I have always used apache or iis in the past, but never Nginx. Anyways, I thought I would give it a go on my dev web server and see how I feel. I am basically following a few different guides from online - I will make sure to link in the credits. As I say, I am no expert in this application and I don’t want to mess it up. If you’re interested I wrote a different blog post on my server setup for this machine, so I guess that would be step one here - Roll a new Virtual Server in KVM.

Install it

This seems relatively straight forward. The Ubuntu PPA is apparently maintained by some volunteers and has both a stable and dev branch. I am going to stick with stable as I really don’t need any fancy features (use development in the add repository line for the other). I did have to run the first line on my Ubuntu box to get the add-apt-repository command. From the looks of things on the internet, you may not have to install both of those - I think some come preloaded depending on how you installed Ubuntu.

sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:nginx/stable
sudo apt-get update
sudo apt-get install nginx

Fire up the browser

Sure enough, I seem to have a working web server here. The index page reads “Welcome to nginx on Debian!". I then run a -V to validate the version I just installed and it is latest stable 1.8.0.

nginx -V

Configure, Clean, and Secure…

1. nginx.conf

So my first step is to go into the main config file /etc/nginx/nginx.conf and do some pretty basic setup stuff. In the HTTP section, I uncomment all of the gzip_ settings and add a min length line in so that gzip isnt used for small file sizes. I am just ensuring that the web server isnt working any harder than it should, but saving bandwidth when it can.

gzip_min_length 1100;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

In the Basic settings I go ahead and uncomment server tokens off, so that it stops broadcasting server version number on error messages.

server_tokens off;

Also in the Basic settings I go ahead and add the following lines. These all speak to how it communicates with clients and how quickly it gives up on slow clients. By reducing the size of request it accepts and dropping the default amount of time it spends trying to talk to clients, it makes the server a lot less susceptible to DDOS. Not insusceptible, but it is still a good idea to set these values as low as you can within the tolerance of your clients.

client_max_body_size  4096k;
client_header_timeout 10;
client_body_timeout   10;
keepalive_timeout     10 10;
send_timeout          10;

2. default, what default

Next I setup my own site in nginx. The default site configuration file is in /etc/nginx/sites-available with a symbolic link over to sites-enabled. This default site is called default, so I am going to copy that config over to my new www site and remove the symbolic link from default, leaving the default config file in place (just in case).

cd /etc/nginx/sites-available
sudo cp default www

cd /etc/nginx/sites-enabled
sudo rm default
sudo ln -s /etc/nginx/sites-available/www /etc/nginx/sites-enabled/www

In the www configuration file (/etc/nginx/sites-available/www), anywhere inside the server block I add the following lines to prevent scripts from being executed in writable directories. This is way overkill for what I am doing here, but I really like this as this would prevent a number of escalation attacks I have used against targets.

# deny scripts inside writable directories
    location ~* /(images|cache|media|logs|tmp)/.*.(php|pl|py|jsp|asp|sh|cgi)$ {
    return 403;
    error_page 403 /403_error.html;
    }

3. Reload, Repent, or something

Lastly I am just reloading the web server with all my new options setup. I validate that the site is still working and I’m good to go here. I will probably document the TLS process for setting up HTTPS on this thing another time.

sudo /etc/init.d/nginx reload

Credits:

NGINXTips has a very comprehensive list of hardening tips that I barely used as most don’t apply to me. Ars Technica did a fabulous walk-through on this whole process on a slightly older version of the OS and nginx.

4. Post-install

This may not have much to do with this setup, but in order to scp files the way I want to from my desktops up to my servers, I had to change permissions from the default. On this server I already had a group called admin, so I simply changed the www folder permissions to allow users in that group the ability to write to that folder.

sudo chown -R :admin /var/www
sudo chmod -R g=rwx /var/www