Questions tagged [nginx]

nginx (pronounced engine-x) is a popular BSD-licensed HTTP and reverse proxy server, written by Igor Sysoev.

165 questions
68 votes, 7 answers

Trying to make a Django-based site use HTTPS-only, not sure if it's secure?

The EFF recommends using HTTPS everywhere on your site, and I'm sure this site would agree. When I asked a question about using Django to implement HTTPS on my login page, that was certainly the response I got :) So I'm trying to do just that. I…
John C
56 votes, 4 answers

Strange requests to web server

I have a Linode VPS running Nginx, which currently serves only static content. Once I was looking at the log and noticed some strange requests: XXX.193.171.202 - - [07/Aug/2013:14:04:36 +0400] "GET /user/soapCaller.bs HTTP/1.1" 404 142 "-" "Morfeus…
Michael Pankov
51 votes, 5 answers

What exploit are these user agents trying to use?

I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (Nginx with PHP). The 1 in front of it is just how many times the user agent was seen in…
Alexis Evelyn
38 votes, 7 answers

Recommended ssl_ciphers for security, compatibility - Perfect Forward secrecy

I'm currently using nginx with the following ciphers: ssl_ciphers HIGH:!aNULL:!eNULL:!LOW:!ADH:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; I would like to maintain compatibility to older browsers, especially also older mobile browsers and therefore not…
binaryanomaly
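Added example (not from the question or its answers): the cipher string quoted above is expanded with the `ssl` module of the local OpenSSL build, and every resulting suite is checked for an ephemeral key exchange. Suites such as AES256-GCM-SHA384 use static RSA key exchange and give no forward secrecy, even though they match `HIGH`. The replacement string is one reasonable PFS-only choice, not an official recommendation, and the exact suite names depend on the OpenSSL version Python is linked against.

```python
"""Find suites without forward secrecy in an nginx ssl_ciphers string."""
import ssl

# the string from the question above
QUESTION = "HIGH:!aNULL:!eNULL:!LOW:!ADH:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

# assumption: a PFS-only replacement, restricted to ECDHE/DHE key exchange
RECOMMENDED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"


def expand(cipher_string):
    """Return the OpenSSL suite names that a cipher string selects on this host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def has_pfs(name):
    # (EC)DHE-* suites use ephemeral Diffie-Hellman; TLS 1.3 suites (TLS_*)
    # always do, because TLS 1.3 removed static RSA key exchange entirely.
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def non_pfs(cipher_string):
    """Suites selected by the string whose key exchange is not ephemeral."""
    return [n for n in expand(cipher_string) if not has_pfs(n)]


if __name__ == "__main__":
    print("no forward secrecy in the question's list:")
    for name in non_pfs(QUESTION):
        print("  ", name)
    print("no forward secrecy in the replacement:", non_pfs(RECOMMENDED) or "none")
```

Run it on the machine that serves the site, since the list is computed from that machine's OpenSSL. The price of the replacement string is that clients which only offer static RSA key exchange can no longer connect; whether that matters depends on which old mobile browsers you still need to serve.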
23 votes, 2 answers

SSL/TLS: How to fix "Chain issues: Contains anchor"

I just ran a quick test at ssllabs.com: got A+, which I'm happy about. However there's one thing I don't know how to "fix": My site supports OCSP stapling and ssllabs keeps telling me: Chain issues: Contains anchor. I know this is just a "warning"…
Ben Richard
20 votes, 1 answer

Is every hash format that nginx accepts for HTTP Basic Auth weak against brute force?

According to http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html nginx can read password hashes of these types: crypt(), apr1, SHA1 & SSHA. This is how I understand how these hashes work and what the problem with them is: crypt() discards…
ahofmann
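Added example (not from the question, its answers, or nginx itself): the two SHA-1 based formats that the nginx documentation lists, unsalted `{SHA}` and salted `{SSHA}`, built with nothing but `hashlib`, then run through a dictionary attack. It shows the two properties the question is about: identical passwords give identical `{SHA}` lines, and the salt in `{SSHA}` prevents that but does not slow an attacker down, since each guess still costs one SHA-1. The crypt() and apr1 formats are left out; users, passwords, salts and wordlist are constructed for the demonstration.

```python
"""nginx {SHA} and {SSHA} htpasswd entries under a dictionary attack."""
import base64
import hashlib
import os


def sha_entry(password):
    # {SHA}: base64(SHA1(password)). No salt, so equal passwords give equal lines
    # and a single precomputed table serves every user and every site.
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def ssha_entry(password, salt=None):
    # {SSHA}: base64(SHA1(password || salt) || salt). The salt is stored in the
    # clear, so it only defeats precomputation, not per-guess brute force.
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(entry, password):
    """Recompute the entry from the candidate password and compare."""
    if entry.startswith("{SHA}"):
        return entry == sha_entry(password)
    if entry.startswith("{SSHA}"):
        raw = base64.b64decode(entry[len("{SSHA}"):])
        salt = raw[20:]  # SHA-1 digest is 20 bytes; whatever follows is the salt
        return entry == ssha_entry(password, salt)
    raise ValueError("unsupported hash format: " + entry[:6])


def crack(htpasswd, wordlist):
    """Dictionary attack. Returns ({user: password}, number of hashes computed)."""
    found, ops = {}, 0
    for user, entry in htpasswd.items():
        for guess in wordlist:
            ops += 1  # one SHA-1 per guess for both formats
            if verify(entry, guess):
                found[user] = guess
                break
    return found, ops


def demo():
    # constructed htpasswd file: four users, all with the same weak password
    htpasswd = {
        "alice": sha_entry("hunter2"),
        "bob": sha_entry("hunter2"),                        # identical to alice's line
        "carol": ssha_entry("hunter2", b"\x01\x02\x03\x04"),
        "dave": ssha_entry("hunter2", b"\x05\x06\x07\x08"),  # differs from carol's line
    }
    wordlist = ["password", "letmein", "hunter2", "qwerty"]
    return htpasswd, crack(htpasswd, wordlist)


if __name__ == "__main__":
    entries, (found, ops) = demo()
    for user, entry in entries.items():
        print(user, entry)
    print("cracked:", found, "after", ops, "SHA-1 computations")
```

With the unsalted format an attacker who sees that alice and bob share a line only has to crack one of them; with `{SSHA}` they must attack each user separately, but at the full speed of SHA-1, which is why neither format is a match for a slow, iterated hash.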
20 votes, 4 answers

Dealing with SSL Certificates on Products

We are developing a product (device / system) that will be installed on customer sites. Many of our customers will (should) be concerned about security, and should be thinking about it seriously. Our product provides an API via HTTPS, which is used…
Attie
19 votes, 3 answers

Nginx and HSM integration to hold private keys

We are using Nginx and storing private keys in a file on the server. We would like to move our private keys to an HSM so that SSL keys are stored in the HSM and never leave the HSM. All crypto operations required during SSL termination can be done…
GG01
16 votes, 6 answers

Server compromised for 2nd time, cannot locate source of attack

I need some help tracing a vulnerability on my server. For the second time, my server has been compromised with files being replaced with virus-ridden downloads. According to the filesystem dates, over a period of 45 minutes 4 exe files on my server…
16 votes, 1 answer

Current State of BREACH (GZIP SSL Attack)?

It has been one year since BREACH made our way into our hearts, and there does not seem to be any articles or posts or patches since then, is my Google-fu weakening? Has BREACH been mitigated or patched in Apache/nginx? Can we enable GZIP on SSL if…
jnovack
16 votes, 4 answers

nginx - How to prevent processing requests with undefined server names with HTTPS

How do I avoid nginx processing a request with an undefined server name using the https protocol. The following configuration makes this work for normal http requests. It resets the connection for requests with empty host headers which equals to…
binaryanomaly
14 votes, 3 answers

How can I explain to the client that rfc2385 TCP MD5 Checksums can't be turned on for linux webservers?

I've had a long running conversation with a client where they perform a Rapid7 security scan which then warns about TCP MD5 checksums missing on port 80. This is what I think I know: RFC 2385 was designed to protect BGP, and by extension BGP-type…
Kit Sunde
13 votes, 3 answers

What can I do after an attack to our system that hit our login route?

This morning I checked our nginx logs. 46.x.x.90 - - [17/Jul/2017:05:51:31 +0000] "HEAD http://x.x.71.1:80/PMA2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-" 46.x.x.90 - - [17/Jul/2017:05:51:31 +0000] "HEAD http://x.x.71.1:80/PMA2012/…
12 votes, 2 answers

What are the dangers of storing webserver temp files in the /tmp/ folder?

I have configured my first publicly accessible nginx server. I have configured it to use a /tmp/nginx folder to store temp files. This includes the body of http requests, proxy files etc. The /tmp folder is on external partition with nosuid,…
Galmi
9 votes, 1 answer

Any security risk with raising client_max_body_size nginx?

I was wondering if there is any security risk involved with raising the client_max_body_size in nginx from 1MB to 20GB?