Nginx configurations
The Nginx hardening guidelines below are the ones recommended by the Nginx vendor; for the MetaDefender Core product they are optional steps. Only follow them where they apply to your deployment.
These guidelines are supported on MetaDefender Core version 4.19.0 and above.
Restrictions
Only allow access to your own domain
Requests whose Host header does not match one of your hostnames are dropped with status 444 (Nginx closes the connection without sending a response). The dots in the hostnames are escaped so that each one matches a literal dot only:

    if ($host !~ ^(metadefendercore\.in|www\.metadefendercore\.in|images\.metadefendercore\.in)$ ) { return 444; }

Deny certain user-agents
Block user agents such as scanners, bots, and spammers that may be abusing your server:

    ## Block download agents ##
    if ($http_user_agent ~* LWP::Simple|BBBike|wget) { return 403; }

    ## Block robots ##
    if ($http_user_agent ~* msnbot|scrapbot) { return 403; }

Block referral spam
Requests whose Referer header matches the patterns below are denied; requests without such a referer, including direct access, are unaffected:

    ## Deny certain Referers ##
    if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) { return 403; }

Block particular APIs
    ## Block particular api ##
    location ~ "^/admin/config/session$" { return 403; }

How to configure
1.) Create a .conf file in the “built-in” folder (create the folder if it does not exist):
- On Windows, under <Installation Directory>\nginx\built-in\
- On Linux, under /etc/ometascan/nginx.d/built-in/
Here is a sample .conf file. Choose the rules that fit your scenario and update the .conf file accordingly:

    if ($host !~ ^(metadefendercore\.in|www\.metadefendercore\.in|images\.metadefendercore\.in)$ ) { return 444; }
    if ($http_user_agent ~* LWP::Simple|BBBike|wget) { return 403; }
    if ($http_user_agent ~* msnbot|scrapbot) { return 403; }
    if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) { return 403; }

2.) A restart of the “OPSWAT Metadefender Core” service is required.
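The script below is an added example and not part of the OPSWAT documentation. It generates the restrictions file from a list of allowed hostnames (escaping the dots, so a Host header such as metadefendercoreXin cannot slip past the pattern) and lets you evaluate candidate Host values against the same regex before the file goes into the built-in folder. The hostnames and the temporary output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the OPSWAT documentation: build the "built-in"
# restrictions .conf from a list of allowed hostnames and check candidate Host
# values against the same pattern before the file is deployed.
# The hostnames and the output directory below are constructed placeholders.

# Escape the dots in a hostname so the regex matches a literal "." only
# (an unescaped "." would also accept e.g. "metadefendercoreXin").
escape_host() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Build the anchored alternation ^(a\.example|www\.a\.example)$ from the arguments.
host_pattern() {
    pat=""
    for h in "$@"; do
        e=$(escape_host "$h")
        if [ -z "$pat" ]; then pat=$e; else pat="$pat|$e"; fi
    done
    printf '^(%s)$' "$pat"
}

# Evaluate a Host value the way nginx's "!~" test does: exit 0 when the request
# would be served, 1 when it would get a 444. nginx lowercases $host and strips
# the port before the comparison, so pass the bare hostname.
host_allowed() {
    value=$1; shift
    printf '%s\n' "$value" | grep -Eq "$(host_pattern "$@")"
}

# Write the restrictions file: $1 = output path, remaining args = allowed hosts.
# The user-agent, referer and API rules are the ones from the page, quoted so
# nginx never mis-tokenises the regex.
write_restrictions_conf() {
    out=$1; shift
    pattern=$(host_pattern "$@")
    cat > "$out" <<EOF
# Drop requests for unknown Host headers without a response.
if (\$host !~ "$pattern") { return 444; }

## Block download agents ##
if (\$http_user_agent ~* "LWP::Simple|BBBike|wget") { return 403; }

## Block robots ##
if (\$http_user_agent ~* "msnbot|scrapbot") { return 403; }

## Deny certain Referers ##
if (\$http_referer ~* "(babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen)") { return 403; }

## Block particular API ##
location ~ "^/admin/config/session\$" { return 403; }
EOF
}

# Demonstration with constructed hostnames; the file is written to a temp dir
# rather than /etc/ometascan/nginx.d/built-in/ so the script is safe to run anywhere.
DEMO_DIR=$(mktemp -d)
write_restrictions_conf "$DEMO_DIR/restrictions.conf" metadefendercore.in www.metadefendercore.in
cat "$DEMO_DIR/restrictions.conf"
for h in metadefendercore.in www.metadefendercore.in metadefendercoreXin 203.0.113.10; do
    if host_allowed "$h" metadefendercore.in www.metadefendercore.in; then
        echo "allowed:  $h"
    else
        echo "dropped:  $h  (444)"
    fi
done
```

Copy the generated file into the built-in folder, run `nginx -t` against the full configuration, and restart the service as described in step 2; the `host_allowed` check is useful again whenever a new hostname (a load balancer name, a second interface) is added, because a Host value that fails it will be dropped silently.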
OCSP - Online Certificate Status Protocol
1.) Modify the “ssl.conf” file (create it if it does not exist):
- On Windows, under <Installation Directory>\nginx\
- On Linux, under /etc/ometascan/nginx.d/
Modify the ssl.conf file with the following recommended settings:

    # Enable OCSP stapling, optimize session cache
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    # replace with the IP address of your resolver
    resolver 127.0.0.1;

2.) A restart of the “OPSWAT Metadefender Core” service is required.
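Two of the settings above fail silently when they are wrong: ssl_stapling_verify needs the issuer chain in ssl_trusted_certificate, and resolver 127.0.0.1 only works when a resolver actually listens on the loopback. In either case nginx keeps serving, just without a stapled response. The script below is an added example, not OPSWAT's code: it lints an ssl.conf for the directives and values recommended above, and, when given a host:port, asks a live server for a stapled response with openssl s_client. The sample configuration files are constructed.

```shell
#!/bin/sh
# Added example, not part of the OPSWAT documentation: check that an ssl.conf
# carries the stapling settings above with the intended values, then (optionally,
# with network access) confirm a live server really returns a stapled response.
# The sample configuration text is constructed.

# Print the value of directive $2 in file $1 without the trailing ';'.
# Comment lines are ignored and, as in nginx, the last occurrence wins.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | tail -n 1
}

# Compare the file against the expected settings. Problems go to stderr; the
# number of problems is printed on stdout so callers can test for zero.
lint_ssl_conf() {
    f=$1
    problems=0
    while read -r name want; do
        have=$(directive_value "$f" "$name")
        if [ "$want" = "-" ]; then            # any non-empty value is acceptable
            [ -n "$have" ] || { echo "missing: $name" >&2; problems=$((problems + 1)); }
        else
            [ "$have" = "$want" ] || { echo "expected '$name $want;', found '${have:-<absent>}'" >&2; problems=$((problems + 1)); }
        fi
    done <<EOF
ssl_stapling on
ssl_stapling_verify on
ssl_session_tickets off
ssl_trusted_certificate -
resolver -
EOF
    echo "$problems"
}

# Live check: ask the server for a stapled OCSP response during the handshake.
# Prints "stapled" or "not stapled". Needs network access, so it only runs when
# a host:port is passed on the command line.
stapling_status() {
    if printf 'Q\n' | openssl s_client -status -servername "${1%%:*}" -connect "$1" 2>/dev/null \
            | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    else
        echo "not stapled"
    fi
}

# Offline demonstration on two constructed files: the recommended settings, and
# a variant that leaves verification commented out and session tickets enabled.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/ssl-good.conf" <<'EOF'
# Enable OCSP stapling, optimize session cache
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver 127.0.0.1;
EOF
cat > "$DEMO_DIR/ssl-weak.conf" <<'EOF'
ssl_session_tickets on;
ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.1;
EOF
echo "good: $(lint_ssl_conf "$DEMO_DIR/ssl-good.conf") problem(s)"
echo "weak: $(lint_ssl_conf "$DEMO_DIR/ssl-weak.conf") problem(s)"
if [ $# -gt 0 ]; then
    stapling_status "$1"
fi
```

Run it as `sh check-ocsp.sh metadefendercore.in:443` (hostname is a placeholder) after the service restart in step 2. "not stapled" with a clean lint result usually points at the resolver or at a trusted-certificate file that lacks the intermediate CA.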
SELinux Secured Policy
By default, SELinux (the Linux security system based on role-based access control, available on Red Hat and CentOS) does not confine the Nginx web server. The following instructions help you set up and turn on that protection.
1.) First, install the required SELinux compile-time support:

    yum -y install selinux-policy-targeted selinux-policy-devel

2.) Download the targeted SELinux policies that harden the Nginx web server on Linux servers from the selinuxnginx project page:

    cd /opt
    wget 'http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc'

3.) Untar the archive:

    tar -zxvf se-ngix_1_0_10.tar.gz

4.) Compile the policy:

    cd se-ngix_1_0_10/nginx
    make

Sample output:

    Compiling targeted nginx module
    /usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
    Creating targeted nginx.pp policy package
    rm tmp/nginx.mod.fc tmp/nginx.mod

5.) Install the resulting nginx.pp SELinux module:

    /usr/sbin/semodule -i nginx.pp
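Installing the module does not by itself show whether Nginx is now confined. The script below is an added example, not part of the OPSWAT documentation or the selinuxnginx project: it checks the three things a practitioner looks at after step 5 (the module is listed, the nginx processes run in the confined domain, and the audit log shows no AVC denials for nginx). The helpers parse command output passed to them, so they run offline on the constructed listings embedded here; the live checks run only where the SELinux tools exist. The domain name nginx_t is an assumption about the selinuxnginx policy.

```shell
#!/bin/sh
# Added example, not part of the OPSWAT documentation: verify the outcome of the
# SELinux steps above. Helper functions parse command output given to them, so
# the script can be exercised offline; the live checks at the end run only where
# the SELinux tools exist. "nginx_t" as the confined domain is an assumption about
# the selinuxnginx policy, and the sample listings below are constructed.

# Is module $2 present in a "semodule -l" listing given as text in $1?
# (semodule -l prints one module name per line; older versions add a version column.)
module_listed() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# From "ps -eZ" output in $1, print the SELinux type of the first process named $2.
# The label is field 1 and has the form user:role:type:level.
process_type() {
    printf '%s\n' "$1" | awk -v c="$2" '$NF == c { split($1, ctx, ":"); print ctx[3]; exit }'
}

# Count AVC denials for command $2 in "ausearch -m AVC" style output given in $1.
avc_denials() {
    printf '%s\n' "$1" | grep -c "denied.*comm=\"$2\"" || true
}

# Constructed samples (not captured from a real host) for the offline demonstration.
SEMODULE_LISTING='apache
nginx
ssh'
PS_LISTING='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 systemd
system_u:system_r:nginx_t:s0     2310 ?        00:00:00 nginx
system_u:system_r:nginx_t:s0     2311 ?        00:00:00 nginx'
AUDIT_LOG='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=2311 comm="nginx" dest=8008 scontext=system_u:system_r:nginx_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

if module_listed "$SEMODULE_LISTING" nginx; then echo "sample listing: nginx module present"; fi
echo "sample ps: nginx runs as $(process_type "$PS_LISTING" nginx)"
echo "sample audit: $(avc_denials "$AUDIT_LOG" nginx) denial(s) for nginx"

# Live checks, only where SELinux userland is installed.
if command -v getenforce >/dev/null 2>&1; then
    echo "SELinux mode: $(getenforce)"
    if module_listed "$(semodule -l)" nginx; then
        echo "nginx policy module: loaded"
    else
        echo "nginx policy module: NOT loaded"
    fi
    echo "nginx domain: $(process_type "$(ps -eZ)" nginx)"
    if command -v ausearch >/dev/null 2>&1; then
        echo "AVC denials for nginx: $(avc_denials "$(ausearch -m AVC -c nginx 2>/dev/null)" nginx)"
    fi
fi
```

A non-zero denial count after the restart means the policy is blocking something MetaDefender Core's front end needs; the audit line names the permission and target type, which is what you take to audit2allow or to the policy's booleans rather than switching SELinux to permissive globally.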