This content originally appeared on DEV Community and was authored by Ramer Labs
Introduction
If you’re a DevOps lead tasked with keeping a public‑facing web service reliable and secure, Nginx is often the front‑line reverse proxy you’ll rely on. While Nginx excels at performance, it also needs a solid security posture to survive the modern threat landscape. This tutorial walks you through seven practical steps to lock down Nginx using TLS, Fail2Ban, and a Web Application Firewall (WAF). The focus is on actionable configuration snippets you can drop into your existing setup.
1. Enforce Strong TLS Settings
TLS is the first line of defense. A weak cipher suite or an outdated protocol version can expose you to downgrade attacks.
- Disable SSLv2/SSLv3 and TLS 1.0/1.1
- Prefer TLS 1.3 when the client supports it
-
Use a modern cipher suite (e.g.,
TLS_AES_256_GCM_SHA384) - Enable OCSP stapling to speed up certificate validation
Add the following block to your nginx.conf or a dedicated tls.conf file:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers \
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Restart Nginx after editing:
sudo systemctl reload nginx
2. Harden HTTP Headers
Security‑focused headers reduce the attack surface for XSS, click‑jacking, and MIME sniffing.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self'" always;
Apply them in a server block that serves your public site.
3. Limit Request Size and Rate
Large bodies can be abused for DoS attacks, and rapid request bursts may indicate brute‑force attempts.
client_max_body_size 2M;
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
limit_req zone=mylimit burst=20 nodelay;
Adjust the rate and burst values based on typical traffic patterns.
4. Deploy ModSecurity as a WAF
ModSecurity provides a rule‑based engine that can block common web exploits (SQLi, XSS, etc.). Install it via your package manager and enable the OWASP Core Rule Set (CRS).
# Ubuntu/Debian example
sudo apt-get install libnginx-mod-http-modsecurity
sudo apt-get install owasp-modsecurity-crs
Then include the module in Nginx:
modsecurity on;
modsecurity_rules_file /etc/modsecurity/crs/crs-setup.conf;
Fine‑tune the CRS by disabling rules that generate false positives for your application.
5. Set Up Fail2Ban for Nginx Logs
Fail2Ban can automatically ban IPs that repeatedly trigger 4xx/5xx responses. Create a jail that watches the Nginx error log.
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 3600
Place the file in /etc/fail2ban/jail.d/nginx.conf and restart Fail2Ban:
sudo systemctl restart fail2ban
You can also add a custom filter (/etc/fail2ban/filter.d/nginx-http-auth.conf) that matches patterns like "401" or "403".
6. Separate Static and Dynamic Content
Running static assets (images, CSS, JS) from a dedicated location reduces the attack surface of your application backend.
server {
listen 443 ssl http2;
server_name static.example.com;
root /var/www/static;
location / {
try_files $uri $uri/ =404;
}
# Re‑use TLS block from earlier
include /etc/nginx/conf.d/tls.conf;
}
By isolating static content, you can apply stricter rate limits and even serve it from a CDN.
7. Automate Certificate Renewal
Manual certificate updates are a recipe for downtime. Use certbot with a systemd timer to keep your certs fresh.
sudo apt-get install certbot python3-certbot-nginx
sudo certbot renew --dry-run
Create a timer if your distro doesn’t provide one:
[Unit]
Description=Renew Let's Encrypt certificates
[Timer]
OnCalendar=weekly
Persistent=true
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
Place the file at /etc/systemd/system/certbot-renew.timer and enable it:
sudo systemctl enable --now certbot-renew.timer
Conclusion
Hardening Nginx is a layered process: strong TLS, security headers, request limiting, a WAF, automated bans, and diligent certificate management all work together to keep your service resilient. Implement these seven steps incrementally, test each change in a staging environment, and monitor logs for unexpected behavior. When you need a quick sanity check or a deeper dive into any of these topics, the community resources at https://lacidaweb.com can provide useful references and real‑world examples.
This content originally appeared on DEV Community and was authored by Ramer Labs
Ramer Labs | Sciencx (2025-09-25T07:00:23+00:00) 7 Tips for Hardening Nginx: TLS, Fail2Ban, and WAF Configuration. Retrieved from https://www.scien.cx/2025/09/25/7-tips-for-hardening-nginx-tls-fail2ban-and-waf-configuration/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.