Nginx

Prerequisite
This guide was tested on Debian Jessie (stable) and Stretch (testing). For other distributions you may need to make some adjustments.

While not mandatory, the guide makes use of the following programs to enhance the security of the installation:
 * nftables
 * Fail2Ban

Jessie
The version of nginx in Debian Jessie supports the deprecated SPDY protocol. Using the version from jessie-backports gives you HTTP/2 support instead.

nginx_modsite
nginx_modsite is a script that lets you activate or deactivate a site with a single command, without handling the symlinks manually. In Debian, it is distributed in source form as part of the  package. The easiest way is to download it directly from the source repository:

conf.d
The conf.d folder stores configuration shared between all the sites hosted on your server.

Create the following files. See the documentation on installing PHP.


 * Generate the file  with

snippets
The snippets folder lets you store bits of configuration that you can later include in virtual host configurations. This saves a lot of typing and avoids errors when creating a new site. See Let’s Encrypt.

Obviously, you need to replace the example IP addresses with those of your server. You can get the IP addresses of your server with the commands  and .

Create Password File
If the folder doesn't exist, you need to create it using

Then create the user file. If you want different websites to have different users, you can create as many password files as you want.

Add User
To update a user's password, just run the same command.

Nginx picks up the modified file automatically. There is nothing to restart.

Use
To restrict access to a site or part of it, add the following lines to a  or   configuration block:

Firewall
You need to open TCP ports 80 and 443 in your firewall.

httpoxy
The httpoxy security flaw is a vulnerability affecting CGI scripts through the Proxy HTTP header. It can be mitigated by filtering out this header in fastcgi and proxy calls in Nginx.

Edit the files  and   and add these lines: Also edit the file   and add these lines:
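As an added example (not one of the guide's own files), here is what the mitigation looks like once placed inside a site's configuration; the document root, the PHP-FPM socket path and the upstream address are assumptions. The comments explain the nginx inheritance rule that decides where the lines have to go.

```nginx
# Added example, not part of the guide. The document root, the PHP-FPM
# socket path and the upstream address below are placeholders.
#
# Background: a CGI/FastCGI backend exposes request headers to scripts as
# environment variables named HTTP_<HEADER>. A client-sent "Proxy:" header
# therefore becomes HTTP_PROXY, which many HTTP client libraries read as
# their outbound proxy setting. Blanking it on the nginx side closes the hole.

server {
    listen 80;
    server_name mysite.example.org;
    root /var/www/mysite.example.org;   # assumed document root

    location ~ \.php$ {
        include fastcgi_params;

        # nginx inherits fastcgi_param directives from the server level ONLY
        # when the location defines none of its own. Because this location
        # sets SCRIPT_FILENAME, the mitigation must be repeated here (or be
        # part of the included fastcgi_params file); a copy placed only at
        # server level would silently not apply.
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;   # assumed socket path
    }

    location /app/ {
        # The same inheritance rule holds for proxy_set_header: keep the
        # blanking directive in the block that holds the other
        # proxy_set_header lines.
        proxy_set_header Host $host;
        proxy_set_header Proxy "";
        proxy_pass http://127.0.0.1:8080;   # assumed upstream
    }
}
```

Validate with `nginx -t`, then confirm the effect by requesting a script that prints `$_SERVER['HTTP_PROXY']` while sending a `Proxy:` header: the value must come back empty.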

/var/www/ permissions
Setting the setgid bit on the  makes sure that new files are readable by Nginx. This also revokes the default read permission from users outside the  group. They don't need it, and some data here might not be public.

New Site
This section shows how to create a new website on your Nginx server. The instructions here are very generic and will need to be adapted to your specific case.

In the following sections, we show the configuration for a site called mysite.example.org. You need to replace all occurrences of mysite.example.org with the name of the site you want to create.

Fail2Ban
Web servers are usually a good target for attackers. A lot of them run outdated, insecure and misconfigured software, and if your server runs languages like PHP, an attacker who has compromised it can execute pretty much any action.

Warning: The rules described here protect against generic attacks on your web server. If you install some specific software that has its own authentication (ownCloud, Roundcube...), you need to create rules for it.

nginx-http-auth
The first rule is pretty simple. It protects HTTP authentication (the ugly popup asking for your password before you enter the site).

Create file

nginx-botsearch
This rule matches the 404 errors generated when bots probe your server for insecure software. While it should generally work fine, you should check the ban reports to make sure you don't lock out legitimate users.

Create file