Web

Introduction Nginx is still a popular web server and powering a part of the web. Wouldn’t it be great if we could secure it a little bit more? In this article we use the security features to secure systemd units and services and apply it to nginx. If you are not familiar yet with the unit settings of systemd, then this document would be a good introduction into the subject.

Learn how to use curl to test if your web server is properly caching static files

Learn how to define the Expires header in nginx to improve the caching of static assets.

Download files and troubleshoot issues faster with curl

How to display the configured hosts by filtering out the server_name entries

Fresh look at RSS after a migration This blog had a RSS feed since its inception about 10 years ago. It was (and is) an easy way for readers to quickly discover released and updated articles. Although a lot has changed in 10 years, including a migration from WordPress to Hugo, the RSS feed is still available. Recently, as part of the migration, we looked again at all individual layers that makes this blog possible.

Nginx is flexible when it comes to what should be logged in the access.log. With the combination of a map and if-statement, this can be achieved very easily!" Log only some events by HTTP status Creating a map using $status The $status variable contains the HTTP status code that is normally returned to each request. We can leverage this status code to set a so-called boolean (true/false, or 1/0). Let’s define first the map and use the HTTP status.

To improve websites and the underlying webserver configuration, we collect useful tips to enhance your systems. Let’s build a better web together!

Gzip Gzip is well-known and around for some time. Almost all web clients support it and the savings are typically very high. Compressing a file with gzip is simple, especially with the command often already installed on Linux systems. gzip --best --force filename.html This compresses the file as good as it can (–best) and overwrite a .gz file if it already exists (–force). Brotli Brotli is a fairly new kid on the block when it comes to compressing files.

Why block POST requests in the first place? Some websites or resources don’t need POST requests, such as a statically generated website. It looks like POST requests also take some CPU time within nginx to process them compared with static files. This becomes visible when using the $request_time variable to customize the access log. 2024-04-02T10:14:39+00:00 404 a.b.c.d “POST /xmlrpc.php HTTP/1.1” 562 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.

After migrating this blog to Hugo we performed some optimization steps to ensure it is as quick as possible. Pages are slim and small in size, but still can be compressed. Normally we would do this on the end of the web server, by enabling dynamic compression. So each time a client requested a compressed page, the web server would compress is and send over the data. This time we turned things around.

On invitation by the Dutch consultancy firm Snow (now SUE), I attended their Snow Unix Event (SUE). It was the third time in a row, with again an impressive lineup of speakers. As I worked previously for the company, I expected no less than that. The theme was about knowledge sharing. That sounds like an invitation to also share some of the biggest insights I learned. Let’s start with the HTTP/2 insights by Daniel Stenberg.

Delete a HSTS Key Pin in Chrome Key pinning can be tricky and sometimes you might encounter a website having an incorrect key pin. This is usually caused by renewing certificates. In that case the duration time of the key pin might overlap the expire time of the moment of renewal. Chrome Error You will be seeing an error something like: Your connection is not private Attackers might be trying to steal your information from domain.

HPKP Key Pins in Firefox HPKP is a great technology to pin a certificate to a website. On first use of a domain, the browser of the client checks if key pinning is available. Upon a next visit, the browser applies an additional check if the certificate(s) provided is available in the previous list of white-listed sites. HPKP error Sometimes things go wrong with HPKP and you won’t be able to access a particular page.

For years, WordPress is used as a platform for blogging. Last years, more and more companies have even built their website in WordPress. Unfortunately, this also means it is more often targetted by scripts, searching for their next victim. The primary reasons for a WordPress hack, are often disclosed information and outdated software components. This is applicable to the WordPress version itself and modules, like the plugins. In this article, we have a look at dealing with unwanted information disclosure, and how we can reduce revealing too much.

The end of Adobe’s Flash Player is near. Most of the remaining Flash on the web are advertisements or “fancy” movies, created years ago. If you don’t need Flash any longer, these steps help you to disable it in Chrome. Step 1: Open plugins Go to chrome://plugins This will show an overview of all your plugins. Step 2: Disable Abode Flash Player Press Disable on the Adobe Flash Player. Adobe Flash Player is disabled

Important Note This is an older blog post and we no longer advise using Web of Trust. See pcmag for more details. Protecting the web browser Usually we focus on the blog on the server side of things, helping to protect the data of users, customers and ourselves. What we commonly overlook is the end of the connection, the web browser of the user. In the upcoming posts we will look at alternative measures we can take, to protect data there as well.

Recently we changed our corporate website into a “HTTPS only” version. Most of the content is not secret information, still we have some sensitive areas. The ordering section and downloads, and additional our portal. While some areas were already covered with a lock, we felt it was time to make the jump to cover it all. Additionally, we believe that we doing everything we can on our website, practicing security hardening ourselves.

OCSP stapling is a logical follow-up on Online Certificate Status Protocol. OCSP itselfs just checks if certificate is still valid by determining if it is on a revocation list. The original OCSP protocol forces the client to check for the status of a certificate. This results in a lot of traffic for the CA behind the certificate. OCSP stapling moves the check to the owner of the certificate. On a regular basis the Nginx server will perform the check, receiving a new OCSP response.

Protecting against the POODLE attack The POODLE attack has entered the news a few times now. The issue behind the POODLE attack is serious, as it abuses a weakness in the protocol, not the implementation. This means the only proper fix is abandoning the SSLv3 protocol and use the newer TLS protocols. Disable SSLv2 and SSLv3 Lighttpd commonly has its configuration settings stored in /etc/lighttpd/lighttpd.conf. Open this file and add the following two statements, to disable both protocols:

Configure Apache or Nginx to use HTTP Strict Transport Security (HSTS)

If you care about security, making your system “lean” is one very good start. Remove all clutter, like unused packages. It is part of system hardening and considered a good practice. This also applies to leaking of version numbers, which can only be harmful. Yes.. it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon.