Nginx configurations

These hardening guidelines for the Nginx web server are recommended by the vendor and are optional steps for the MetaDefender Core product. Follow them only when applicable.

These guidelines are supported in MetaDefender Core version 4.19.0 and above.

Restrictions

Only allow access to our domain

Deny certain user-agents

Block user-agents, i.e. scanners, bots, and spammers, that may be abusing your server.

Block referral spam

Only direct access is allowed

How to configure

1.) Create a .conf file (create the “built-in” folder if it does not exist)

  • On Windows, under <Installation Directory>\nginx\built-in\
  • On Linux, under /etc/ometascan/nginx.d/built-in/

Here is a sample .conf file. Choose what fits your scenario and update the .conf file.

2.) A restart of the “OPSWAT Metadefender Core” service is required.
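
The three restrictions above written as one .conf fragment, as an added example (not the vendor's sample file). It assumes the built-in .conf files are included inside the Nginx server block; example.com, the user-agent names and the referrer keywords are constructed placeholders.

```nginx
# Added example, not OPSWAT's sample. Assumption: this file is included
# in "server" context, where the "if" and "return" directives are valid.
# All host names, agent names and keywords below are constructed placeholders.

# 1. Only allow access to our domain.
# Requests whose Host header is anything else (raw IP, other vhost names)
# are dropped: 444 is nginx's non-standard code that closes the connection
# without sending a response.
if ($host !~ ^(example\.com|www\.example\.com)$) {
    return 444;
}

# 2. Deny certain user-agents (~* is a case-insensitive regex match).
if ($http_user_agent ~* (ExampleScanner|ExampleSpamBot)) {
    return 403;
}

# 3. Block referral spam.
# An empty Referer (direct access) does not match and is still allowed.
if ($http_referer ~* (spam-keyword-one|spam-keyword-two)) {
    return 403;
}
```

List every host name or IP address that clients and integrations legitimately use in rule 1, otherwise their requests get no response at all. The User-Agent and Referer headers are client-controlled, so rules 2 and 3 reduce noise but are not access control.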

OCSP - Online Certificate Status Protocol

1.) Modify the “ssl.conf” file (create a new one if it does not exist)

  • On Windows, under <Installation Directory>\nginx\
  • On Linux, under /etc/ometascan/nginx.d/

Modify the ssl.conf file with the following recommended settings:

2.) A restart of the “OPSWAT Metadefender Core” service is required.

SELinux Secured Policy

By default, SELinux (a Linux security system based on role access, available on RedHat and CentOS) does not protect the Nginx web server. The following instructions will help you set up and turn on the protection.

1.) First, install required SELinux compile-time support:

2.) Then download the targeted SELinux policies to harden the Nginx web server on Linux servers from the selinuxnginx project page:

3.) Untar the same:

4.) Compile the same:

Sample output:

5.) Install the resulting nginx.pp SELinux module:
