Best practices of Nginx
If you choose to implement the Nginx web server, there are a few things we should look at to ensure the longevity of your web service.
From a security perspective, your web server could be accessible to the whole world. For this reason, we should make sure we are protected against some basic security threats:
- SELinux: Ensure that we have set SELinux to Enforcing on our CentOS system that hosts Nginx.
- DocumentRoot: Mount the DocumentRoot structure independently as its own filesystem, ensuring that malicious writes will not crash the Linux host if the disk fills, and secondly the partition or disk can be mounted with minimal rights, for example:
  LABEL=web /var/www ext4 ro,nosuid,noexec,nodev,noatime 0 2
- Use a host-based firewall: Allow only incoming TCP ports 80 and 443. Often, only outgoing UDP port 123 along with outgoing dynamic TCP ports need to be open, with port 123 being for time synchronization.
- Restrict HTTP methods available to Nginx. The RFC 2616...
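To check the DocumentRoot item above on a host, the following added example (not part of the original text) audits an fstab entry for the restrictive options shown in the sample line. The function name missing_mount_opts, the required-option list, and the two sample fstab files are assumptions constructed for illustration.

```shell
# Added example: audit the mount options of the DocumentRoot entry in an fstab file.
REQUIRED_OPTS="ro nosuid noexec nodev"   # taken from the sample fstab line above

# missing_mount_opts FSTAB MOUNTPOINT  (hypothetical helper name)
# Prints the required options absent from the entry, space separated.
# Returns 0 if none are missing, 1 if some are missing, 2 if there is no entry.
missing_mount_opts() {
    fstab=$1
    mountpoint=$2
    # fstab field 2 is the mount point, field 4 the comma-separated options.
    opts=$(awk -v mp="$mountpoint" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$fstab")
    [ -n "$opts" ] || return 2
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;                              # option present
            *) missing="${missing:+$missing }$want" ;;   # option absent
        esac
    done
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample fstab files (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fstab.good" <<'EOF'
# constructed sample
LABEL=root / ext4 defaults 0 1
LABEL=web /var/www ext4 ro,nosuid,noexec,nodev,noatime 0 2
EOF
cat > "$SAMPLE_DIR/fstab.weak" <<'EOF'
# constructed sample
LABEL=root / ext4 defaults 0 1
LABEL=web /var/www ext4 defaults,nosuid,noatime 0 2
EOF

for f in "$SAMPLE_DIR/fstab.good" "$SAMPLE_DIR/fstab.weak"; do
    if m=$(missing_mount_opts "$f" /var/www); then
        echo "$f: /var/www OK"
    else
        echo "$f: /var/www missing: $m"
    fi
done
```

On a real system, pass /etc/fstab as the first argument; the options actually in effect for a mounted filesystem can differ from fstab until it is remounted.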