0x00 Foreword
Compared with the previous posts on Apache security configuration, PHP security configuration, and MySQL security configuration, I know much less about Nginx. I have hardly used it and know little beyond its parsing vulnerabilities, so this is a good place to start learning.
0x01 Account permission management
1.1 Changing the default user name
Nginx runs as nobody by default. Change the default user name so that others cannot make use of it.
1.2 Add user
(1) Add a group
groupadd -g 108 -r nginx
(2) Add user
useradd -u 108 -r -g 108 nginx
(3) id nginx
1.3 Limiting the account's directory permissions
To keep the account from holding excessive permissions, restrict them in advance as follows:
(1) Use chmod -R on / so that the account loses all permissions
(2) Use chmod -R on html/ to grant permissions on the web directory separately
(3) Run chmod 776 /bin/sh to limit the account's permission to execute commands
By default Nginx runs as nobody, which has no permissions on the directories. Set the site directory so that nobody can read and execute it. Give the upload directory read and write permissions, but never execute permission!
0x02 IP access restrictions
Open the configuration file and, following the syntax shown in the figure, set the IPs that are blocked and the IPs that are allowed.
0x03 File and directory settings
3.1 File permissions
Use the chmod command to set the web directories so that scripts can be executed but not written. A directory must not have both write and execute permissions.
3.2 Directory Access restrictions
Open the nginx configuration file:
autoindex on; # adding this line turns on directory listing
3.3 Execute permissions
Open the nginx configuration file. Taking the upload directory as an example, add the following code to restrict the upload directory.
3.4 Restricting access to TXT files
This prohibits access to a specific type of file; other file types can be set the same way.
Syntax for setting several file types at once:
location ~* \.(txt|doc)$ # denies access to *.txt and *.doc files
0x04 Log file settings
4.1 Enabling the default log configuration
Remove the "#" in front of error_log to record the error log.
Remove the "#" in front of access_log and log_format to record the access log.
- Supplementary: Nginx access logs are mainly controlled by two parameters
- log_format # defines the log format (several formats can be defined, each under a different name)
- access_log # specifies the path of the log file and which log format it uses
For detailed access log settings, see: https://www.cnblogs.com/xuyuQAQ/p/8728773.html
4.2 Restricting access to log files
Set this up the same way as the txt file restriction above.
4.3 Setting permissions on the access log
If the log directory is /app/logs, set the permissions as follows:
chown -R root:root /app/logs
chmod -R 700 /app/logs
0x05 Disabling error information
Hide the Nginx version
Open the configuration file and insert the following code
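The settings described in 0x01 through 0x05, gathered into one configuration as an added example (this is not the original post's code). The server name, web root, the /admin/ and /upload/ paths, the log file names, the format name "main" and the 192.0.2.0/24 range are assumptions chosen for illustration.

```nginx
# Added example; values marked "assumed" are not from the page.
user nginx;                          # 0x01: dedicated account instead of nobody

events {}

http {
    server_tokens off;               # 0x05: hide the Nginx version in headers and error pages

    # 0x04: define a named log format, then point the log files at it
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent"';
    access_log /app/logs/access.log main;    # assumed file name under /app/logs
    error_log  /app/logs/error.log warn;     # assumed file name under /app/logs

    server {
        listen 80;
        server_name example.com;             # assumed
        root /usr/share/nginx/html;          # assumed web root

        autoindex off;               # 3.2: no directory listing (off is also the default)

        # 0x02: rules are checked top to bottom and the first match wins,
        # so the allowed range must come before "deny all".
        location /admin/ {                   # assumed path
            allow 192.0.2.0/24;              # constructed documentation range
            deny  all;
        }

        # 3.3: refuse requests for script files under the upload directory
        location ~* ^/upload/.*\.(php|php5|phtml|sh|pl|py|cgi)$ {   # assumed path
            deny all;
        }

        # 3.4: block direct access to *.txt and *.doc files
        location ~* \.(txt|doc)$ {
            deny all;
        }
    }
}
```

Check the syntax with nginx -t before reloading the service.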
0x06 WAF extension
For Nginx there are three common modules for defending against vulnerabilities: modsecurity, Naxsi, and ngx_lua_waf.
Installing these modules can strengthen security.
Emmmm, leaving this as a placeholder to study later.