Nginx

Configure HSTS (HTTP Strict Transport Security) for Apache and Nginx

HTTP Strict Transport Security (HSTS) is a security capability to force clients to use HTTPS. In this article, we implement HSTS for Apache and Nginx.

Summary of Configure HSTS (HTTP Strict Transport Security) for Apache and Nginx

HTTP Strict Transport Security (or HSTS) is a security capability to force web clients using HTTPS. The idea behind HSTS is that clients which always should communicate as safely as possible. At achieve this, the web server and web browser will prefer the HTTPS protocol instead of HTTP. Benefits The clear benefit of “forcing” a client to use HTTPS directly, is decreasing the risk of sharing any sensitive information via a protocol which can be snooped upon.

Read the full article…

Hiding the nginx version number

Security professionals usually don't advise to use "security through obscurity". Still, it's wise to hide the nginx version number.

Summary of Hiding the nginx version number

If you care about security, making your system “lean” is one very good start. Remove all clutter, like unused packages. It is part of system hardening and considered a good practice. This also applies to leaking of version numbers, which can only be harmful. Yes.. it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon.

Read the full article…

How the web changes with HTTP/2: Performance and Security

The web changes and so does one of the most important underlying protocols HTTP. Learn about HTTP/2 and what it means for performance and security.

Summary of How the web changes with HTTP/2: Performance and Security

On invitation by the Dutch consultancy firm Snow, I attended their Snow Unix Event (SUE). It was the third time in a row, with again an impressive lineup of speakers. As I worked previously for the company, I expected no less than that. The theme was about knowledge sharing. That sounds like an invitation to also share some of the biggest insights I learned. Let’s start with the HTTP/2 insights by Daniel Stenberg.

Read the full article…

How to block POST requests in nginx

Want to block all HTTP POST requests in nginx? There are multiple ways to achieve this and within this article we look at the best fit.

Summary of How to block POST requests in nginx

Why block POST requests in the first place? Some websites or resources don’t need POST requests, such as a statically generated website. It looks like POST requests also take some CPU time within nginx to process them compared with static files. This becomes visible when using the $request_time variable to customize the access log. 2024-04-02T10:14:39+00:00 404 a.b.c.d “POST /xmlrpc.php HTTP/1.1” 562 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.

Read the full article…

How to log only some requests to a log file in nginx

Nginx is flexible when it comes to what should be logged in the access.log. With the combination of a map and if-statement, this can be achieved very easily!

Summary of How to log only some requests to a log file in nginx

Nginx is flexible when it comes to what should be logged in the access.log. With the combination of a map and if-statement, this can be achieved very easily!" Log only some events by HTTP status Creating a map using $status The $status variable contains the HTTP status code that is normally returned to each request. We can leverage this status code to set a so-called boolean (true/false, or 1/0). Let’s define first the map and use the HTTP status.

Read the full article…

How to see all virtual hosts in nginx

Want to see all configured virtual hosts on a server running nginx? Here is a method to achieve this quickly by using a default configuration option.

Summary of How to see all virtual hosts in nginx

How to display the configured hosts by filtering out the server_name entries

Nginx security hardening guide

Learn how to secure your nginx configuration with this hardening guide. It includes examples and tips to implement security measures step by step.

Summary of Nginx security hardening guide

Learn how to secure your nginx configuration with this hardening guide. It includes examples and tips to implement security measures step by step.

Optimize SSL/TLS for Maximum Security and Speed

Everyone loves secure websites, as long as they are quick. Let's configure our website for maximum security and performance, at the same time.

Summary of Optimize SSL/TLS for Maximum Security and Speed

Recently we changed our corporate website into a “HTTPS only” version. Most of the content is not secret information, still we have some sensitive areas. The ordering section and downloads, and additional our portal. While some areas were already covered with a lock, we felt it was time to make the jump to cover it all. Additionally, we believe that we doing everything we can on our website, practicing security hardening ourselves.

Read the full article…

Pre-compress static assets with Brotli and Gzip

Let's make the web a smaller place by pre-compressing static assets with Brotli and Gzip. Here are some useful tips to get started.

Summary of Pre-compress static assets with Brotli and Gzip

Gzip Gzip is well-known and around for some time. Almost all web clients support it and the savings are typically very high. Compressing a file with gzip is simple, especially with the command often already installed on Linux systems. gzip --best --force filename.html This compresses the file as good as it can (–best) and overwrite a .gz file if it already exists (–force). Brotli Brotli is a fairly new kid on the block when it comes to compressing files.

Read the full article…

Protect against the BEAST attack in Nginx

The BEAST attack showed up in 2011 and some servers are still vulnerable to it. With the right protocols, ciphers and preference, we can keep the BEAST out.

Summary of Protect against the BEAST attack in Nginx

What is this BEAST? BEAST, or “Browser Exploit Against SSL/TLS” is an attack against the cipher block chaining (CBC) method used with SSL/TLS. The weakness was discovered in 2002, but finally proven in 2011 by security researchers Thai Duong and Juliano Rizzo. With real proof of concept code, they showed it was no longer a theoretical attack. To successfully perform the BEAST attack, there are some conditions which needs to be met:

Read the full article…

Securing nginx configurations: implementing OCSP stapling

OCSP stapling is a logical follow-up on Online Certificate Status Protocol. With newer versions of Nginx we can enable OCSP stapling and enable testing.

Summary of Securing nginx configurations: implementing OCSP stapling

OCSP stapling is a logical follow-up on Online Certificate Status Protocol. OCSP itselfs just checks if certificate is still valid by determining if it is on a revocation list. The original OCSP protocol forces the client to check for the status of a certificate. This results in a lot of traffic for the CA behind the certificate. OCSP stapling moves the check to the owner of the certificate. On a regular basis the Nginx server will perform the check, receiving a new OCSP response.

Read the full article…