How to Secure Nginx Web Server and Enable Anti-DDoS Protection

duyanh
Last updated: November 10, 2023
By duyanh Published March 23, 2022

Table of contents

  1. How to Secure Nginx Web Server and Enable Anti-DDoS Protection
    1. Step 1: Set timeout and release resources
    2. Step 2: Hide Nginx version information
    3. Step 3: Block direct access to protected folders in Nginx
    4. Step 4: Prevent attacks via HTTP, MIME sniffing, clickjacking, JavaScript
    5. Step 5: Block access to Nginx Server by IP
    6. Step 6: Prevent DDOS Attacks
      1. Configure Nginx to limit sending requests to Server
      2. Handling bursts limits the number of valid accesses coming in at the same time
      3. Queue processing without delay request (Queueing with No Delay)
      4. Configure Nginx to limit the number of connections
      5. Configure to deny 1 incoming IP on Nginx

Securing the Nginx web server and enabling anti-DDoS protection increases the reliability and load capacity of the system and protects the website from dangerous cyber attacks.

Nginx security is an important part of keeping your website safe. Nginx is a popular and powerful web server used to handle HTTP requests and serve web applications. As attacks become more sophisticated, the Nginx configuration becomes an important first line of defense: it can absorb or reject abusive traffic (DDoS), stop information leaks, and add browser-side protections against clickjacking and MIME sniffing. Note that Nginx cannot fix application bugs such as SQL injection or cross-site scripting (XSS) on its own; those must be fixed in the application itself. The settings below reduce exposure and limit the damage an attacker can do, rather than replacing that work.


Step 1: Set timeout and release resources

client_body_timeout 5s;
client_header_timeout 5s;

Both client_body_timeout and client_header_timeout set limits on how long Nginx waits for parts of the request from the client. Here is a detailed explanation of each setting:

client_body_timeout 5s: When a client submits a POST or PUT request with a body (for example, form data), Nginx waits at most 5 seconds between two successive reads of that body; this is not a limit on the time to receive the whole body. If the client sends nothing for that long, Nginx terminates the request with 408 (Request Time-out) and closes the connection. This prevents slow-body attacks from holding connections open and frees up server resources.

client_header_timeout 5s: The same kind of limit for the request line and headers (User-Agent, Accept-Language, and so on). If the client does not transmit the complete header within 5 seconds, Nginx terminates the request with 408 and closes the connection. This defeats Slowloris-style attacks that send headers a few bytes at a time and ensures the server never waits indefinitely for a request that may never arrive.

Timeout values can be adjusted, but setting them too low cuts off legitimate requests (large uploads, slow mobile links) before they complete. Choose values that suit the request type and network environment: the Nginx default for both is 60 seconds, which is generous for a public site, and a few seconds up to 10 to 15 seconds is a common compromise. To close the other directions in which an idle client can hold a worker connection, set send_timeout and keepalive_timeout to similarly short values.

Step 2: Hide Nginx version information

server_tokens off;

This setting hides the Nginx version number in the "Server" response header and on the built-in error pages. With server_tokens off, responses carry only "Server: nginx" without a specific version. The header itself is not removed (that requires a third-party module such as headers-more), but attackers and scanners can no longer match the exact version against published vulnerabilities.

Step 3: Block direct access to protected folders in Nginx

autoindex off;

This configuration disables directory listings. When a request maps to a directory that has no index file, Nginx returns a 403 error to the user instead of listing the directory's contents, so visitors cannot browse the files on the server (backups, uploads, configuration) through the browser. autoindex is off by default, but setting it explicitly guards against an include or template that turns it on. Note that this does not protect files whose names an attacker already knows; block sensitive paths (dot-files such as .git and .env, backup directories) with a deny rule as well.


Step 4: Prevent attacks via HTTP, MIME sniffing, clickjacking, JavaScript

add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

add_header X-Frame-Options SAMEORIGIN;: This line adds the "X-Frame-Options" HTTP header to the Nginx response. The "SAMEORIGIN" policy tells the browser to render the page inside a frame or iframe only when the framing page has the same origin. This protects against clickjacking, where an attacker loads your page in an invisible frame on their own site and tricks the user into clicking on it. It has no effect on DDoS protection.

add_header Strict-Transport-Security "max-age=31536000";: This line adds the HTTP Strict Transport Security (HSTS) header to the Nginx response. It instructs the browser to reach this host only over HTTPS for the specified period (31536000 seconds, one year) and to refuse to continue past certificate errors, which blocks SSL-stripping and downgrade attacks. Browsers honor the header only when it arrives over a valid HTTPS connection, so set it in the TLS server block. Add includeSubDomains if every subdomain is served over HTTPS, and be aware that once set, a broken certificate locks users out until max-age expires.

add_header X-Content-Type-Options nosniff;: This line adds the "X-Content-Type-Options" HTTP header to the Nginx response. The value "nosniff" tells the browser not to guess a file's type from its content but to use only the type declared in the "Content-Type" header. This prevents MIME sniffing attacks, where a file uploaded as an image or plain text is interpreted and executed as HTML or JavaScript.

add_header X-XSS-Protection "1; mode=block";: This line adds the "X-XSS-Protection" HTTP header to the Nginx response. The value "1; mode=block" enabled the reflected cross-site scripting (XSS) filter built into older browsers, which blocked the page when it detected injected JavaScript. Modern browsers have removed that filter (Chromium dropped it in version 78, Firefox never implemented it) because the filter itself could be abused to leak information, so current guidance is to set the value to "0" or omit the header and rely on a Content-Security-Policy header instead. Keeping the old line is harmless but provides no real protection.

Step 5: Block access to Nginx Server by IP


Attackers and scanners often probe a server by its IP address rather than by hostname. Blocking direct IP access forces clients to use the official domain name, keeps scanners from discovering which sites a server hosts, and prevents your content from being served under a Host header you do not control. Nginx answers such requests with whichever server block is marked default_server for that listening port (or the first one defined if none is marked), so the fix is a dedicated catch-all default server that drops the connection.
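The following puts Steps 1 to 5 together in one configuration. It is an added example, not configuration from the original article: the domain example.com, the certificate paths and the web root are placeholders, and the catch-all server returning 444 is the concrete form of Step 5, which the article describes but does not show.

```nginx
# Added example (not from the original article): Steps 1-5 in one file.
# example.com, the certificate paths and the web root are placeholders.

http {
    # Step 1: timeouts. Each value caps the wait between two successive
    # reads or writes, not the time to transfer the whole request.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    client_max_body_size  8m;    # cap request bodies to bound memory/disk use

    # Step 2: hide the version string ("Server: nginx" is still sent).
    server_tokens off;

    # Step 5: catch-all for requests that arrive by bare IP or an unknown Host.
    # 444 closes the connection without sending any response.
    server {
        listen 80  default_server;
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/ssl/placeholder.crt;   # any self-signed cert
        ssl_certificate_key /etc/nginx/ssl/placeholder.key;
        return 444;
    }

    # The real site, HTTPS only.
    server {
        listen 443 ssl;
        server_name example.com www.example.com;
        ssl_certificate     /etc/ssl/certs/example.com.crt;
        ssl_certificate_key /etc/ssl/private/example.com.key;
        root  /var/www/example.com/public;
        index index.html;

        # Step 3: no directory listings; a directory without an index file gets 403.
        autoindex off;

        # Step 4: security headers. "always" also attaches them to 4xx/5xx
        # responses; without it add_header applies only to 2xx/3xx responses.
        add_header X-Frame-Options           "SAMEORIGIN" always;
        add_header X-Content-Type-Options    "nosniff" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # Modern browsers removed the XSS auditor; "0" switches off any leftover one.
        add_header X-XSS-Protection          "0" always;

        # Deny dot-files (.git, .env, .htaccess) that may sit under the web root.
        location ~ /\. {
            return 404;
        }

        location / {
            try_files $uri $uri/ =404;
            # Caveat: an add_header here would REPLACE every header inherited
            # from the server block, so either add none here or repeat all of them.
        }
    }

    # Plain HTTP only redirects, so HSTS is only ever sent over TLS.
    server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;
    }
}
```

Validate with `nginx -t` before reloading. The two points most often missed in practice are the add_header inheritance rule noted in the `location /` block (a single add_header in a location silently drops all headers set in the server block) and the `always` parameter, without which error pages go out with no security headers at all.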

Step 6: Prevent DDOS Attacks

Implementing robust anti-DDoS protection measures is crucial to safeguard your website. The Nginx measures below mitigate the application-layer (HTTP flood) part of such attacks by rate-limiting and rejecting traffic from individual client addresses, whether those belong to a botnet of compromised machines or to a single abusive client. They cannot absorb a volumetric attack that saturates your network link; for that you need filtering upstream of the server (a CDN or your hosting provider). Within those limits, they improve the resilience of the site and keep it reachable for legitimate users.

Configure Nginx to limit sending requests to Server

You can limit the rate at which NGINX accepts incoming requests to a value typical for real users. For example, a real user who visits the login page is unlikely to submit it more than once every 2 seconds. The configuration below allows a single client IP address to request /login.html once every 2 seconds (equivalent to 30 requests per minute); requests that arrive faster are rejected:

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
server {
    # ...
    location /login.html {
        limit_req zone=one;
    # ...
    }
}

Handling bursts limits the number of valid accesses coming in at the same time

To let a short burst of legitimate requests through without waiting for the rate, the limit_req directive accepts additional parameters (burst and nodelay). Note that these belong to limit_req, not to limit_req_zone, which only defines the key, the shared-memory size and the rate. The example below shows both:

http {
    # limit_req_zone only defines the key, the shared-memory size and the rate;
    # burst and nodelay are parameters of limit_req, not of limit_req_zone.
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=burst:10m rate=10r/s;

    server {
        ...
        
        location / {
            # up to 5 excess requests are queued and released at 1 per second
            limit_req zone=one burst=5;
            # up to 10 excess requests are served at once, then 10 per second
            limit_req zone=burst burst=10 nodelay;
            ...
        }
    }
}


In the above example we have created two request-limiting zones. The "one" zone allows 1 request per second and the "burst" zone allows 10 requests per second; each reserves 10 MB of shared memory keyed by the client IP address ($binary_remote_addr), enough for roughly 160,000 addresses.

In the location / block, both limits are applied, and a request is rejected if either one rejects it. The "one" zone is applied with burst=5, so up to 5 requests that exceed the 1 r/s rate are queued and released one per second instead of being rejected. The "burst" zone is applied with burst=10 nodelay, so up to 10 excess requests are served immediately, after which further requests are rejected until the burst slots refill at 10 per second. Because the stricter zone governs, a client effectively gets 1 request per second with a short queue.


This configuration limits the number of requests in a period of time while still handling bursts of valid accesses. Adjust the burst and rate values to suit the needs and load of your application.

Queue processing without delay request (Queueing with No Delay)

The burst parameter described above smooths the traffic flow by queueing excess requests instead of rejecting them. The queue itself, however, can make your website feel slow.

In the example below, with the zone rate set to 10 requests per second (one every 100 ms) and burst=20, the 20th request in the queue waits 2 seconds before it is processed, which hurts the user experience. To keep bursts fast, add the nodelay parameter alongside burst:

# in the http {} context: 10 requests per second per client IP
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

location /login/ {
    limit_req zone=mylimit burst=20 nodelay;
    proxy_pass https://itsmeit.biz;
}

The above configuration applies the request limit (limit_req) using the zone called "mylimit" inside the location for the /login/ path. Any request whose URL starts with /login/ is subject to the zone's rate and the burst setting.

  • burst=20: lets up to 20 requests beyond the configured rate through from one IP address; the 20 slots refill at the zone rate (10 per second here).
  • nodelay: serves those burst requests immediately instead of queueing them, so there is no artificial delay between requests.

If an IP address uses up the burst (here, 20 excess requests) before the slots refill, further requests are rejected with 503 Service Unavailable by default; limit_req_status changes the code, and 429 Too Many Requests is the conventional choice. Accepted requests are forwarded (proxy_pass) to https://itsmeit.biz and handled by the upstream server.

This limits the load on the server and protects against DDoS attacks or resource abuse (password guessing, scraping) by applying a request limit to /login/.
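The configuration below, added here as an example rather than taken from the original article, places the three limit_req behaviours (no burst, burst, burst with nodelay) side by side on one zone and adds the two-stage form using the delay parameter (available since nginx 1.15.7). The zone name "login", the upstream address and the paths are placeholders.

```nginx
# Added example (not from the original article): limit_req variants on one zone.
# Zone name, upstream and paths are placeholders.

http {
    # 10 requests/second per client IP; 10m of shared memory holds ~160k addresses.
    limit_req_zone $binary_remote_addr zone=login:10m rate=10r/s;

    # Return 429 instead of the default 503 so monitoring can tell rate limiting
    # apart from backend failures, and log each rejection as a warning.
    limit_req_status    429;
    limit_req_log_level warn;

    upstream app { server 127.0.0.1:8080; }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/ssl/certs/example.com.crt;
        ssl_certificate_key /etc/ssl/private/example.com.key;

        # (a) No burst: a request arriving less than 100 ms after the previous
        #     one from the same IP is rejected immediately.
        location /api/strict/ {
            limit_req zone=login;
            proxy_pass http://app;
        }

        # (b) burst=20 without nodelay: up to 20 excess requests are queued and
        #     released one every 100 ms, so the 20th queued request waits 2 s.
        location /api/smooth/ {
            limit_req zone=login burst=20;
            proxy_pass http://app;
        }

        # (c) burst=20 nodelay: the 20 excess slots are served at once; they
        #     refill at 10/s and anything beyond them is rejected with 429.
        location /login/ {
            limit_req zone=login burst=20 nodelay;
            proxy_pass http://app;
        }

        # (d) Two-stage: the first 10 excess requests are served immediately,
        #     the next 10 are delayed to the rate, anything beyond 20 is rejected.
        location /search/ {
            limit_req zone=login burst=20 delay=10;
            proxy_pass http://app;
        }
    }
}
```

Two caveats when deploying this. First, $binary_remote_addr is the address of the TCP peer: behind a CDN or load balancer every request appears to come from the proxy and one client can exhaust the limit for everyone, so restore the real client address with ngx_http_realip_module (set_real_ip_from and real_ip_header) before keying on it. Second, the two-stage form (d) is usually the best default for pages real users click through quickly: it keeps a page load with its assets fast while still slowing a scripted client down rather than rejecting it outright.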

Configure Nginx to limit the number of connections

Another DDoS defense for a secure Nginx web server is to limit the number of simultaneous connections a single client IP address may hold open. For example, you can allow each client IP address to open no more than 10 connections to the /store/ section of your site:

limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
    # ...
    location /store/ {
        limit_conn addr 10;
        # ...
    }
}

Configure to deny 1 incoming IP on Nginx


If your site is under attack, you can identify the attacking IP addresses in the access log and deny their connections. For example, suppose the whole 123.123.123.0/28 range (the 16 addresses from 123.123.123.0 to 123.123.123.15; /28 is the CIDR prefix length, not a port number) is sending continuous requests to the server. The way to configure this in Nginx is to add the range to a deny list:

location / {
    deny 123.123.123.0/28;
    # ...
}

If you have identified several individual IPs, deny each one:

location / {
    deny 123.123.123.3;
    deny 123.123.123.5;
    deny 123.123.123.7;
    # ...
}
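As an added example (not from the original article), the configuration below keeps the deny list in a separate include file so it can be updated without touching the site configuration, applies it to every request at the server level rather than only inside location /, and combines it with the connection limit from the previous section. File paths, the domain and the addresses in the list are placeholders.

```nginx
# Added example (not from the original article): blocklist via geo + limit_conn.
# File paths, domain and addresses are placeholders.

http {
    # /etc/nginx/blocklist.conf holds one "address value;" pair per line, e.g.
    #   123.123.123.0/28 1;
    #   203.0.113.7      1;
    # geo is evaluated once per connection and handles CIDR ranges, so a long
    # list costs far less than a long chain of deny directives.
    geo $blocked {
        default 0;
        include /etc/nginx/blocklist.conf;
    }

    # Per-IP connection cap. Only connections whose request headers have been
    # fully read are counted, so this does not stop half-open Slowloris
    # connections; the client_header_timeout from Step 1 handles those.
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn_status 429;

    server {
        listen 80;
        server_name example.com;
        root /var/www/example.com;

        # Drop blocked clients before any location is matched. 444 closes the
        # connection without a response, spending the least on the attacker.
        if ($blocked) {
            return 444;
        }

        # Default cap for the whole site.
        limit_conn addr 10;

        location /store/ {
            # A limit_conn at this level replaces the inherited one, so the
            # heavier store pages get a tighter cap of 5 connections per IP.
            limit_conn addr 5;
        }

        location / {
            try_files $uri $uri/ =404;
        }
    }
}
```

After editing the blocklist file, run `nginx -t && nginx -s reload`; geo reads the include at configuration load, not on every request. Addresses that appear in the list are dropped before rate limiting or proxying happens, which is the point: for a known attacker the cheapest possible response is no response.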

The above instructions show how to configure DDoS prevention for your website and secure your Nginx web server. Note that deny rules placed inside location / protect only that location; placing them at the server level or in the http context applies them to every request. Additionally, you can put the site behind Cloudflare, whose network absorbs volumetric attacks that no single server can handle on its own.
