Introduction
If you’re a DevOps lead responsible for public‑facing services, Nginx is probably the front‑line web server or reverse proxy in your stack. While it’s lightning‑fast, a mis‑configured instance can become an easy target for attackers. This tutorial walks you through a practical, step‑by‑step hardening checklist that covers TLS best practices, firewall rules, and a few often‑overlooked Linux tweaks.
1. Obtain a Strong TLS Certificate
Use Let’s Encrypt for Automation
# Install certbot (Debian/Ubuntu example)
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
# Request a certificate for example.com and www.example.com
sudo certbot --nginx -d example.com -d www.example.com
- Certbot automatically edits your Nginx config to enable HTTPS.
- It also sets up a systemd timer for automatic renewal.
Prefer ECDSA Over RSA
If your client base includes modern browsers, generate an ECDSA key for better performance:
sudo openssl ecparam -genkey -name secp384r1 -out /etc/ssl/private/example.com.key
sudo openssl req -new -key /etc/ssl/private/example.com.key -out /etc/ssl/csr/example.com.csr
# Then use certbot with the --key-type ecdsa flag
sudo certbot --nginx --key-type ecdsa -d example.com -d www.example.com
2. Harden the Nginx TLS Configuration
Create a dedicated snippet called ssl-strong.conf and include it in your server blocks.
# /etc/nginx/snippets/ssl-strong.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers \
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
Then reference it:
server {
listen 443 ssl http2;
server_name example.com www.example.com;
include snippets/ssl-strong.conf;
# …rest of config…
}
3. Enable HTTP/2 and Brotli Compression
HTTP/2 reduces latency, while Brotli offers better compression ratios than gzip.
# Enable HTTP/2 in the listen directive (already shown above)
# Install Brotli module (Debian example)
sudo apt-get install -y nginx-module-brotli
# Add Brotli settings
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css application/javascript application/json image/svg+xml;
4. Restrict Access with a Host‑Based Firewall
Using UFW (Uncomplicated Firewall)
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (limit to 5 attempts per minute)
sudo ufw limit 22/tcp
# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Fine‑Grained iptables Example
If you need more control, drop traffic from known malicious IP ranges:
# Block a CIDR (example)
sudo iptables -A INPUT -s 185.220.101.0/24 -j DROP
# Log and drop malformed packets
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "[DROP NULL] "
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Persist rules with iptables-persistent or netfilter-persistent.
5. Deploy Fail2Ban for Brute‑Force Protection
Fail2Ban monitors log files and bans IPs that show malicious signs.
sudo apt-get install -y fail2ban
Create a custom jail for Nginx:
# /etc/fail2ban/jail.d/nginx-http-auth.conf
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600
The built‑in nginx-http-auth filter catches repeated 401 responses.
6. Secure File Permissions and Ownership
# Nginx binary and config files should be owned by root:root
sudo chown -R root:root /etc/nginx
sudo chmod -R 644 /etc/nginx/*.conf
sudo chmod 600 /etc/ssl/private/*.key
# Serve static content with a non‑privileged user (www-data)
sudo chown -R www-data:www-data /var/www/html
Avoid running Nginx as root; the master process runs as root only to bind privileged ports, while workers run as www-data.
7. Automate Monitoring and Renewal
SSL Certificate Renewal
Certbot already creates a systemd timer, but verify it:
systemctl list-timers | grep certbot
Health Checks
Add a simple /healthz endpoint that returns 200 OK:
location = /healthz {
access_log off;
return 200 "OK";
add_header Content-Type text/plain;
}
Integrate this endpoint with your monitoring stack (Prometheus node exporter, UptimeRobot, etc.) to get instant alerts if Nginx crashes.
Conclusion
Hardening Nginx is a combination of cryptographic hygiene, network‑level gating, and disciplined operational practices. By following these seven tips—obtaining a strong TLS certificate, tightening cipher suites, enabling HTTP/2 and Brotli, locking down the firewall, adding Fail2Ban, tightening file permissions, and automating monitoring—you’ll dramatically reduce the attack surface of any web service.
If you’re looking for a reliable partner to review your Nginx hardening checklist or need hands‑on assistance with cloud‑native deployments, consider checking out https://lacidaweb.com for practical guidance and support.
Top comments (0)