
Nginx configuration for improved security

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Sunka, Feb 2, 2016.

  1. Sunka (Well-Known Member, Pula, Croatia, joined Oct 31, 2015; Nginx 1.17.9, MariaDB 10.3.22)

    These lines are disabled in the nginx domain conf by default. For the first and last I understand why, but why are the other three disabled too?
    I am just asking, trying to learn something new for nginx (y)


    Code:
    ####add_header Alternate-Protocol  443:npn-spdy/3;
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    #add_header  X-Content-Type-Options "nosniff";
    #add_header X-Frame-Options DENY;
    ####spdy_headers_comp 5;

    add_header Alternate-Protocol 443:npn-spdy/3;
    is not used if not using spdy (aka using http2)

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    Why is disabled?
    add_header X-Content-Type-Options "nosniff";
    Why is disabled?
    add_header X-Frame-Options DENY;
    Why is disabled?
    spdy_headers_comp 5;
    This module was superseded by the ngx_http_v2_module module in 1.9.5.

     
  2. eva2000 (Administrator, Staff Member, Brisbane, Australia, joined May 24, 2014; Nginx 1.27.x, MariaDB 10.x/11.4+)

    For HSTS read centminmod.com/nginx_domain_dns_setup.html#hsts and its precautions, as you can mess up your site if you do not understand what enabling HSTS means for your visitors and any other subdomain web site you run off the same *.domain.com.

    These 2 are still there as nginx 1.9.3-1.9.5 versions were where disabling HTTP/2 meant using SPDY/3.1, so Centmin Mod can actually auto detect if your Nginx version is using the SPDY or HTTP/2 module and auto uncomment or comment out these 2 values depending on whether Nginx used HTTP/2 or SPDY/3.1. If you removed those commented out settings, Centmin Mod won't be able to auto switch between them. Nginx 1.9.5+ has now removed SPDY, so there is no fallback, just either with or without HTTP/2.

    The rest need revising, as I really should have these 3 set up not just for HTTPS but HTTP too if you know what you're doing:
    Code:
      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
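
    As an added illustration of the advice above (example config, not Centmin Mod's generated vhost and not eva2000's own; example.com, the certificate paths and the document root are assumptions), this is how the headers split across an HTTP and an HTTPS server block: the three browser-hardening headers go on both, HSTS stays on the TLS side and starts with a short max-age so a mistake can be undone before browsers have cached a year-long policy:

```nginx
# Added example, not Centmin Mod's own configuration. Domain, certificate
# paths and document root are assumptions made for illustration.
# Goal: send the three browser-hardening headers on every response
# (HTTP and HTTPS), but send Strict-Transport-Security only over HTTPS.

server {
    listen 80;
    server_name example.com www.example.com;

    # Safe to send over plain HTTP.
    # "always" (nginx >= 1.7.5) also adds the header to error responses
    # such as 403/404; without it add_header only applies to 2xx/3xx.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

    # No Strict-Transport-Security here: RFC 6797 tells browsers to ignore
    # it on non-TLS responses, so sending it over HTTP does nothing.

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /usr/local/nginx/conf/ssl/example.com/example.com.crt;  # assumed path
    ssl_certificate_key /usr/local/nginx/conf/ssl/example.com/example.com.key;  # assumed path

    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

    # HSTS rollout: begin with a short max-age and WITHOUT includeSubDomains
    # until every host under example.com serves valid HTTPS. Browsers cache
    # the policy for max-age seconds and refuse plain-HTTP access meanwhile,
    # so a premature includeSubDomains breaks any HTTP-only subdomain.
    add_header Strict-Transport-Security "max-age=300" always;
    # Production value once verified (one year, all subdomains):
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /home/nginx/domains/example.com/public;  # assumed path
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

    Check with `nginx -t`, reload, then `curl -sI https://example.com/ | grep -iE 'strict|x-frame|x-content|x-xss'` and repeat against `http://` to confirm HSTS is absent there. Two caveats: X-Frame-Options DENY also blocks your own pages from framing each other, which is why SAMEORIGIN is the usual choice; and current Chrome and Edge have removed X-XSS-Protection support (Firefox never implemented it), so the header is harmless but no longer does anything in those browsers.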
     
  3. ModeltogTossen (I wish I could??, Denmark, joined Dec 20, 2015; Nginx 1.9.12, MariaDB 10.0.23)

    I do not know what I'm doing - yes, you read it right.. But your statement tells me "should have", so do I just add the following 3 lines in both the ssl.conf and .conf files of my site?

    Code:
      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
     
  4. eva2000 (Administrator, Staff Member, Brisbane, Australia, joined May 24, 2014; Nginx 1.27.x, MariaDB 10.x/11.4+)

  5. Sunka (Well-Known Member, Pula, Croatia, joined Oct 31, 2015; Nginx 1.17.9, MariaDB 10.3.22)

    And that is why I am just asking (y)

    I had to put
    Code:
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    into the conf (location internal_data), but the deny all setting clashed... then another approach with another addon, but that was a more complicated solution for me because this part was an enigma for me (I think that I do not use fastcgi at all):
    Code:
    location ~ [^/]*\.php$ {
        try_files $fastcgi_script_name =404;
        include fastcgi.conf;
        fastcgi_pass_header Etag;
    }
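
One likely reason add_header lines inside a location block appear to clash is nginx's inheritance rule: add_header directives are inherited from the server level only when the current level defines none of its own, so a single add_header in a location silently drops every header set above it. A second trap is that without the always parameter add_header is skipped on error responses, including the 403 that deny all produces. The following is an added example (not from the thread and not Centmin Mod's config); the snippet path, fastcgi_pass address and site paths are assumptions:

```nginx
# Added example, not from the original post or from Centmin Mod.
# Shows why add_header inside a location "loses" the server-level headers,
# and how to keep the full set on a deny-all location. The snippet path,
# fastcgi_pass address and document root are assumptions.

# --- contents of /usr/local/nginx/conf/security_headers.conf (assumed file) ---
# add_header X-Frame-Options SAMEORIGIN always;
# add_header X-Content-Type-Options nosniff always;
# add_header X-Xss-Protection "1; mode=block" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

server {
    listen 443 ssl http2;
    server_name example.com;
    root  /home/nginx/domains/example.com/public;  # assumed path
    index index.php index.html;

    ssl_certificate     /usr/local/nginx/conf/ssl/example.com/example.com.crt;  # assumed path
    ssl_certificate_key /usr/local/nginx/conf/ssl/example.com/example.com.key;  # assumed path

    # Server-level header set, applied to every location that has no
    # add_header of its own.
    include /usr/local/nginx/conf/security_headers.conf;

    # WRONG (kept as a comment): this location defines its own add_header,
    # so it no longer inherits HSTS or nosniff from the server level, and
    # because "always" is missing even X-Frame-Options is not emitted on
    # the 403 that deny all returns.
    #
    # location ^~ /internal_data/ {
    #     add_header X-Frame-Options SAMEORIGIN;
    #     deny all;
    # }

    # RIGHT: re-include the complete header set wherever add_header is
    # needed, so the location ends up with the same headers as the server.
    location ^~ /internal_data/ {
        include /usr/local/nginx/conf/security_headers.conf;
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP handler; the upstream address is an assumption.
    location ~ [^/]*\.php$ {
        try_files $fastcgi_script_name =404;
        include fastcgi.conf;
        fastcgi_pass_header Etag;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

Verify the fix with `curl -sI https://example.com/internal_data/somefile` and confirm the 403 response still carries all four headers; with the commented-out variant the same request returns a 403 with none of them. Keeping the headers in one included snippet also means a future change (for example raising the HSTS max-age) happens in one place rather than in every location that repeats the lines.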