MihaiN Posted February 6, 2019

Hello community,

Can anyone please point me in the right direction on how to strengthen the security of a standard Nginx on Ubuntu 18.04 when installing Revive? I saw in the documentation that if there are no .htaccess files, extra security steps need to be taken.

Thank you very much.
Fritex Posted January 12, 2020 (edited)

Which Nginx version are you using?

Use 775 rather than 777 on directories:

var
var/cache
var/plugins
var/templates_compiled
plugins
www/admin/plugins
www/images

Set up robots.txt to block search engines and bots from following and indexing:

User-agent: *
Disallow: /

Use the newest version of Nginx, PHP and Revive Adserver. Prefer to use HTTPS. Add the HSTS header too. Use Gzip or Brotli, and add cache headers (expires, etag, cache-control for html, js, css, images ...).

This can help too for security:

# Never serve source, config, backup, log or script files by extension
location ~* \.(git|rb|inc|ht|bak|htaccess|sql|log|htpasswd|engine|info|install|test|po|sh|theme|pl|cgi|py|lua)$ {
    deny all;
    # log_not_found off;
    access_log off;
}

# Never serve dotfiles or dot-directories (.htaccess, .git, ...)
location ~ /\. {
    deny all;
    # log_not_found off;
    access_log off;
}

# Response headers against MIME sniffing and reflected XSS
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

# Only GET, HEAD and POST are allowed; 444 drops the connection without a response
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}

# Block well-known scanner and download-tool user agents
if ($http_user_agent ~ (Acunetix|libwww|libwww-perl|sqlmap|WinHttp.WinHttpRequest|WinHTTP|Zeus|curl|wget|scan|winhttp|HTTrack|havij|WVS) ) {
    return 403;
}

if ( $request_method ~* ^(TRACE|DELETE|TRACK)$ ) {
    return 403;
}

# Flag suspicious query strings (path traversal, injection patterns, remote URLs ...)
set $susquery 0;
if ($args ~* "\.\./") { set $susquery 1; }
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot.ini") { set $susquery 1; }
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
if ($args ~* "(127.0)") { set $susquery 1; }
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }

# Whitelist: clear the flag for a few known-good requests. These must use "~",
# not "!~": with "!~" almost every request would reset the flag to 0 and the
# "return 403" below would never fire. The query names and the
# maps.googleapis.com referer are WordPress-specific exceptions.
if ($args ~ "^loggedout=true") { set $susquery 0; }
if ($args ~ "^action=jetpack-sso") { set $susquery 0; }
if ($args ~ "^action=rp") { set $susquery 0; }
if ($http_referer ~ "^http://maps.googleapis.com(.*)$") { set $susquery 0; }

if ($susquery = 1) {
    return 403;
}

location = /robots.txt {
    allow all;
    # log_not_found off;
    access_log off;
}

location ~ /nginx.conf {
    deny all;
    access_log off;
    # log_not_found off;
}

You can also use .htpasswd to protect the folder where your Revive Adserver is installed. So, if the user/pass is wrong, the visitor/client would get a 401 error.

Edited January 12, 2020 by Fritex: htpasswd protected folder
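Putting the pieces of the reply together, here is an added example (not from the thread and not from the Revive project) of a complete nginx server block for a Revive install that has no working .htaccess files: it denies the directories that Revive's own .htaccess files protect, puts the admin UI behind basic auth, and sets the HSTS and nosniff headers. Assumptions: the document root is the Revive install directory (so the admin and delivery URLs are /www/admin/ and /www/delivery/), Revive's private directories are var/, plugins/, lib/ and etc/, PHP 7.2 FPM as shipped with Ubuntu 18.04 with the Debian/Ubuntu fastcgi-php.conf snippet, and placeholder hostname, install path, certificate and htpasswd file paths.

```nginx
# Added example: nginx vhost for Revive Adserver without .htaccess.
# Placeholders: ads.example.com, /srv/revive-adserver, the TLS files and the
# htpasswd file (create it with: htpasswd -c /etc/nginx/revive.htpasswd admin).
server {
    listen 443 ssl http2;
    server_name ads.example.com;               # placeholder
    root /srv/revive-adserver;                 # placeholder: Revive install dir
    index index.php index.html;

    ssl_certificate     /etc/ssl/certs/ads.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/ads.example.com.key; # placeholder

    # Headers from the reply: HSTS (only once HTTPS works everywhere) and nosniff
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;

    # Equivalent of the var/ and plugins/ .htaccess files: nothing under these
    # paths (config, cache, compiled templates, plugin and library code) is served
    location ^~ /var/     { deny all; }
    location ^~ /plugins/ { deny all; }
    location ^~ /lib/     { deny all; }
    location ^~ /etc/     { deny all; }

    # Dotfiles and backup/config leftovers anywhere under the docroot
    location ~ /\.                   { deny all; access_log off; }
    location ~* \.(bak|sql|log|inc)$ { deny all; access_log off; }

    # Admin UI behind HTTP basic auth (the "htpasswd protected folder" idea).
    # "^~" skips server-level regex locations, so the PHP and dotfile rules
    # are repeated inside this block.
    location ^~ /www/admin/ {
        auth_basic           "Revive admin";
        auth_basic_user_file /etc/nginx/revive.htpasswd;   # placeholder
        location ~ /\. { deny all; }
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;   # checks the script exists first
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        }
    }

    # Delivery scripts stay public: ad tags call /www/delivery/*.php
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}

# Plain HTTP only redirects to HTTPS
server { listen 80; server_name ads.example.com; return 301 https://$host$request_uri; }
```

Check the result with `nginx -t`, then confirm from outside that a request for /var/ or /plugins/ returns 403 and that /www/admin/ prompts for credentials while /www/delivery/ does not.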