Hello,

I have installed nginx on a freebsd server running octopress (via unicorn unix socket). Octopress servers static content but features some javascript, at least the theme I used and modified.

I would like to know what is the best way to secure nginx. I can use firewalls and maybe some additional nginx modules (if any). Since I post to website using SSH, SSL is not needed.

Is there anything else I can do to secure nginx?

Note that I cannot use jails because it's running on an embedded system which will not cope well with the ram needed by a jail.

Best regards

The most obvious thing I can think of is file and directory permissions. Unless [b]absolutely necessary[/b], the user and group assigned to nginx should never have write permissions to anything. That reduces the risk of someone possibly discovering a bug or whole somewhere that lets them upload some script that messes up your server.

As strange a suggestion as it may be for us UNIX fans, I'd also suggest running an antivirus daemon (such as ClamAV's clamscan daemon to scan files being accessed, and freshclam daemon for auto update) for "just in case" someone does manage to upload something.

nmap can be a great tool to test your firewall. Run every check nmap has on your home computer (with home firewall disabled during the nmap scan only, to prevent interference) to make sure you've truly blocked what you don't need open.

Keep everything up-to-date, especially if a security update came out.

The only other suggestion I have is to review the configuration for nginx, php (if needed), database software (if needed), and anything else accessible to the outside, just to make sure it is configured correctly. Also, if you have the time and patience, review the code (HTML, PHP, etc.) for your web site.

--
Piki