
How to Secure Nginx: Best Practices and Configuration

To secure nginx, enable SSL/TLS for encrypted connections, restrict access using allow and deny directives, and add security headers like Content-Security-Policy. Also, keep nginx updated and disable unnecessary modules to reduce attack surface.

Syntax

The main directives to secure nginx include:

  • listen 443 ssl; - Enables HTTPS with SSL/TLS on port 443.
  • ssl_certificate and ssl_certificate_key - Point nginx at the certificate (chain) file and the matching private key.
  • allow and deny - Control access by client IP address or network to keep out unwanted visitors.
  • add_header - Add security headers like Strict-Transport-Security and Content-Security-Policy to responses.
  • server_tokens off; - Omits the nginx version from the Server header and error pages to avoid information leaks.
```nginx
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    server_tokens off;

    allow 192.168.1.0/24;
    deny all;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'" always;

    location / {
        root /var/www/html;
        index index.html;
    }
}
```

Example

This example shows a secure nginx server block that uses SSL, restricts access to a local network, hides version info, and adds security headers.

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    server_tokens off;

    allow 10.0.0.0/24;
    deny all;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Content-Security-Policy "default-src 'self'" always;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
```
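To check a configuration for the controls listed above before it is deployed, here is an added Python example (it is not from the article and not part of nginx; `nginx -t` validates syntax and file paths, not policy). It tokenises nginx configuration text into nested blocks and reports, per `server` block, which of the article's directives and headers are missing. The sample configuration is constructed inline and mirrors the article's "wrong" and "right" blocks. One check goes beyond what the article shows: nginx inherits `add_header` lines into a `location` only when that location defines none of its own, so a location that adds a single header silently drops the server-level set, and the audit flags that.

```python
"""Static audit of nginx server blocks for the controls the article lists.

Added example, not from the article: a small tokenizer/parser for nginx
configuration text plus checks for the directives recommended above.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    name: str                                        # e.g. "server", "location /api/"
    directives: list = field(default_factory=list)   # list of (name, [args])
    children: list = field(default_factory=list)     # nested Blocks


# Token classes: whitespace, "#" comments, quoted strings, braces/semicolon, bare words.
_TOKEN = re.compile(r'''
    \s+ | \#[^\n]* |
    "(?:[^"\\]|\\.)*" | '(?:[^'\\]|\\.)*' |
    [{};] | [^\s{};"']+
''', re.VERBOSE)


def tokenize(text):
    """Yield config tokens, skipping whitespace and comments and unquoting strings."""
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok.isspace() or tok.startswith('#'):
            continue
        yield tok[1:-1] if tok[0] in '"\'' else tok


def parse(text):
    """Parse config text into a root Block; raises ValueError on unbalanced braces."""
    root = Block('root')
    stack, args = [root], []
    for tok in tokenize(text):
        if tok == ';':                       # end of a simple directive
            if not args:
                raise ValueError('empty directive')
            stack[-1].directives.append((args[0], args[1:]))
            args = []
        elif tok == '{':                     # start of a nested block named by args
            if not args:
                raise ValueError('block without a name')
            child = Block(' '.join(args))
            stack[-1].children.append(child)
            stack.append(child)
            args = []
        elif tok == '}':
            if len(stack) == 1:
                raise ValueError('unexpected }')
            stack.pop()
        else:
            args.append(tok)
    if len(stack) != 1 or args:
        raise ValueError('unterminated block or directive')
    return root


def find_blocks(block, name):
    """Yield every nested block whose first word is `name` (e.g. 'server', 'location')."""
    for child in block.children:
        if child.name.split()[0] == name:
            yield child
        yield from find_blocks(child, name)


def audit_server(server):
    """Return a list of findings for one server block; an empty list means clean."""
    findings, d = [], server.directives

    def has(name, *args):
        return any(n == name and all(x in a for x in args) for n, a in d)

    if not has('listen', 'ssl'):
        findings.append('no `listen ... ssl`: traffic is unencrypted')
    else:
        for needed in ('ssl_certificate', 'ssl_certificate_key'):
            if not has(needed):
                findings.append(f'missing {needed}')
    if not has('server_tokens', 'off'):
        findings.append('server_tokens not off: version exposed')
    if not has('deny'):
        findings.append('no deny directive: access is not restricted by IP')
    hdrs = {a[0].lower() for n, a in d if n == 'add_header' and a}
    for h in ('strict-transport-security', 'content-security-policy', 'x-frame-options'):
        if h not in hdrs:
            findings.append(f'missing add_header {h}')
    # nginx inherits add_header into a location only if the location defines none itself
    for loc in find_blocks(server, 'location'):
        if any(n == 'add_header' for n, _ in loc.directives):
            findings.append(f'{loc.name} redefines add_header and drops the server-level headers')
    return findings


def audit(text):
    """Map each server block (keyed by server_name) to its findings."""
    report = {}
    for i, srv in enumerate(find_blocks(parse(text), 'server')):
        name = next((' '.join(a) for n, a in srv.directives if n == 'server_name'), f'<unnamed #{i}>')
        report[name] = audit_server(srv)
    return report


# Constructed sample: the article's "wrong" block, then a hardened block with one
# location that (incorrectly) adds its own header and so loses the server-level set.
SAMPLE_CONFIG = r'''
server {
    listen 80;
    server_name example.com;
}
server {
    listen 443 ssl;
    server_name secure.example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    server_tokens off;
    allow 10.0.0.0/24;
    deny all;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header Content-Security-Policy "default-src 'self'" always;
    location / { root /usr/share/nginx/html; }
    location /api/ { add_header X-Content-Type-Options nosniff always; }  # drops the set above
}
'''

if __name__ == '__main__':
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings or ['ok'])
```

Run it against a real file with `audit(open('/etc/nginx/sites-enabled/default').read())`; the parser only understands the directive/block grammar, so it will not resolve `include` files, and the checks are deliberately strict (a server-level `deny` is required because that is how the article restricts access; adjust `audit_server` if your policy puts `allow`/`deny` in specific locations instead).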

Common Pitfalls

  • Not enabling SSL leads to unencrypted traffic vulnerable to interception.
  • Using self-signed certificates without proper trust causes browser warnings.
  • Forgetting to restrict access with allow and deny can expose sensitive areas.
  • Missing security headers leaves your site open to clickjacking and content injection.
  • Leaving server_tokens on reveals the exact nginx version, which attackers can match against known vulnerabilities.
```nginx
## Wrong: No SSL and version info shown
server {
    listen 80;
    server_name example.com;
}

## Right: Enable SSL and hide version
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    server_tokens off;
}
```
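A runtime check for the pitfalls above, and for the HTTP-to-HTTPS redirect recommended in the Quick Reference, as an added Python example (not from the article): it parses a raw HTTP response head and reports a leaked Server version, a missing or short HSTS policy, a missing Content-Security-Policy or clickjacking header, and a plain-HTTP response that is served instead of redirected. The three responses are constructed inline; `fetch_head` is an optional standard-library helper for checking a live host and is not called by the sample run. The one-year HSTS threshold and the "any digit in the Server header means a version leak" heuristic are assumptions of this example.

```python
"""Runtime check of the response headers the article recommends.

Added example, not part of the article. Parses a raw HTTP/1.1 response head
and reports missing or weak controls; includes a live HEAD-request helper.
"""
import http.client
import re
import ssl

HSTS_MIN_AGE = 31536000   # assumption: one year, as in the article's first example


def parse_response(raw):
    """Split a raw response head into (status_code, {lower-cased header: value})."""
    status_line, _, rest = raw.partition('\r\n')
    code = int(status_line.split()[1])
    headers = {}
    for line in rest.split('\r\n'):
        if not line:
            break                         # blank line terminates the head
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return code, headers


def check_headers(code, headers, over_tls=True):
    """Return findings for one response; over_tls=False means the request was plain HTTP."""
    findings = []
    server = headers.get('server', '')
    if re.search(r'\d', server):          # "nginx/1.18.0" means server_tokens is still on
        findings.append(f'Server header leaks a version: {server!r}')
    if not over_tls:
        loc = headers.get('location', '')
        if code not in (301, 308) or not loc.startswith('https://'):
            findings.append('plain HTTP is served instead of redirected to HTTPS')
        return findings                   # HSTS/CSP are judged on the TLS response
    hsts = headers.get('strict-transport-security')
    if hsts is None:
        findings.append('missing Strict-Transport-Security')
    else:
        m = re.search(r'max-age=(\d+)', hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f'HSTS max-age below {HSTS_MIN_AGE}: {hsts!r}')
    if 'content-security-policy' not in headers:
        findings.append('missing Content-Security-Policy (content injection)')
    if headers.get('x-frame-options', '').upper() not in ('DENY', 'SAMEORIGIN'):
        findings.append('X-Frame-Options not DENY/SAMEORIGIN (clickjacking)')
    if headers.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('missing X-Content-Type-Options: nosniff')
    return findings


def fetch_head(host, port=443, use_tls=True, path='/'):
    """Live helper: send a HEAD request and return (status, headers) in parse_response's shape."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request('HEAD', path, headers={'Host': host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def audit_raw(raw, over_tls=True):
    """Convenience wrapper: findings for a raw response head string."""
    return check_headers(*parse_response(raw), over_tls=over_tls)


# Constructed sample responses: a server with server_tokens on and no headers,
# one configured as in the article's example, and a correct HTTP-to-HTTPS redirect.
LEAKY_RESPONSE = 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n'
HARDENED_RESPONSE = ('HTTP/1.1 200 OK\r\nServer: nginx\r\n'
                     'Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n'
                     'X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n'
                     "Content-Security-Policy: default-src 'self'\r\n\r\n")
REDIRECT_RESPONSE = ('HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n'
                     'Location: https://example.com/\r\n\r\n')

if __name__ == '__main__':
    for label, raw, tls in (('leaky', LEAKY_RESPONSE, True),
                            ('hardened', HARDENED_RESPONSE, True),
                            ('http-redirect', REDIRECT_RESPONSE, False)):
        print(label, audit_raw(raw, tls) or ['ok'])
```

Against a live host, run `check_headers(*fetch_head('example.com'))` for the TLS listener and `check_headers(*fetch_head('example.com', 80, use_tls=False), over_tls=False)` for the plain-HTTP one; the second call is what confirms the redirect the Quick Reference asks for.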

Quick Reference

Keep these tips in mind to secure your nginx server:

  • Always use valid SSL certificates and redirect HTTP to HTTPS.
  • Restrict access to trusted IPs with allow and deny.
  • Add security headers like Strict-Transport-Security, X-Frame-Options, and Content-Security-Policy.
  • Disable server_tokens to hide version info.
  • Keep nginx updated and remove unused modules.

Key Takeaways

  • Enable SSL/TLS to encrypt traffic and protect data.
  • Use allow and deny directives to restrict access by IP.
  • Add security headers to prevent common web attacks.
  • Turn off server_tokens to hide your nginx version.
  • Keep your nginx software updated and remove unused features.