Top 12 Proven Strategies to Secure Your Nginx Web Server

This guide outlines twelve practical steps—including keeping Nginx up‑to‑date, removing unused modules, disabling version disclosure, blocking malicious user agents, limiting HTTP methods, setting buffer limits, and configuring TLS—to harden Nginx servers against common attacks.

ITFLY8 Architecture Home

Nginx is a lightweight web server, reverse proxy, and mail proxy released under a BSD‑like license. It is memory‑efficient and handles high concurrency, powering major Chinese sites such as Baidu, JD, Sina, NetEase, Tencent, and Taobao. The following tips help improve its security and stability.

1: Keep Nginx Up‑to‑Date

The current stable version is 1.14.0; upgrading to the latest release picks up bug and security fixes. Binary packages are easier to install, but compiling from source lets you add third‑party modules (e.g., more_header, mod_security) and usually gives you a newer version than the distribution ships.

2: Remove Unused Nginx Modules

When compiling, pass --without-… flags to configure so that modules you do not need are never built (the first line shows the pattern, the second a concrete example):

./configure --without-module1 --without-module2 --without-module3
./configure --without-http_dav_module --without-http_spdy_module

Before disabling a module, check the Nginx documentation to confirm that none of the directives in your configuration belong to it; a configuration that uses a directive from a module that was not compiled in fails with an "unknown directive" error when Nginx starts or when you run nginx -t.

3: Disable server_tokens

Leaving server_tokens on reveals the exact Nginx version in the Server response header and on default error pages, which lets attackers fingerprint the server and look up version‑specific weaknesses. Set it to off; the directive is valid in the http, server and location contexts, as in the server block below.

server {
    listen 192.168.0.25:80;
    server_tokens off;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    access_log /var/www/logs/tecmintlovesnginx.access.log;
    error_log /var/www/logs/tecmintlovesnginx.error.log error;
    root /var/www/tecmintlovesnginx.com/public_html;
    index index.html index.htm;
}

# Restart Nginx for the change to take effect.

4: Block Malicious HTTP User Agents

Create a file (e.g., /etc/nginx/blockuseragents.rules) listing unwanted agents and map them to a variable.

map $http_user_agent $blockedagent {
    default 0;
    ~*malicious 1;
    ~*bot 1;
    ~*backdoor 1;
    ~*crawler 1;
    ~*bandit 1;
}

Include the file at the http level (map is only allowed there) and, in the server block, use an if statement on $blockedagent to reject matching requests. Because the patterns are case‑insensitive regular expressions, a broad term such as bot will also match legitimate search‑engine crawlers, so review the list against your own access logs.

5: Disable Unnecessary HTTP Methods

Inside the server block, close the connection without a response (Nginx's non‑standard status 444) for any method other than GET, HEAD and POST:

if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 444;
}

6: Set Buffer Size Limits

client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

These limits bound how much memory a single request can consume, which mitigates buffer‑overflow attacks and oversized‑request denial of service. Note that client_max_body_size 1k makes Nginx answer 413 to any request body larger than 1 KB, so raise it if the application accepts form posts or file uploads.

7: Limit Maximum Connections

limit_conn_zone $binary_remote_addr zone=addr:5m;
limit_conn addr 1;

limit_conn_zone belongs in the http block; limit_conn may be set in the http, server or location context. A value of 1 allows a single concurrent connection per client address, which is very strict, since browsers open several connections in parallel and users behind one NAT address share the limit; choose the value to match your traffic.

8: Configure Log Monitoring

When a connection is rejected by the limit above, Nginx writes an entry naming the zone ("addr") to the error log, so grepping for the zone name shows who is hitting the limit. The access log supplies the rest of the picture: client IP, browser (user agent), request method, request line and the status the server returned.

grep addr /var/www/logs/tecmintlovesnginx.error.log --color=auto
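The following is an added example, not configuration from the original article: the fragments from tips 4 through 8 assembled in the contexts Nginx requires (map, limit_conn_zone and log_format in the http block; the if statements, buffer limits and limit_conn in the server block), with a log format that records the fields tip 8 suggests inspecting. Paths and host names are the article's; the format name "hardened" is an assumption.

```nginx
# Added example (not from the original article). The rules file holds the
# map from tip 4; map, limit_conn_zone and log_format are only valid here.
http {
    include /etc/nginx/blockuseragents.rules;          # tip 4: defines $blockedagent

    limit_conn_zone $binary_remote_addr zone=addr:5m;  # tip 7: zone keyed by client IP

    # tip 8: client IP, user agent, method, request line, status, plus the
    # map result so blocked agents are visible without a second grep
    log_format hardened '$remote_addr "$http_user_agent" $request_method '
                        '"$request" $status blocked=$blockedagent';

    server {
        listen 192.168.0.25:80;
        server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
        server_tokens off;                              # tip 3
        access_log /var/www/logs/tecmintlovesnginx.access.log hardened;
        error_log  /var/www/logs/tecmintlovesnginx.error.log error;
        root /var/www/tecmintlovesnginx.com/public_html;
        index index.html index.htm;

        # tip 4: the if statement the article describes but does not show;
        # the map yields 0 for unmatched agents, which if treats as false
        if ($blockedagent) {
            return 403;
        }

        # tip 5: close the connection for anything but GET, HEAD and POST
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 444;
        }

        # tip 6: request size limits (1k bodies reject most uploads; raise
        # client_max_body_size if the application accepts form or file data)
        client_body_buffer_size 1k;
        client_header_buffer_size 1k;
        client_max_body_size 1k;
        large_client_header_buffers 2 1k;

        limit_conn addr 1;                              # tip 7: one connection per IP
    }
}
```

Check the result with nginx -t before reloading; rejected connections then appear in the error log under zone "addr" and blocked user agents as 403 lines with blocked=1 in the access log.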

9: Prevent Image Hotlinking

location /img/ {
    valid_referers none blocked 192.168.0.25;
    if ($invalid_referer) { return 403; }
}

10: Disable SSL, Use TLS Only

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Listing only TLS versions means SSLv2 and SSLv3 are never offered. TLS 1.0 and 1.1 are themselves deprecated (RFC 8996), so drop them as well unless you must support legacy clients.

11: Enable HTTPS with Certificates

Generate a private key, a certificate signing request and a self‑signed certificate; the cp and openssl rsa steps strip the passphrase from the key so Nginx can start unattended, and the resulting certificate is only suitable for testing because browsers will not trust it (for production, send the CSR to a CA instead of self‑signing).

# openssl genrsa -aes256 -out tecmintlovesnginx.key 1024
# openssl req -new -key tecmintlovesnginx.key -out tecmintlovesnginx.csr
# cp tecmintlovesnginx.key tecmintlovesnginx.key.org
# openssl rsa -in tecmintlovesnginx.key.org -out tecmintlovesnginx.key
# openssl x509 -req -days 365 -in tecmintlovesnginx.csr -signkey tecmintlovesnginx.key -out tecmintlovesnginx.crt

Then reference the certificate and key in the HTTPS server block:

server {
    listen 192.168.0.25:443 ssl;
    server_tokens off;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    root /var/www/tecmintlovesnginx.com/public_html;
    ssl_certificate /etc/nginx/sites-enabled/certs/tecmintlovesnginx.crt;
    ssl_certificate_key /etc/nginx/sites-enabled/certs/tecmintlovesnginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

12: Redirect HTTP to HTTPS

Place this in the server block that listens on port 80 so every plain‑HTTP request is permanently redirected to the same path over HTTPS:

return 301 https://$server_name$request_uri;
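The following is an added example, not configuration from the original article: tips 10 to 12 combined, with a port‑80 server that only redirects and a port‑443 server that serves content. It goes beyond the article by offering only TLS 1.2 and 1.3 and by adding an HSTS header; certificate paths and host names are the article's.

```nginx
# Added example (not from the original article). Tip 12: the redirect lives
# in its own port-80 server so no content is ever served over plain HTTP.
server {
    listen 192.168.0.25:80;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    server_tokens off;
    # $server_name is the first name in server_name; use $host instead if
    # the redirect should keep whichever name the client used
    return 301 https://$server_name$request_uri;
}

server {
    listen 192.168.0.25:443 ssl;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    server_tokens off;
    root /var/www/tecmintlovesnginx.com/public_html;
    index index.html index.htm;

    # Tip 11: certificate and key from the openssl steps above. The article
    # generates a 1024-bit RSA key; 2048 bits is the usual minimum today.
    ssl_certificate     /etc/nginx/sites-enabled/certs/tecmintlovesnginx.crt;
    ssl_certificate_key /etc/nginx/sites-enabled/certs/tecmintlovesnginx.key;

    # Tip 10: TLS only, without the deprecated 1.0 and 1.1 versions.
    # TLSv1.3 requires Nginx built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # HSTS: browsers that have seen this header keep using HTTPS for a year
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```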

Conclusion

These twelve techniques cover the common ways an Nginx server is exposed: outdated builds, unnecessary modules, version disclosure, abusive clients, oversized requests, hotlinking and weak transport security. Readers are encouraged to comment with additional suggestions and share their experiences.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

ITFLY8 Architecture Home