
Sanity check of my config - is it secure?

May 22, 2011 10:56AM
Hi

We had Nginx set up on a domain serving static content (images[0-9].domain.com). Recently we've made our main domain also use the same Nginx installation and proxy any PHP requests to Apache.

All is working fine. We've set it to serve all static content from our images.domain.com domains, and it will also catch any static content served from the main www.domain.com as well, before finally passing any dynamic php requests through to Apache.

What I want to check is that there are no problems with the configuration that would let someone view the source of our PHP pages or access restricted 'admin' directories, etc. I've not configured Nginx before, so I would appreciate some help checking my config.


# Main (global) context: worker identity and global error logging.
# Worker processes run as the "www" account.
# NOTE(review): confirm this account has read-only access to the docroot.
user www;
# Start six worker processes.
worker_processes 6;

# Global error log. No level is given, so nginx's default level applies.
error_log /var/log/nginx-error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


# Connection-processing context.
events {
# Upper bound on simultaneous connections per worker process. Connections to
# the proxied backend count against this limit as well as client connections.
worker_connections 1024;
}


http {
# Extension -> Content-Type map for files nginx serves itself.
include mime.types;
# Content-Type used when the extension is not found in mime.types. The file's
# bytes are still sent; this only changes how the client treats them.
default_type application/octet-stream;
#access_log logs/access.log main;

sendfile on;
#tcp_nopush on;

## Timeouts
# Values are in seconds. Short client timeouts limit how long a slow or idle
# client can hold a connection open.
client_body_timeout 10;
client_header_timeout 10;
# First value: how long an idle keep-alive connection stays open on the server.
# Second value: the timeout advertised in the Keep-Alive response header.
keepalive_timeout 5 5;
send_timeout 10;

gzip on;
# gzip_static on;
gzip_comp_level 5;
# Compress responses for HTTP/1.0 requests as well as HTTP/1.1.
gzip_http_version 1.0;
gzip_min_length 1000;
# text/html is always compressed in addition to the types listed here.
gzip_types text/plain text/css image/x-icon application/x-javascript;

# Catch-all virtual host: closes the connection without a response (444) for
# requests that reach this listen socket and match no other server_name.
# NOTE(review): default_server is chosen per listen address:port. This block
# listens on the wildcard address, while the servers below listen on a
# specific address (x.x.x.x:80). Requests arriving on that address are only
# matched against the servers that listen on it, and an unknown Host falls to
# the first of those (the images server), not to this block. Confirm which
# server really handles an unknown Host header on x.x.x.x.
server{
listen 80 default_server; #all other hosts deny
server_name _;
return 444;
}

# Static-content virtual host for the images*.x.com names. Nothing here is
# proxied to Apache; every matching request is answered from disk or refused.
# No server-level root and no "location /" are defined, so a URI that matches
# none of the locations below is looked up under nginx's built-in default root.
server { #IMAGES DOMAIN
listen x.x.x.x:80;
# NOTE(review): this line is cut off in the post (fourth name incomplete, no
# terminating ';'). As shown the file would not parse.
server_name images.x.com images1.x.com images2.x.com stat

# Do not advertise the nginx version in the Server header or on error pages.
server_tokens off;
gzip_comp_level 9;
# Static host: drop anything that is not GET or HEAD without a response.
if ($request_method !~ ^(GET|HEAD)$ ) {
return 444;
}



# Only serve these locations
# NOTE(review): "^~" means that when this prefix is the longest match, regex
# locations are NOT consulted. The "\.(php|html)" block further down therefore
# never applies to URIs under /images/, /applets/ or /css/. Any file in those
# directories, whatever its extension, is sent as-is from disk.
location ^~ /images/folder1/{

# NOTE(review): this looks like an extension whitelist, but "break" only stops
# further rewrite-module processing. It does not reject URIs that fail the
# match, so the block has no filtering effect. Also "jp?g" matches ".jg" and
# ".jpg" but not ".jpeg"; "jpe?g" is probably what was meant.
if ($request_uri ~* (^\/|\.ico|\.css|\.js|\.swf|\.gif|\.jp?g|\.png)$ ) {
break;
}

root /home/vhosts/x.com/httpdocs;
expires 7d;

}
location ^~ /images/folder2/{
root /home/vhosts/x.com/httpdocs;
expires 7d;

}

# Remaining /images/ paths: served from the same docroot, no Expires header.
location ^~/images/ {
root /home/vhosts/x.com/httpdocs;


}


location ^~ /applets/{
root /home/vhosts/x.com/httpdocs;
expires max;
}
location ^~ /css/{
root /home/vhosts/x.com/httpdocs;
expires max;
}


