Articles in this section

See more

NGINX Hardening (Enforcing HSTS, TLS/SSL Cipher Hardening, and Masking Internal Network Name)

Important Notes

  • Configuration Files: The following steps require editing your unique NGINX configuration files located in /etc/nginx/conf.d/. You can open them all using: 
    sudo vi /etc/nginx/conf.d/*.conf
  • Deployment: Newer JetPatch deployments may already have some hardening measures enabled by default. Verify your configuration and adjust as needed.
  • Custom Paths: If your configuration files are stored on custom mounts or non‑default paths, update the paths in these instructions accordingly.
  • Backup: Always back up your configuration before making changes. For Example: 
    sudo cp -r /etc/nginx /tmp/nginx_backup

Enforcing HSTS

HSTS (HTTP Strict Transport Security) forces browsers to use HTTPS for your site, reducing downgrade attack risks. To enforce HSTS:

  1. Open your HTTPS server block configuration (commonly in /etc/nginx/conf.d/intigua.nginx.conf).
  2. Add the following line after the second server { tag and before any error page definitions (e.g., before error_page 502 /static/502.html): 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    • max-age=31536000 sets HSTS for one year.
    • includeSubDomains applies the policy to all subdomains.

TLS/SSL Cipher Hardening

To protect data in transit, ensure that only modern TLS protocols and strong cipher suites are used. In your SSL configuration (typically found in your HTTPS server block in /etc/nginx/conf.d/intigua.nginx.conf or an included SSL file), update the settings as follows:

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

Placement:
These directives must be placed within the SSL context of your server block (i.e., where you have listen 443 ssl;). This ensures they apply to all secure connections.

Mask Internal Network Names / Private IP Addresses

To prevent leaking internal hostnames or IP addresses in responses, modify your main configuration file:

  1. Open /etc/nginx/nginx.conf in an editor.
  2. Within the http {} block, add a default server block as follows: 
    http {
    ...
    server {
    listen 80 default_server;
    server_name localhost;
    return 404;
    }
    ...
    }

This configuration forces NGINX to use “localhost” in any responses where an internal name might otherwise be exposed.

Hide the NGINX Version

Hiding the NGINX version in responses helps reduce the information available to attackers.

  1. In /etc/nginx/nginx.conf, within the http {} block, add: 
    server_tokens off;

This directive removes version details from the Server header and error pages.

Test and Restart NGINX

After applying the changes, test your configuration:

sudo nginx -t

If the output confirms that the configuration syntax is OK, reload or restart NGINX:

sudo systemctl restart nginx

If you receive any warnings (e.g., about deprecated directives), update or remove the indicated lines as needed.

Related articles

Comments

0 comments

Please sign in to leave a comment.