Security - nginx size limits

Description

An nginx production webserver should prevent buffer attacks. While there are defaults for the different client request buffer setting and size limits it might be worth minimizing the as much as possible.

Solution

printf "client_body_buffer_size 1K;nclient_header_buffer_size 1k;nclient_max_body_size 1k;nlarge_client_header_buffers 2 1k;n" >/etc/nginx/conf.d/50-size-limits.conf

References

http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers

Check Script: security-nginx-size-limits.sh

#!/bin/bash

settings="
client_body_buffer_size
client_header_buffer_size
client_max_body_size
large_client_header_buffers
"

locations="/etc/nginx /usr/local/nginx/conf"

for dir in $locations; do
	if [ -d $dir ]; then
		for s in $settings; do
			if ! rgrep -q "$s[[:space:]][[:space:]]*[1-9]" $dir/*-enabled $dir/conf.d; then
				result_failed "$s is not set anywhere in $locations"
			fi
		done
	fi
done

Comment on Disqus