# Static files by extension anywhere else in the docroot (case-insensitive).
# NOTE(review): "jp?g" does not match ".jpeg"; see the note on folder1 above.
location ~* \.(ico|css|js|swf|gif|jp?g|png)$ {
root /home/vhosts/x.com/httpdocs;

}
# Refuse PHP/HTML on the static host.
# NOTE(review): the pattern has no "$" anchor, so it matches ".php" or ".html"
# anywhere in the URI, and it is only reached for URIs outside the "^~"
# prefixes above.
location ~* \.(php|html){
return 444; #should not happen, but just incase
}
# Drop requests whose Host header is not one of the image hostnames.
# NOTE(review): the dots are unescaped and there is no "$" anchor, so any Host
# value that merely begins with one of these names also passes. Escaping the
# dots and anchoring the end would make the check exact. The fourth
# server_name above (truncated in the post) is not in this list; confirm that
# is intended.
if ($host !~ ^(images.x.com|images1.x.com|images2.x.com)){
return 444;
}
# /admin/ is refused outright on the static host.
location ^~/admin/ {
deny all;


}



}

# Bare domain: every request is answered with a permanent redirect to the same
# path on http://www.x.com.
server { #MAIN DOMAIN - REDIRECT TO www.
listen x.x.x.x:80;
server_name x.com;
rewrite ^(.*) http://www.x.com$1 permanent;

}
# Main site: nginx answers static files itself and proxies everything else to
# Apache on the loopback interface.
# NOTE(review): any request nginx answers from disk never reaches Apache, so
# Apache-side protections (.htaccess rules, auth on /admin/, PHP execution)
# do not apply to it. The static locations below decide what can be read
# straight from the docroot.
server { #MAIN DOMAIN
listen x.x.x.x:80;
server_name www.x.com;

#access_log /var/log/nginx.access.log;
error_log /var/log/nginx.error.log;

# Status counters, limited to one /24. Every other client gets 403.
location /nginx_status {

stub_status on;
access_log off;
allow x.x.x.x/24;
deny all;
}

# NOTE(review): the "^~" prefix locations below serve ANY file under these
# directories from disk, regardless of extension. If a .php, .inc, backup or
# dot-file ever ends up there it is returned as raw source instead of being
# executed or refused by Apache. Verify that these trees hold static assets
# only, or restrict them by extension.
location ^~ /images/folder1/{
root /home/vhosts/x.com/httpdocs;
expires 7d;

}
location ^~ /images/folder2/{
root /home/vhosts/x.com/httpdocs;
expires 7d;

}


location ^~/images/ {
root /home/vhosts/x.com/httpdocs;

}


location ^~ /applets/{
root /home/vhosts/x.com/httpdocs;
expires max;
}
location ^~ /css/{
root /home/vhosts/x.com/httpdocs;
expires max;
}


# Static files by extension anywhere in the docroot (case-insensitive).
# NOTE(review): this also covers paths such as /admin/*.js or /admin/*.css,
# which nginx serves without any access control Apache applies to /admin/.
# This server block has no /admin/ rule of its own. "jp?g" matches ".jg" and
# ".jpg" but not ".jpeg", so .jpeg files fall through to Apache.
location ~* \.(ico|css|js|swf|gif|jp?g|png)$ {
root /home/vhosts/x.com/httpdocs;
#expires max;
}

# Everything else, including all .php requests outside the "^~" prefixes,
# is proxied to Apache.
# NOTE(review): confirm Apache on port 8080 is bound to loopback or
# firewalled, so clients cannot reach it directly and bypass these rules.
location / {
proxy_pass http://127.0.0.1:8080;

#CACHING
#proxy_cache my-cache;
#proxy_cache_valid 200 302 1m;
#proxy_cache_valid 404 1m;

#proxy_redirect off;
# Pass the original Host and client address to the backend.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends the client address to whatever
# X-Forwarded-For header the client sent, so earlier entries are
# client-controlled. The backend should rely on X-Real-IP or on the last
# entry only when making IP-based decisions.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# NOTE(review): the 200 MB body limit and the 900-second proxy timeouts
# apply to every proxied URI, not just upload endpoints, so a single request
# can hold a connection and backend worker for a long time. Consider scoping
# them to the upload location.
client_max_body_size 200m; #max upload size

client_body_buffer_size 128k;
proxy_connect_timeout 900;
proxy_send_timeout 900;
proxy_read_timeout 900;
#proxy_buffer_size 4k;
#proxy_buffers 4 32k;
#proxy_busy_buffers_size 64k;
#proxy_temp_file_write_size 64k;

}
}

}


