Highest Voted 'nginx' Questions - IT Security Stack Exchange

68

votes

7 answers

Trying to make a Django-based site use HTTPS-only, not sure if it's secure?

The EFF recommends using HTTPS everywhere on your site, and I'm sure this site would agree. When I asked a question about using Django to implement HTTPS on my login page, that was certainly the response I got :) So I'm trying to do just that. I…

tls url-redirection nginx

asked Nov 16 '11 at 20:46

John C

1,207
2
11
15

56

votes

4 answers

Strange requests to web server

I have a Linode VPS running Nginx, which currently serves only static content. Once I was looking at the log and noticed some strange requests: XXX.193.171.202 - - [07/Aug/2013:14:04:36 +0400] "GET /user/soapCaller.bs HTTP/1.1" 404 142 "-" "Morfeus…

webserver nginx

asked Aug 08 '13 at 17:06

Michael Pankov

671
1
5
6

51

votes

5 answers

What exploit are these user agents trying to use?

I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (Nginx with PHP). The 1 in front of it is just how many times the user agent was seen in…

exploit webserver web nginx

asked Apr 02 '19 at 18:44

Alexis Evelyn

583
1
4
9

38

votes

7 answers

Recommended ssl_ciphers for security, compatibility - Perfect Forward secrecy

I'm currently using nginx with the following ciphers: ssl_ciphers HIGH:!aNULL:!eNULL:!LOW:!ADH:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; I would like to maintain compatibility to older browsers, especially also older mobile browsers and therefore not…

tls nginx forward-secrecy

asked Apr 01 '14 at 17:55

binaryanomaly

1,291
3
13
21

23

votes

2 answers

SSL/TLS: How to fix "Chain issues: Contains anchor"

I just ran a quick test at ssllabs.com: got A+, which I'm happy about. However there's one thing I don't know how to "fix": My site supports OCSP stapling and ssllabs keeps telling me: Chain issues: Contains anchor. I know this is just a "warning"…

tls nginx ocsp

asked Jan 19 '15 at 15:07

Ben Richard

3,006
5
16
18

20

votes

1 answer

Is every hash format that nginx accepts for HTTP Basic Auth weak against brute force?

According to http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html nginx can read password hashes of these types: crypt(), apr1, SHA1 & SSHA. This is how I understand how these hashes work and what the problem with them is: crypt() discards…

hash http nginx

asked Dec 12 '13 at 16:12

ahofmann

303
1
2
6

20

votes

4 answers

Dealing with SSL Certificates on Products

We are developing a product (device / system) that will be installed on customer sites. Many of our customers will (should) be concerned about security, and should be thinking about it seriously. Our product provides an API via HTTPS, which is used…

tls certificates nginx

asked Mar 31 '17 at 13:54

Attie

303
1
7

19

votes

3 answers

Nginx and HSM integration to hold private keys

We are using Nginx and storing private keys in a file on the server. We would like to move our private keys to an HSM so that SSL keys are stored in the HSM and never leave the HSM. All crypto operations required during SSL termination can be done…

tls openssl nginx hsm

asked Jun 11 '15 at 12:38

GG01

369
5
7

16

votes

6 answers

Server compromised for 2nd time, cannot locate source of attack

I need some help tracing a vulnerability on my server. For the second time, my server has been compromised with files being replaced with virus-ridden downloads. According to the filesystem dates, over a period of 45 minutes 4 exe files on my server…

linux webserver php nginx

asked Nov 28 '11 at 05:47

Mahmoud Al-Qudsi

279
2
7

16

votes

1 answer

Current State of BREACH (GZIP SSL Attack)?

It has been one year since BREACH made our way into our hearts, and there does not seem to be any articles or posts or patches since then, is my Google-fu weakening? Has BREACH been mitigated or patched in Apache/nginx? Can we enable GZIP on SSL if…

apache tls nginx

asked Aug 15 '14 at 10:07

jnovack

16

votes

4 answers

nginx - How to prevent processing requests with undefined server names with HTTPS

How do I avoid nginx processing a request with an undefined server name using the https protocol. The following configuration makes this work for normal http requests. It resets the connection for requests with empty host headers which equals to…

tls web-scanners nginx

asked Apr 14 '14 at 21:15

binaryanomaly

1,291
3
13
21

14

votes

3 answers

How can I explain to the client that rfc2385 TCP MD5 Checksums can't be turned on for linux webservers?

I've had a long running conversation with a client where they perform a Rapid7 security scan which then warns about TCP MD5 checksums missing on port 80. This is what I think I know: RFC 2385 was designed to protect BGP, and by extension BGP-type…

apache tcp security-theater nginx

asked Oct 23 '14 at 07:33

Kit Sunde

241
2
7

13

votes

3 answers

What can I do after an attack to our system that hit our login route?

This morning I checked our nginx logs. 46.x.x.90 - - [17/Jul/2017:05:51:31 +0000] "HEAD http://x.x.71.1:80/PMA2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-" 46.x.x.90 - - [17/Jul/2017:05:51:31 +0000] "HEAD http://x.x.71.1:80/PMA2012/…

nginx bot

asked Jul 17 '17 at 08:57

Andrew Graham-Yooll

241
1
2
6

12

votes

2 answers

What are the dangers of storing webserver temp files in the /tmp/ folder?

I have configured my first publicly accessible nginx server. I have configured it to use a /tmp/nginx folder to store temp files. This includes the body of http requests, proxy files etc. The /tmp folder is on external partition with nosuid,…

php unix file-system permissions nginx

asked Feb 11 '12 at 20:34

Galmi

223
2
5

9

votes

1 answer

Any security risk with raising client_max_body_size nginx?

i was wondering if there is any securitiy risk involved with raising the client_max_body_size in nginx from 1MB to 20GB?

webserver nginx

asked Jul 21 '15 at 05:27

Daniel Guldberg Aaes

215
2
5

Questions tagged [nginx]