Nginx: Advanced Techniques

Rate Limiting and DDoS Protection

Nginx ships two modules for this: limit_req caps how many requests a single client may make per second, and limit_conn caps how many connections it may hold open. Both protect application capacity from one abusive source (a scraper, a credential-stuffing script, a misbehaving client). They do not stop a volumetric DDoS, which fills the network link before nginx sees a packet; that has to be absorbed upstream by a CDN, the hosting provider or a scrubbing service.

Limiting the Number of Requests per IP

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
        location / {
            limit_req zone=one burst=5;
        }
    }
}
  • $binary_remote_addr is the client address in binary form (4 bytes for IPv4, 16 for IPv6), which keeps each per-client state small. zone=one:10m names a 10 MB shared-memory zone, room for roughly 160,000 states (the nginx docs quote about 16,000 per megabyte); when it fills up, the oldest entry is evicted.
  • rate=1r/s is a leaky bucket: each client may make one request per second on average. A request that arrives before the previous one has "drained" counts as excess.
  • burst=5 tolerates up to five excess requests. With no further parameters they are queued and released at the configured rate, so a burst of six is served over about five seconds and the seventh is rejected with 503 (change the code with limit_req_status). Add nodelay to serve the whole burst immediately while still rejecting anything beyond it, or delay=N to serve the first N excess requests immediately and queue the rest.
  • Behind a load balancer or CDN, $binary_remote_addr is the proxy's address and every user shares one bucket. Enable the real_ip module (set_real_ip_from for the trusted proxies, real_ip_header X-Forwarded-For) before relying on per-client limits, and never trust X-Forwarded-For from untrusted sources.
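
The interplay of rate and burst is easier to see in a model than in prose. The Python below is an added example written for this page, not nginx's code: it reproduces the leaky-bucket arithmetic of ngx_http_limit_req_module (excess decays at the configured rate, each arriving request adds one, anything above burst is rejected) and replays a constructed burst of seven requests from one address under burst=5, under burst=5 nodelay, and under burst=5 delay=2 (the delay parameter serves the first N excess requests without queueing). The client addresses and timestamps are made up.

```python
"""Model of nginx's limit_req leaky bucket.

Added illustration for this page; it mirrors the arithmetic of
ngx_http_limit_req_module but is not nginx's code.  Client keys and
timestamps used below are constructed."""


class LimitReq:
    """One limit_req_zone + limit_req pair: rate=Nr/s, burst=B, delay=D or nodelay."""

    def __init__(self, rate, burst=0, delay=0, nodelay=False):
        self.rate = float(rate)      # requests per second
        self.burst = float(burst)    # excess requests tolerated before a 503
        # delay=D serves the first D excess requests at once; nodelay is delay=burst
        self.delay_free = self.burst if nodelay else float(delay)
        self.state = {}              # key -> (excess, last_seen): the shared zone

    def request(self, key, now):
        """Return ("ok", seconds_to_delay) or ("503", None) for one request."""
        if key not in self.state:
            self.state[key] = (0.0, now)   # first sight of a key: no excess, served at once
            return ("ok", 0.0)
        excess, last = self.state[key]
        elapsed = max(0.0, now - last)
        # the bucket leaks `rate` per second; this request adds one
        excess = max(0.0, excess - self.rate * elapsed + 1.0)
        if excess > self.burst:
            return ("503", None)           # over burst: limit_req_status; state untouched
        self.state[key] = (excess, now)
        if excess <= self.delay_free:
            return ("ok", 0.0)
        return ("ok", (excess - self.delay_free) / self.rate)


def simulate(limiter, events):
    """events: (timestamp_seconds, client_key) pairs in arrival order."""
    return [limiter.request(key, t) for t, key in events]


if __name__ == "__main__":
    # constructed traffic: seven requests in the same instant from one address
    flood = [(0.0, "203.0.113.7")] * 7
    for label, lim in [("burst=5", LimitReq(1, burst=5)),
                       ("burst=5 nodelay", LimitReq(1, burst=5, nodelay=True)),
                       ("burst=5 delay=2", LimitReq(1, burst=5, delay=2))]:
        print(label, simulate(lim, flood))
```

A fresh key is served at once; each later request from the same key pays excess/rate of delay unless it falls inside the delay allowance, and the seventh simultaneous request is the first whose excess exceeds burst=5, so it gets the 503. The same arithmetic shows why a client that paces itself at exactly 1r/s is never delayed (its excess decays to zero before each request) and why, with burst=0, anything faster than the rate is rejected outright.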

Blocking Excessive Connections

Nginx can also cap the number of simultaneous connections per IP (the limit_conn module). A connection is counted only once nginx has read the request headers, so half-open connections from a SYN flood never reach this counter:

limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
    limit_conn addr 10;
}
  • limit_conn_zone belongs in the http context; zone=addr:10m is sized like the limit_req zone above. Each client is limited to 10 concurrent connections; the eleventh is answered with 503 (configurable with limit_conn_status).
  • Browsers open several parallel connections per host and many users can sit behind one NAT address, so 10 is a tight value for an asset-heavy site or an office audience. Watch error.log for "limiting connections" entries before tightening it further.

Implementing fail2ban to Ban Repeat Offenders

  • fail2ban tails a log file, matches each line against a filter's failregex, and when one IP accumulates maxretry matches within findtime seconds it bans that IP at the firewall (nftables or iptables) for bantime seconds. It is a tool against brute force and scripted abuse from a handful of addresses, not against a DDoS, which arrives from many addresses at once.
  • Jail definition for Nginx HTTP basic-auth failures, placed in /etc/fail2ban/jail.local (the nginx-http-auth filter ships with fail2ban and matches the "password mismatch" and "was not found" lines that auth_basic writes to error.log):
[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
logpath  = /var/log/nginx/error.log
maxretry = 5
findtime = 600
bantime  = 3600
  • fail2ban also ships an nginx-limit-req filter that matches the "limiting requests" lines limit_req writes to error.log, so clients that keep tripping the rate limit above can be banned outright rather than merely slowed. After restarting the service, fail2ban-client status nginx-http-auth shows the current match and ban counts.
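
The detection that jail performs can be replayed offline. The Python below is an added example, neither fail2ban's code nor part of the original page: its regular expression is modeled on (not copied from) fail2ban's nginx-http-auth filter and matches the two messages auth_basic writes to error.log, and bans() applies the maxretry/findtime/bantime counting rule per client address. The log lines are constructed for the example: 203.0.113.7 fails five times within a minute, while 10.0.0.5 also fails five times but twenty minutes apart, outside the ten-minute findtime.

```python
"""Replay of a fail2ban-style jail over nginx error.log lines.

Added example for this page, not fail2ban's code: FAILREGEX is modeled on
the nginx-http-auth filter's failregex (not copied from it) and SAMPLE_LOG
is constructed.  Run directly to print which clients the jail would ban."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two messages ngx_http_auth_basic_module logs at [error] level on a failed login.
FAILREGEX = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*"(?:: password mismatch| was not found in "[^"]*"), '
    r'client: (?P<host>[^,]+), '
)
TS_FORMAT = "%Y/%m/%d %H:%M:%S"

# Constructed error.log excerpt (documentation addresses from RFC 5737 / RFC 3849).
SAMPLE_LOG = """\
2024/01/15 09:00:00 [error] 1234#1234: *1 user "admin": password mismatch, client: 10.0.0.5, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 09:20:00 [error] 1234#1234: *2 user "admin": password mismatch, client: 10.0.0.5, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 09:40:00 [error] 1234#1234: *3 user "admin": password mismatch, client: 10.0.0.5, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:00:00 [error] 1234#1234: *4 user "admin": password mismatch, client: 10.0.0.5, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:20:00 [error] 1234#1234: *5 user "admin": password mismatch, client: 10.0.0.5, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:23:41 [error] 1234#1234: *6 user "admin": password mismatch, client: 203.0.113.7, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:23:42 [error] 1234#1234: *7 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.7, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:23:43 [error] 1234#1234: *8 user "admin": password mismatch, client: 203.0.113.7, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:23:44 [error] 1234#1234: *9 user "administrator" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.7, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:23:45 [error] 1234#1234: *10 user "admin": password mismatch, client: 203.0.113.7, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:23:50 [error] 1234#1234: *11 user "admin": password mismatch, client: 203.0.113.7, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:30:00 [error] 1234#1234: *12 user "alice": password mismatch, client: 198.51.100.9, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:30:05 [error] 1234#1234: *13 user "alice": password mismatch, client: 2001:db8::1, server: example.com, request: "GET /secure/ HTTP/1.1", host: "example.com"
2024/01/15 10:31:00 [notice] 1234#1234: signal process started
"""


def parse_failures(log_text):
    """Yield (timestamp, client) for every line the filter matches; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["host"]


def bans(log_text, maxretry=5, findtime=600, bantime=3600):
    """Apply the jail's rule: a client with maxretry matches inside a findtime-second
    window is banned for bantime seconds.  Returns every (client, ban_start) issued."""
    findtime, bantime = timedelta(seconds=findtime), timedelta(seconds=bantime)
    recent = defaultdict(list)   # client -> failure times still inside findtime
    active = {}                  # client -> start of a ban still in force
    issued = []
    for ts, client in parse_failures(log_text):
        if client in active:
            if ts - active[client] < bantime:
                continue         # the firewall rule would have dropped this request
            del active[client]   # bantime elapsed; the client is unbanned
        recent[client] = [t for t in recent[client] if ts - t < findtime] + [ts]
        if len(recent[client]) >= maxretry:
            active[client] = ts
            issued.append((client, ts))
            recent[client] = []
    return issued


if __name__ == "__main__":
    for client, when in bans(SAMPLE_LOG):
        print(f"ban {client} from {when}")   # ban 203.0.113.7 from 2024-01-15 10:23:45
```

The sliding window is what makes findtime matter: 10.0.0.5 never has two failures inside ten minutes, so it is never banned, while 203.0.113.7 reaches maxretry on its fifth failure and its sixth is ignored because the ban is still in force. Widening findtime to two hours catches the slow attacker as well; that trade-off (catching low-and-slow guessing versus banning a user who mistypes a password a few times in an afternoon) is the main tuning decision for this jail.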

Advanced Security Configurations

Preventing Clickjacking Attacks

Clickjacking loads your page in an invisible iframe on an attacker's site and positions it so the victim's clicks land on your buttons. Tell browsers not to frame the page:

add_header X-Frame-Options DENY always;
  • DENY prevents the page from being embedded in any frame, including frames on your own origin; SAMEORIGIN permits same-origin framing only.
  • always sends the header on error responses (4xx, 5xx) too, not only on 2xx and 3xx.
  • add_header is inherited from the enclosing block only if the current block defines no add_header of its own. A location that adds one header silently drops every header set at server level, so repeat the full set (or include a shared snippet) in each block that adds headers.
  • Modern browsers honour the frame-ancestors directive of Content-Security-Policy, which supersedes X-Frame-Options; set both so older clients stay covered.

Enabling Content Security Policy (CSP)

CSP mitigates XSS by telling the browser which origins it may load scripts, styles, images and other resources from; an injected inline script or a script pulled from an attacker's host is then refused even when the injection itself succeeds.

add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
  • default-src 'self' restricts every resource type to your own origin and blocks inline <script> and <style> blocks and eval(). Most existing sites need allowances (script-src with nonces or hashes, img-src data:, a CDN host) before this policy can be enforced.
  • frame-ancestors 'none' is the CSP equivalent of X-Frame-Options DENY.
  • Roll it out as Content-Security-Policy-Report-Only with a report-uri or report-to endpoint first, review what would have been blocked, and only then switch to the enforcing header.

Disabling Unnecessary HTTP Methods

Restrict each location to the methods the application actually uses; anything else (TRACE, PUT, DELETE, arbitrary verbs) is rejected by nginx before it reaches the backend.

location / {
    if ($request_method !~ ^(GET|POST|HEAD)$ ) {
        return 405;
    }
}
  • return inside if is one of the safe uses of the if directive in a location context; do not mix other directives into the same if block.
  • Add OPTIONS to the list for locations that serve cross-origin APIs, or CORS preflight requests will fail.
  • limit_except GET POST HEAD { deny all; } is the purpose-built alternative, but it answers 403 rather than 405 and treats GET as implying HEAD.

Access Control and Authentication Methods

IP Whitelisting for Restricted Access

Restrict sensitive areas (like an admin panel) to a specific IP range. Rules are evaluated in order and the first match wins, so the allow must precede deny all:

location /admin {
    allow 192.168.1.0/24;
    deny all;
}
  • Denied clients receive 403. This is a prefix match, so /admin/users and /admin-panel are covered, but a separate regex location (location ~ ...) that also matches admin paths needs its own allow/deny rules.
  • As with rate limiting, this tests $remote_addr. Behind a reverse proxy or CDN that is the proxy's address, and allow 192.168.1.0/24 then admits either everyone or no one; configure the real_ip module with the proxy's addresses first.

Basic Authentication with htpasswd

Creating a Password File

sudo apt install apache2-utils
sudo htpasswd -c -B /etc/nginx/.htpasswd admin
sudo chown root:www-data /etc/nginx/.htpasswd
sudo chmod 640 /etc/nginx/.htpasswd
  • -c creates the file and overwrites it if it already exists; omit it when adding further users.
  • -B stores a bcrypt hash instead of the default apr1 (MD5) hash. nginx verifies hashes through the system crypt(), which handles bcrypt on current Debian and Ubuntu; if logins fail after switching, check error.log and fall back to the default.
  • nginx workers (www-data on Debian/Ubuntu) read the file at request time, so it must be readable by that user and by nobody else. Keeping it under /etc/nginx also keeps it outside any document root.

Configuring Basic Authentication in Nginx

location /secure {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
  • Basic authentication sends the credentials base64-encoded, not encrypted, with every request; serve /secure over HTTPS only.
  • Apply a limit_req zone to the location as well (or the fail2ban jail above) so the password file cannot be guessed at line rate; each failure is logged to error.log, which is what the nginx-http-auth filter reads.

Implementing Web Application Firewall (WAF) with Nginx

A Web Application Firewall (WAF) inspects requests (and optionally responses) against signature and anomaly rules, blocking SQL injection, XSS, path traversal and similar payloads before they reach the application. It is a compensating control, not a substitute for fixing the application: a rule set needs tuning to the site, and an untuned one either blocks legitimate traffic or lets attacks through.

Installing ModSecurity with Nginx

Nginx uses ModSecurity v3 (libmodsecurity) through the ModSecurity-nginx connector module; the older mod_security2 is an Apache module and cannot be loaded by nginx. Some distributions package the connector for their nginx build:

apt search modsecurity

Where no package matches your nginx version, build libmodsecurity and the connector against that version and load the resulting .so with load_module at the top of nginx.conf.

Enabling ModSecurity in the Nginx Configuration

server {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
  • Both directives also work at http and location level, so the WAF can be switched on one application path at a time.
  • The rules file uses ModSecurity's own (Apache-style) directive syntax. Start from modsecurity.conf-recommended in the ModSecurity source tree, which sets SecRuleEngine DetectionOnly: requests are inspected and logged but nothing is blocked until you change it to On.

Using OWASP ModSecurity Core Rule Set (CRS)

  • The OWASP CRS is a generic, anomaly-scoring rule set against SQL injection, XSS, local file inclusion, protocol abuse and other attack classes.
  • Install CRS into its own directory (git clone refuses a non-empty target, so do not clone straight into /etc/nginx/modsec/), then activate the setup file:
git clone https://github.com/coreruleset/coreruleset.git /etc/nginx/modsec/coreruleset
cp /etc/nginx/modsec/coreruleset/crs-setup.conf.example /etc/nginx/modsec/coreruleset/crs-setup.conf
  • Include crs-setup.conf and then rules/*.conf from main.conf, run nginx -t, reload, and review the audit log (SecAuditLog in modsecurity.conf) for false positives before raising the paranoia level.
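
The pieces above meet in main.conf. The file below is an added example of that wiring, not something ModSecurity or the CRS ship: it assumes modsecurity.conf-recommended and unicode.mapping from the ModSecurity source tree were copied to /etc/nginx/modsec/modsecurity.conf and /etc/nginx/modsec/unicode.mapping, and that the CRS was cloned into /etc/nginx/modsec/coreruleset (a subdirectory, because git clone needs an empty target) with crs-setup.conf created from its .example.

```apacheconf
# /etc/nginx/modsec/main.conf  (added example wiring; assumed paths, see text)
# Engine settings: request body handling, audit log, unicode map.
Include /etc/nginx/modsec/modsecurity.conf

# modsecurity.conf-recommended ships SecRuleEngine DetectionOnly.  Leave it
# there while tuning; a later directive overrides it, so flip to blocking here
# once the audit log shows no false positives for your application.
SecRuleEngine On

# CRS setup (paranoia level, anomaly thresholds) must precede the rules it configures.
Include /etc/nginx/modsec/coreruleset/crs-setup.conf
# The rule files; *.example exclusion templates are deliberately not matched.
Include /etc/nginx/modsec/coreruleset/rules/*.conf
```

Keep SecRuleEngine DetectionOnly during the first days in production and grep the audit log for rule IDs that fire on legitimate traffic; those go into a site-specific exclusion file included before the rules, not into edits of the CRS files themselves, so that updating the CRS stays a plain git pull.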

Hands-On Exercise

  • Implement rate limiting and test request throttling.
  • Configure IP-based access control for restricted areas.
  • Enable basic authentication for a protected directory.
  • Install and configure ModSecurity WAF to block malicious traffic.

By implementing these advanced security techniques, you’ll significantly enhance the protection and resilience of your Nginx server against modern cyber threats.