
Security Configuration and Implementation Report

NGINX Configuration Documentation

Overview

This document provides a detailed explanation of the changes and enhancements made to the NGINX configuration for the www.wisewalletai.com server. The configuration focuses on optimizing security, performance, and access control. It includes the implementation of IP-based restrictions, HTTPS enforcement, custom error pages, and efficient logging for better debugging and maintenance.

1. Objectives

Enforce HTTPS for secure connections.
Restrict access to specific resources (/report.html) by IP address.
Implement custom error pages for better user experience and troubleshooting.
Hide server version information for security.
Log access and errors in a detailed and structured format.
Optimize performance through NGINX best practices.

2. Configuration Changes

2.1 General Configuration

Set User and Worker Processes:
Why: Defines the NGINX user (www-data) and automatically adjusts worker processes based on available CPU cores for optimal performance.
Configuration:
user www-data;
worker_processes auto;
pid /run/nginx.pid;

Optimize Events Block:
Why: Uses the epoll event method and lets each worker accept several new connections at once, which is what keeps NGINX responsive under many concurrent clients.
Configuration:
events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

2.2 HTTP Block

Hide Server Tokens:
Why: Removes the NGINX version from the Server header and built-in error pages, so attackers cannot read the version off a response and match it against known vulnerabilities.
Configuration:
server_tokens off;

Logging:
Why: Structured access and error logs help in troubleshooting and analytics.
Configuration:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
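As an added example (not part of the original document), the following Python parses lines written in the main log_format above and counts 403 responses per client for the IP-restricted /report.html, which is how repeated denied probes of that resource show up in the access log. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Regex matching the page's "main" log_format:
# '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
LOG_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"'
)

# Constructed sample lines in that format (not real traffic from the server).
SAMPLE_LOG = """\
206.84.167.234 - - [10/Jan/2025:10:00:01 +0000] "GET /report.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:00:05 +0000] "GET /report.html HTTP/1.1" 403 153 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2025:10:00:06 +0000] "GET /report.html HTTP/1.1" 403 153 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:12 +0000] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in 'main' format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # $request is "METHOD PATH PROTOCOL"; split the path out for per-resource checks.
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    return rec

def denied_attempts(log_text, path="/report.html", threshold=1):
    """Count 403 responses per client address for the restricted path and return
    the clients at or above threshold. A 403 on /report.html means the request
    came from an address outside the allow list, so repeats are worth reviewing."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 403 and rec["path"] == path:
            hits[rec["remote_addr"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```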

Performance Optimizations:
Why: Improves file transfer performance and reduces latency.
Configuration:
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 15;

2.3 HTTP Server Block

Restrict Access to /report.html:
Why: Limits access to sensitive resources based on IP addresses for added security.
Configuration:
location /report.html {
    root /usr/share/nginx/html;
    index report.html;

    allow 206.84.167.234;
    allow 84.68.111.180;
    deny all;
}

Redirect All HTTP Traffic to HTTPS:
Why: Ensures all traffic is encrypted and secure.
Configuration:
location / {
    return 301 https://$host$request_uri;
}

Custom Error Page for 403 Forbidden:
Why: Provides a user-friendly response for restricted access attempts.
Configuration:
error_page 403 /custom_403.html;
location = /custom_403.html {
    root /usr/share/nginx/html;
    internal;
}

2.4 HTTPS Server Block

Enable SSL for Secure Connections:
Why: Protects data in transit with TLS (the ssl_* directives), using the site certificate and its private key.
Configuration:
ssl_certificate /etc/ssl/wisewalletai/wisewalletai.com_ssl_certificate.cer;
ssl_certificate_key /etc/ssl/wisewalletai/_.wisewalletai.com_private_key.key;

Custom Error Pages for 403 and 404:
Why: Provides user-friendly error responses for restricted and not-found resources.
Configuration:
error_page 403 /custom_403.html;
location = /custom_403.html {
    root /usr/share/nginx/html;
    internal;
}

error_page 404 /404.html;
location = /404.html {
    root /usr/share/nginx/html;
    internal;
}

Restrict Access to /report.html:
Why: Applies the same IP allow list on the HTTPS listener, so the restriction holds on both ports.
Configuration:
location /report.html {
    root /usr/share/nginx/html;
    index report.html;

    allow 206.84.167.234;
    allow 84.68.111.180;
    deny all;
}
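Both /report.html blocks (HTTP and HTTPS) rely on the access module's first-match evaluation of allow/deny. As an added example, not from the original configuration, this Python models that evaluation over the page's own allow/deny lines, including CIDR subjects and the effect of listing deny all first; it assumes NGINX sees the real client address, with no proxy or CDN in front of it.

```python
import ipaddress

# The page's location /report.html block, copied here as a string so the
# parser below has a realistic input to read.
REPORT_LOCATION = """
location /report.html {
    root /usr/share/nginx/html;
    index report.html;

    allow 206.84.167.234;
    allow 84.68.111.180;
    deny all;   # everyone not listed above
}
"""

def parse_rules(config_text):
    """Extract (action, subject) pairs from allow/deny directives, in file order."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules

def rule_matches(subject, client_ip):
    """subject is 'all', a single address, or a CIDR network, as nginx accepts.
    An IPv4 rule never matches an IPv6 client (and vice versa)."""
    if subject == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(subject, strict=False)

def access_decision(rules, client_ip):
    """nginx checks rules in order and stops at the first match; a client that
    matches no rule is allowed, which is why the block must end with 'deny all'."""
    for action, subject in rules:
        if rule_matches(subject, client_ip):
            return action
    return "allow"

# Rules as written on the page: two allowed addresses, then deny all.
REPORT_RULES = parse_rules(REPORT_LOCATION)
```

Putting deny all before the allow lines denies the listed addresses too, since the first matching rule wins.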

Fallback Location for General Requests:
Why: Serves the requested file, then a directory of that name (via the index files), and otherwise returns 404 instead of passing the request to any other handler.
Configuration:
location / {
    try_files $uri $uri/ =404;
}

3. Key Benefits

Security Enhancements:
IP-based restrictions and hidden server tokens reduce the attack surface.
HTTPS ensures secure communication.
User-Friendly Error Handling:
Custom error pages provide better user experience and debugging support.
Performance Optimization:
Efficient event handling and file transfer mechanisms improve server responsiveness.
Simplified Maintenance:
Structured logs enable easier troubleshooting and analytics.

4. Deployment Instructions

Save Configuration: Save the updated configuration to /etc/nginx/nginx.conf.
Test Configuration: Run the following command to validate:
sudo nginx -t

Reload NGINX: Apply the changes:
sudo systemctl reload nginx

Here is the entire NGINX configuration file rewritten for www.wisewalletai.com, reflecting all the discussed enhancements:

Complete nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    # Hide server version
    server_tokens off;

    # Log format for access logs
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent"';

    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log warn;

    # Basic performance optimizations
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 15;
    types_hash_max_size 4096;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    # HTTP server block
    server {
        listen 80;
        server_name www.wisewalletai.com;

        # Custom error page for 403 Forbidden
        error_page 403 /custom_403.html;
        location = /custom_403.html {
            root /usr/share/nginx/html;
            internal;
        }

        # Note: this location serves report.html over plain HTTP to the allowed
        # addresses; only requests outside it are redirected to HTTPS below.
        location /report.html {
            root /usr/share/nginx/html;
            index report.html;

            # Restrict access by IP
            allow 206.84.167.234;
            allow 84.68.111.180;
            deny all;
        }

        # Redirect all other HTTP traffic to HTTPS
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # HTTPS server block
    server {
        listen 443 ssl;
        server_name www.wisewalletai.com;

        ssl_certificate /etc/ssl/wisewalletai/wisewalletai.com_ssl_certificate.cer;
        ssl_certificate_key /etc/ssl/wisewalletai/_.wisewalletai.com_private_key.key;

        root /usr/share/nginx/html;
        index index.html report.html;

        # Custom error page for 403 Forbidden
        error_page 403 /custom_403.html;
        location = /custom_403.html {
            root /usr/share/nginx/html;
            internal;
        }

        location /report.html {
            root /usr/share/nginx/html;
            index report.html;

            # Restrict access by IP
            allow 206.84.167.234;
            allow 84.68.111.180;
            deny all;
        }

        location / {
            try_files $uri $uri/ =404;
        }

        error_page 404 /404.html;
        location = /404.html {
            root /usr/share/nginx/html;
            internal;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
}