide me on how can make a high secure and top performance config for 

 /etc/nginx/nginx.conf 

which help the server against attacker and keep server more secure and mitigate attacks.

Kindly share the whole ngnix.conf here with full details.

thank you very much.

[Sandeep B.]

Hi what you're looking specifically?

[Navid]

HI, I mean on how can hardening the server by nginx.conf more than usual

user nobody;
worker_processes auto;
#worker_rlimit_nofile    65535;
error_log               /var/log/nginx/error.log crit;
pid                     /var/run/nginx.pid;

events {
	worker_connections  1024;
	use                 epoll;
	multi_accept        on;

}
http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	client_header_timeout 3m;
	client_body_timeout 3m;
	client_max_body_size 256m;
	client_header_buffer_size 4k;
	client_body_buffer_size 256k;
	large_client_header_buffers 4 32k;
	send_timeout 3m;
	keepalive_timeout 60 60;
	reset_timedout_connection       on;
	server_names_hash_max_size 1024;
	server_names_hash_bucket_size 1024;
	ignore_invalid_headers on;
	connection_pool_size 256;
	request_pool_size 4k;
	output_buffers 4 32k;
	postpone_output 1460;

	include mime.types;
	default_type application/octet-stream;

	# Compression gzip
	gzip on;
	gzip_vary on;
	gzip_disable "MSIE [1-6]\.";
	gzip_proxied any;
	gzip_min_length 512;
	gzip_comp_level 6;
	gzip_buffers 8 64k;
	gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

	# Proxy settings
	proxy_redirect      off;
	proxy_set_header    Host            $host;
	proxy_set_header    X-Real-IP       $remote_addr;
	proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header   Set-Cookie;
	proxy_connect_timeout   300;
	proxy_send_timeout  300;
	proxy_read_timeout  300;
	proxy_buffers       32 4k;
	proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
	proxy_cache_key "$host$request_uri $cookie_user";
	proxy_temp_path  /var/cache/nginx/temp;
	proxy_ignore_headers Expires Cache-Control;
	proxy_cache_use_stale error timeout invalid_header http_502;
	proxy_cache_valid any 1d;

	open_file_cache_valid 120s;
	open_file_cache_min_uses 2;
	open_file_cache_errors off;
	open_file_cache max=5000 inactive=30s;
	open_log_file_cache max=1024 inactive=30s min_uses=2;

	# SSL Settings
	ssl_session_cache   shared:SSL:10m;
	ssl_protocols       TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

	# Logs
	log_format  main    '$remote_addr - $remote_user [$time_local] $request '
		                '"$status" $body_bytes_sent "$http_referer" '
		                '"$http_user_agent" "$http_x_forwarded_for"';
	log_format  bytes   '$body_bytes_sent';
	#access_log          /var/log/nginx/access.log main;
	access_log off;

	# Cache bypass
	map $http_cookie $no_cache {
		default 0;
		~SESS 1;
		~wordpress_logged_in 1;
	}

	# Include additional configuration
	include /etc/nginx/cloudflare.inc;
	include /etc/nginx/conf.d/*.conf;
}

I mean what else we have to add to the above config file to make it more secure and highly performance

kindly guide us. thank you

[Sandeep B.]

hi replace these lines :

worker_rlimit_nofile    65535;
	worker_connections  5000;

final config :

user nobody;
worker_processes auto;
worker_rlimit_nofile    65535;
error_log               /var/log/nginx/error.log crit;
pid                     /var/run/nginx.pid;

events {
	worker_connections  5000;
	use                 epoll;
	multi_accept        on;

}
http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	client_header_timeout 3m;
	client_body_timeout 3m;
	client_max_body_size 256m;
	client_header_buffer_size 4k;
	client_body_buffer_size 256k;
	large_client_header_buffers 4 32k;
	send_timeout 3m;
	keepalive_timeout 60 60;
	reset_timedout_connection       on;
	server_names_hash_max_size 1024;
	server_names_hash_bucket_size 1024;
	ignore_invalid_headers on;
	connection_pool_size 256;
	request_pool_size 4k;
	output_buffers 4 32k;
	postpone_output 1460;

	include mime.types;
	default_type application/octet-stream;

	# Compression gzip
	gzip on;
	gzip_vary on;
	gzip_disable "MSIE [1-6]\.";
	gzip_proxied any;
	gzip_min_length 512;
	gzip_comp_level 6;
	gzip_buffers 8 64k;
	gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

