Nginx configurations
These hardening guidelines for the Nginx web server are recommended by the vendor and are optional steps for the MetaDefender Core product. Follow them only where applicable.
These guidelines are supported in MetaDefender Core version 4.19.0 and above.
Restrictions
Only allow access to our domain
Deny certain user-agents
Block user-agents, i.e. scanners, bots, and spammers, that may be abusing your server.
Block referral spam
Only direct access is allowed
Block particular APIs
How to configure
1.) Create a .conf file (create the “built-in” folder if it does not exist)
- On Windows, under <Installation Directory>\nginx\built-in\
- On Linux, under /etc/ometascan/nginx.d/built-in/
Here is a sample .conf file. Choose what fits your scenario and update the .conf file accordingly.
2.) A restart of the “OPSWAT Metadefender Core” service is required.
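The four restrictions listed above, written out as an added example (not OPSWAT's own sample file). It assumes the built-in .conf file is included inside the Nginx `server` block; the host name, user-agent strings and API path are constructed placeholders.

```nginx
# Added example: restriction rules for a file in the "built-in" folder.
# Assumption: this file is included in server context.
# All names below are placeholders, not values from the product.

# 1. Only allow access to our domain: close the connection for any
#    request whose Host header is not the expected name.
if ($host != "metadefender.example.com") {
    return 444;   # nginx-specific: drop the connection without a response
}

# 2. Deny certain user-agents (case-insensitive match on the header).
#    Replace the constructed names with the agents seen abusing your server.
if ($http_user_agent ~* "(examplescanner|examplebot|examplespammer)") {
    return 403;
}

# 3. Block referral spam: accept only direct access (no Referer header)
#    or requests referred from our own domain.
valid_referers none metadefender.example.com;
if ($invalid_referer) {
    return 403;
}

# 4. Block a particular API: exact-match location for the endpoint
#    that should not be reachable through this server.
location = /path/to/blocked/api {
    return 403;
}
```

Replace every placeholder before restarting the service: a wrong host name in the first rule rejects all clients, including the management console.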
OCSP - Online Certificate Status Protocol
1.) Modify the “ssl.conf” file (create a new one if it does not exist)
- On Windows, under <Installation Directory>\nginx\
- On Linux, under /etc/ometascan/nginx.d/
Modify the ssl.conf file with the following recommended settings
2.) A restart of the “OPSWAT Metadefender Core” service is required.
SELinux Secured Policy
By default, SELinux (a Linux security system based on role access, available on Red Hat and CentOS) does not protect the Nginx web server. The following instructions will help you set up and turn on the protection.
1.) First, install the required SELinux compile-time support:
2.) Then download the targeted SELinux policies to harden the Nginx web server on Linux servers from the selinuxnginx project page:
3.) Untar the archive:
4.) Compile it:
Sample output:
5.) Install the resulting nginx.pp SELinux module: