Boost Nginx Security: Essential Configurations You Must Apply
This article outlines practical Nginx security settings—including hiding version info, enabling HTTPS, configuring allow/deny lists, basic authentication, request method restrictions, user‑agent blocking, hotlink protection, connection limits, buffer size tweaks, timeout adjustments, and secure response headers—to help harden your web server against common attacks.
Security is no small matter; start with Nginx configuration.
Following the previous article on common Nginx configurations, this post summarizes security‑related settings.
Hide Version Number
http {
    server_tokens off;
}

Hiding the version number removes it from the Server header and from Nginx error pages, which denies attackers an easy fingerprint for version‑specific vulnerabilities; it is not a substitute for keeping the server updated.
Enable HTTPS
server {
    listen 443 ssl;
    server_name ops-coffee.cn;
    ssl_certificate /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

listen ... ssl : enable HTTPS on the listening port. This replaces the older ssl on; directive, which was deprecated in Nginx 1.15.0 and removed in 1.25.1.
ssl_certificate : path to the certificate (the full chain, including any intermediates).
ssl_certificate_key : path to the private key.
ssl_protocols : allowed TLS versions. TLS 1.0 and 1.1 are deprecated (RFC 8996) and should no longer be offered.
ssl_ciphers : permitted cipher suites in OpenSSL syntax; HIGH:!aNULL:!MD5 keeps high‑strength suites and excludes unauthenticated and MD5‑based ones.
Add Allow/Deny Lists
Whitelist example:
location /admin/ {
    allow 192.168.1.0/24;
    deny all;
}

The above allows only the 192.168.1.0/24 network and denies all others.
Blacklist example:
location /ops-coffee/ {
    deny 192.168.1.0/24;
    allow all;
}

When requests arrive through a proxy, $remote_addr is the proxy's address, so you can filter on $http_x_forwarded_for instead:

set $allow false;
if ($http_x_forwarded_for = "211.144.204.2") { set $allow true; }
if ($http_x_forwarded_for ~ "108\.2\.66\.[89]") { set $allow true; }
if ($allow = false) { return 404; }

Note that X-Forwarded-For is supplied by the client unless the proxy in front of Nginx overwrites or appends to it, so rely on it only when that proxy does. The ngx_http_realip_module (set_real_ip_from, real_ip_header) rewrites $remote_addr from a trusted proxy's header, so that the ordinary allow/deny directives see the real client address.

Add Basic Authentication
server {
    location / {
        auth_basic "please input user&passwd";
        auth_basic_user_file key/auth.key;
    }
}

Details on basic authentication are covered in the previous article.
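The X-Forwarded-For filter in the allow/deny section above compares the raw header value, which the client controls unless a proxy rewrites it. As an added example (not from the article), the following Python derives the client address the way the realip module does with real_ip_recursive on, walking the header from the right past trusted proxies, and applies the /admin/ allow list to the result; all addresses and the header_only_allowed helper are hypothetical.

```python
import ipaddress

# Constructed trust configuration (all addresses hypothetical): the reverse proxies
# allowed to append to X-Forwarded-For, and the networks admitted to /admin/.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("192.168.1.0/24")]

def header_only_allowed(xff_header):
    """The article's approach: compare the raw header value to a fixed address."""
    return xff_header.strip() == "192.168.1.7"

def client_ip(remote_addr, xff_header):
    """Derive the client address the way the realip module does with
    real_ip_recursive on: start at the TCP peer, walk X-Forwarded-For from the
    right, and stop at the first hop that is not a trusted proxy. Values the
    client itself placed at the front of the header are never reached."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    current = ipaddress.ip_address(remote_addr)
    while hops and any(current in net for net in TRUSTED_PROXIES):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:      # unparsable hop: keep the last trustworthy address
            break
    return current

def admin_allowed(remote_addr, xff_header):
    """allow 192.168.1.0/24; deny all; applied to the derived client address."""
    ip = client_ip(remote_addr, xff_header)
    return any(ip in net for net in ADMIN_ALLOWLIST)
```

A client connecting directly with a forged header "192.168.1.7" passes header_only_allowed but not admin_allowed, because its own address is not a trusted proxy and the header is never consulted.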
Restrict Request Methods
if ($request_method !~ ^(GET|POST)$ ) {
    return 405;
}

The variable $request_method holds the HTTP method; this configuration permits only GET and POST and answers everything else with 405 Method Not Allowed. Note that this also rejects HEAD and OPTIONS, which some monitoring tools and browsers use.
Block Malicious User‑Agents
if ($http_user_agent ~* "LWP::Simple|BBBike|wget|curl") {
    return 444;
}

Status 444 is Nginx‑specific: it closes the connection without sending any response, so the client sees nothing, which hides the site from simple automated scanners. The User‑Agent header is client‑supplied, so this blocks only tools that do not change it.
Prevent Image Hotlinking
location /images/ {
    valid_referers none blocked www.ops-coffee.cn ops-coffee.cn;
    if ($invalid_referer) {
        return 403;
    }
}

valid_referers sets $invalid_referer when the Referer header does not match: none accepts requests without a Referer, and blocked accepts Referers that a proxy or firewall has stripped or masked. You can also redirect invalid requests to a placeholder image:

location /images/ {
    valid_referers blocked www.ops-coffee.cn ops-coffee.cn;
    if ($invalid_referer) {
        rewrite ^/images/.*\.(gif|jpg|jpeg|png)$ /static/qrcode.jpg last;
    }
}

Limit Concurrent Connections
Use the ngx_http_limit_conn_module to restrict connections per IP:
http {
    limit_conn_zone $binary_remote_addr zone=ops:10m;
    server {
        listen 80;
        server_name ops-coffee.cn;
        root /home/project/webapp;
        index index.html;
        location / {
            limit_conn ops 10;
        }
        access_log /tmp/nginx_access.log main;
    }
}

limit_conn_zone defines a shared memory zone for storing connection counters, keyed here by the client address; limit_conn applies a limit to a specific zone. Several zones can be combined, for example one per client and one for the virtual server as a whole:

http {
    limit_conn_zone $binary_remote_addr zone=ops:10m;
    limit_conn_zone $server_name zone=coffee:10m;
    server {
        listen 80;
        server_name ops-coffee.cn;
        root /home/project/webapp;
        index index.html;
        location / {
            limit_conn ops 10;
            limit_conn coffee 2000;
        }
    }
}

The first limit restricts each IP to 10 connections; the second limits total connections for the virtual server to 2000.
Mitigate Buffer Overflow Attacks
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

These directives cap the size of request bodies and headers so that a single request cannot tie up large amounts of memory; a body larger than client_max_body_size is rejected with 413 Request Entity Too Large. Values this small also reject legitimate uploads and long cookies, so size them to what your application actually needs.
Adjust timeout settings as needed:
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;

client_body_timeout and client_header_timeout define how long Nginx waits between successive reads of the body or header; keepalive_timeout sets the idle keep‑alive period (the second value is advertised to the client in the Keep-Alive header); send_timeout limits the time between successive writes of a response.
Secure Response Headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src 'self'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

These headers protect against clickjacking, XSS and MIME sniffing, and enforce HTTPS usage. Two Nginx details matter here: add_header directives are inherited from the enclosing level only when the current level defines none of its own, so a single add_header inside a location silently drops all of the above for that location; and without the always parameter the headers are added only to successful and redirect responses, not to error pages. X-XSS-Protection is a legacy header that current browsers ignore; Content-Security-Policy now does that work.
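As an added example (not from the article), a small Python audit that parses an Nginx configuration and flags three of the items covered above: deprecated TLS versions in ssl_protocols, a server block whose effective headers lack any of the recommended security headers, and an add_header placed inside a nested block, which discards the inherited headers. The sample configuration and its paths are constructed for the demonstration.

```python
import re

# Constructed sample (hypothetical paths) with three weaknesses: TLS 1.0/1.1 allowed,
# HSTS and CSP missing, and an add_header inside a location that drops the server's.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff";
        location /api/ { add_header Cache-Control "no-store"; }  # drops the two above
    }
}
"""
REQUIRED_HEADERS = {"X-Frame-Options", "X-Content-Type-Options",
                    "Content-Security-Policy", "Strict-Transport-Security"}

def parse(text):
    """Parse nginx syntax into (name, args, children); children is None for simple directives."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))
    def block(pos):
        items, cur = [], []
        while pos < len(tokens):
            tok = tokens[pos]; pos += 1
            if tok == "}":
                break
            if tok in ";{":                          # end of a simple directive or start of a block
                kids, pos = (None, pos) if tok == ";" else block(pos)
                items.append((cur[0], [a.strip("\"'") for a in cur[1:]], kids)); cur = []
            else:
                cur.append(tok)
        return items, pos
    return block(0)[0]

def audit(conf):
    """Return findings for the hardening items covered in this article."""
    findings = []
    def walk(items, inherited, kind):
        own = {a[0] for n, a, _ in items if n == "add_header"}
        if own and inherited:                        # add_header inherits only when a level sets none
            findings.append(f"{kind}: add_header here discards inherited {sorted(inherited)}")
        effective = own or inherited
        if kind == "server" and REQUIRED_HEADERS - effective:
            findings.append(f"server missing headers {sorted(REQUIRED_HEADERS - effective)}")
        for name, args, kids in items:
            if name == "ssl_protocols" and {"TLSv1", "TLSv1.1"} & set(args):
                findings.append("TLS 1.0/1.1 enabled; allow only TLSv1.2 TLSv1.3")
            if kids is not None:
                walk(kids, effective, name)
    walk(parse(conf), set(), "main")
    return findings
```

Running audit(SAMPLE_CONF) returns one finding per weakness; running it over your own nginx.conf requires resolving include directives first, which this parser does not do.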
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.