	# Proxy settings
	proxy_redirect      off;
	proxy_set_header    Host            $host;
	proxy_set_header    X-Real-IP       $remote_addr;
	proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header   Set-Cookie;
	proxy_connect_timeout   300;
	proxy_send_timeout  300;
	proxy_read_timeout  300;
	proxy_buffers       32 4k;
	proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
	proxy_cache_key "$host$request_uri $cookie_user";
	proxy_temp_path  /var/cache/nginx/temp;
	proxy_ignore_headers Expires Cache-Control;
	proxy_cache_use_stale error timeout invalid_header http_502;
	proxy_cache_valid any 1d;

	open_file_cache_valid 120s;
	open_file_cache_min_uses 2;
	open_file_cache_errors off;
	open_file_cache max=5000 inactive=30s;
	open_log_file_cache max=1024 inactive=30s min_uses=2;

	# SSL Settings
	ssl_session_cache   shared:SSL:10m;
	ssl_protocols       TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

	# Logs
	log_format  main    '$remote_addr - $remote_user [$time_local] $request '
		                '"$status" $body_bytes_sent "$http_referer" '
		                '"$http_user_agent" "$http_x_forwarded_for"';
	log_format  bytes   '$body_bytes_sent';
	#access_log          /var/log/nginx/access.log main;
	access_log off;

	# Cache bypass
	map $http_cookie $no_cache {
		default 0;
		~SESS 1;
		~wordpress_logged_in 1;
	}

	# Include additional configuration
	include /etc/nginx/cloudflare.inc;
	include /etc/nginx/conf.d/*.conf;
}

 

[Navid]

Hi, dear Sandeep you're always very helpful, God Bless you.

 

I added the config like below: 

user nobody;
worker_processes auto;
#worker_rlimit_nofile    65535;
error_log               /var/log/nginx/error.log crit;
pid                     /var/run/nginx.pid;

events {
	worker_connections  1024;
	use                 epoll;
	multi_accept        on;

}
http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	client_header_timeout 3m;
	client_body_timeout 3m;
	client_max_body_size 256m;
	client_header_buffer_size 4k;
	client_body_buffer_size 256k;
	large_client_header_buffers 4 32k;
	send_timeout 3m;
	keepalive_timeout 60 60;
	reset_timedout_connection       on;
	server_names_hash_max_size 1024;
	server_names_hash_bucket_size 1024;
	ignore_invalid_headers on;
	connection_pool_size 256;
	request_pool_size 4k;
	output_buffers 4 32k;
	postpone_output 1460;
    server_tokens off;

	include mime.types;
	default_type application/octet-stream;

	# Compression gzip
	gzip on;
	gzip_vary on;
	gzip_disable "MSIE [1-6]\.";
	gzip_proxied any;
	gzip_min_length 512;
	gzip_comp_level 6;
	gzip_buffers 8 64k;
	gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

	# Proxy settings
	proxy_redirect      off;
	proxy_set_header    Host            $host;
	proxy_set_header    X-Real-IP       $remote_addr;
	proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header   Set-Cookie;
	proxy_connect_timeout   300;
	proxy_send_timeout  300;
	proxy_read_timeout  300;
	proxy_buffers       32 4k;
	proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
	proxy_cache_key "$host$request_uri $cookie_user";
	proxy_temp_path  /var/cache/nginx/temp;
	proxy_ignore_headers Expires Cache-Control;
	proxy_cache_use_stale error timeout invalid_header http_502;
	proxy_cache_valid any 1d;

	open_file_cache_valid 120s;
	open_file_cache_min_uses 2;
	open_file_cache_errors off;
	open_file_cache max=5000 inactive=30s;
	open_log_file_cache max=1024 inactive=30s min_uses=2;

	# SSL Settings
	ssl_session_cache   shared:SSL:10m;
	ssl_protocols       TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

	# Logs
	log_format  main    '$remote_addr - $remote_user [$time_local] $request '
		                '"$status" $body_bytes_sent "$http_referer" '
		                '"$http_user_agent" "$http_x_forwarded_for"';
	log_format  bytes   '$body_bytes_sent';
	#access_log          /var/log/nginx/access.log main;
	access_log off;

	# Cache bypass
	map $http_cookie $no_cache {
		default 0;
		~SESS 1;
		~wordpress_logged_in 1;
	}

	# Include additional configuration
	include /etc/nginx/cloudflare.inc;
	include /etc/nginx/conf.d/*.conf;
}

and added those line you recommend and the below line as well:  server_tokens off;

 

kindly recommend us more to make is more secure and stable and high perfromance please

 

regards.

[overseer]

What is your use case? Nginx has specific "recipes" you can replicate for various CMS platforms if you want to tune it to better support the platform you are using. I have some WordPress sites, a Drupal site, and a Joomla site running under different Nginx vhosts, so each is tuned for its specific use. Or are you looking for a general purpose performance boost?