Serverspace Black Friday
VB
May 18, 2023
Updated June 3, 2023

Nginx security. Control Resources and Limits

NGINX

Nginx is one of the best popular webservers today. Its popularity is due to the fact that it is very fast and easy to set up. Other side of this popularity - nginx is often being a target of malicious attacks. So, if your nginx is not limited by available resources, your server may totally "fall" when nginx spent all system resources. That's why you should control and limit resources Nginx consumed.

All limits are sets in nginx configuration file. I will describe it on Ubuntu 20.04 as example. All changes will be made in /etc/nginx/nginx.conf file. Each directive should end with a semicolon. I will describe the most important parameters further.

Global settings

These settings will affect on whole server. Parameters description is:

  • worker_connections - this option defines how many simultaneous connections are possible for one worker (special "unit" which communicate between nginx and operation system core). Workers count it depends of how much CPU cores and RAM available on your server;
  • multi_accept - this directives allows workers to handle a few processes simultaneously. It will create processes queue, tasks will be handled one-by-one;
  • mutex_accept_delay - this parameter defines a delay between restart of handled tasks;
  • use - a method of processing. The best set for Linux servers is epoll;
  • limit_conn - this directive will limit connections. It may be set in various places, all restrictions will be working. On the screenshot below I set total connections as 5 per one IP and 2 for /download folder:

pic1

Disk operations

These settings define how to nginx operate with disk drive:

  • sendfile on - this option allows to webserver to "exchange" small files data in kernel space, without sending it to the app space. It makes nginx data handling much faster;
  • aio on - this directive provide multi-thread read/write disk operations.

pic3

Compression and caching

You may cache some data to do nginx faster. Compression will reduce traffic flow:

  • gzip on - this option turn compression on;
  • gzip_comp_level - compression level. Higher count is much compression;
  • gzip_types - define of types of files to be compressed. E.g. text is good to compress, but pictures is not.
  • open_file_cache - allow file caching;
  • open_file_cache_valid - time to store cache;
  • open_file_cache_errors - this option allows caching errors like "access denied". It may be helpful to prevent massive simultaneous connects attack;

pic5

Security settings

You may restrict access for scrapers, bots, downloaders etc. Just add construct like below to restricted location:

if ($http_user_agent ~* LWP::curl|wget|*bot) {

return 403;

}

pic7

Also, you can allow access to some website areas via defined IPs only. It could be useful to restrict access to admin area e.g.:

location /admin/ {
## allow access from your IP
allow xxx.xxx.xxx.xxx/32;
## drop all other connections
deny all;
}

pic8

Conclusion

In this article I described how to optimize your nginx works and gave some advices about base security improvements.

You may be also interested in

Vote:
5 out of 5
Аverage rating : 5
Rated by: 1
1101 CT Amsterdam The Netherlands, Herikerbergweg 292
+31 20 262-58-98
700 300
ITGLOBAL.COM NL
700 300

You might also like...

We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.