harden nginx

[afeld]

From @maverickquant:

---

Other General Nginx Security concerns and recommendations:

• [ ] Disable Unwanted HTTP Methods in Nginx

  if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 444;
  }

• [ ] Disable weak cipher suites-Enable Strong TLS Ciphers

  Set your cipher strength to something secure, yet compatible. Add following under server block in ssl.conf file:

  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SH

  Not sure if there is a GSA standard for this ciphers-.Will confirm and let you know.

• [x] Avoid self-signed certs especially in prod.

• [ ] Remove Unnecessary Modules in Nginx -if any

• [ ] Setup Monitor Logs for Nginx

• [ ] proxy_ssl_verify: on :: ensure on:: Verifies the validity of certificates.

• [ ] Restrict Access by IP from Nginx.

• [ ] Limit Input Traffic via IPTables.

• [x] Disable server_tokens Directive in Nginx. The server_tokens directive tells Nginx to display its current version on error pages.

---

Crossed off items that I don't believe are applicable.

[afeld]

Likely of interest: https://github.com/dev-sec/ansible-nginx-hardening

[afeld]

@maverickquant Are any of these blockers to deploying in our real environment? Hoping we can come back to some/most later.

Restrict Access by IP from Nginx. Limit Input Traffic via IPTables.

/cc https://github.com/GSA/ISE-Security-Benchmarks/issues/4

[maverickquant]

Definitely .Those blockers can be revisited.

[afeld]

Question from the ISE SecDevOps Survey:

What does current content align to, i.e. (CIS, vendor, other resource)?