Simple script to harden an nginx webserver
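#!/usr/bin/env bash
# Simple script to harden an nginx webserver on a Debian/Ubuntu layout
# (/etc/nginx/nginx.conf and /etc/nginx/sites-available/default).
#
# Usage (as root):  yourIP=<admin-address> bash harden-nginx.sh
#
# Every configuration change is a guarded in-place sed edit, so the script can
# be re-run safely: the unguarded version inserted a fresh ssl_ciphers /
# ssl_session_* line on every run, and nginx refuses a configuration in which
# those directives are duplicated.
set -euo pipefail

readonly NGINX_CONF=/etc/nginx/nginx.conf
readonly SITE_CONF=/etc/nginx/sites-available/default

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Insert a directive on its own line after the first line matching a pattern,
# unless the file already contains that exact directive.
# Arguments:
#   $1 - file to edit in place
#   $2 - sed basic-regex pattern of the anchor line ("|" must not appear in it)
#   $3 - directive to insert; also used as the fixed-string "already applied"
#        marker, which is what makes re-runs idempotent
# Returns:   0 when the directive is present afterwards; sed's status otherwise
#######################################
insert_after() {
  local file=$1 pattern=$2 directive=$3
  if grep -qF -- "$directive" "$file"; then
    return 0
  fi
  # "&" re-emits the matched anchor line, so its indentation is preserved;
  # "\n" in the replacement is a GNU sed extension, as in the original edits.
  sed -i "s|${pattern}|&\n${directive}|" "$file"
}

(( EUID == 0 )) || die "must run as root"
# Admin address allowed to reach SSH. Fail here rather than hand ufw an empty
# value (the unguarded version expanded an unset $yourIP silently).
: "${yourIP:?set yourIP to the address allowed to reach port 22}"

# Firewall setup (-y: the script is meant to run unattended)
apt-get install -y ufw
ufw default deny incoming        # was "incomming", which ufw rejects
ufw default allow outgoing
ufw allow from "$yourIP" to any port 22
ufw allow 443
# The rules only take effect after "ufw enable"; that step is left to the
# operator because enabling deny-incoming from a session that does not come
# from $yourIP risks locking you out. Port 80 is not opened, so there is no
# HTTP->HTTPS redirect; clients must start on https://.

# Hide the nginx version (Debian ships the directive commented out; the
# substitution is a no-op on later runs)
sed -i "s/# server_tokens off;/server_tokens off;/g" "$NGINX_CONF"
# Remove ETags
insert_after "$NGINX_CONF" "server_tokens off;" "etag off;"
# Remove the default page
echo "" > /var/www/html/index.html

# Use strong cryptography. All three inserts anchor on
# ssl_prefer_server_ciphers, so the resulting order is:
#   ssl_prefer_server_ciphers / ssl_session_cache / ssl_session_timeout / ssl_ciphers
# NOTE(review): the two *-GCM-SHA512 names are not suites OpenSSL knows; it
# skips unknown names in a cipher list, so they are inert rather than harmful
# -- confirm with `openssl ciphers -v '<list>'`. ssl_protocols is left at the
# distribution default; restricting it to TLSv1.2+ is a separate decision.
insert_after "$NGINX_CONF" "ssl_prefer_server_ciphers on;" \
  "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;"
# SSL session timeout
insert_after "$NGINX_CONF" "ssl_prefer_server_ciphers on;" "ssl_session_timeout 5m;"
# SSL session cache
insert_after "$NGINX_CONF" "ssl_prefer_server_ciphers on;" "ssl_session_cache shared:SSL:10m;"

# Enable HttpOnly and Secure flags on cookies. proxy_cookie_path only rewrites
# Set-Cookie headers coming from a proxied upstream; it does nothing for
# static content served directly.
insert_after "$SITE_CONF" '^\s*try_files \$uri \$uri/ =404;' 'proxy_cookie_path / "/; secure; HttpOnly";'

# Response headers, each inserted directly after the document root so they sit
# in the server block (inherited by location blocks that define no add_header
# of their own).
# Clickjacking attack protection
insert_after "$SITE_CONF" "root /var/www/html;" "add_header X-Frame-Options DENY;"
# XSS protection (legacy header; current browsers ignore it, harmless to keep)
insert_after "$SITE_CONF" "root /var/www/html;" 'add_header X-XSS-Protection "1; mode=block";'
# Force secure connections: one year, for every subdomain too. Browsers
# remember this, so make sure all subdomains serve TLS before deploying.
insert_after "$SITE_CONF" "root /var/www/html;" 'add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";'
# MIME sniffing protection
insert_after "$SITE_CONF" "root /var/www/html;" "add_header X-Content-Type-Options nosniff;"
# Make XSS harder (default-src 'self' also blocks inline scripts and styles;
# pages that rely on them need an adjusted policy)
insert_after "$SITE_CONF" "root /var/www/html;" "add_header Content-Security-Policy \"default-src 'self';\";"
# Set X-Robots-Tag (none = noindex,nofollow: keeps the site out of search engines)
insert_after "$SITE_CONF" "root /var/www/html;" "add_header X-Robots-Tag none;"

# Validate the edited configuration before restarting, so a bad edit aborts
# here (set -e) instead of taking the running server down.
nginx -t
# Restart nginx
service nginx restart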