Nginx is installed by the installation script that ships with the SaltMiner installation package. Nginx is configured through the file nginx.conf, which by default is found in /etc/nginx.
A default nginx.conf with recommended security settings is included in the SaltMiner download. To edit the configuration file from the CLI:
sudo vi /etc/nginx/nginx.conf
Nginx Security
Key entries for security in nginx.conf are listed below.
We recommend returning as little information as possible about the nginx server.
In Linux the standard security measure is to hide the NGINX version and OS information by adding the following:
# do not return nginx version info or OS info
server_tokens off;
In RHEL you can hide the Server header completely using third-party modules.
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-module-security-headers
Now you can adjust your nginx.conf like this:
load_module modules/ngx_http_security_headers_module.so;
http {
…
hide_server_tokens on;
…
}
Content Security Policy (CSP)
# The Content-Security-Policy (CSP) header restricts where scripts and other resources may be loaded from;
# default-src 'self' permits only same-origin sources.
add_header Content-Security-Policy "default-src 'self';" always;
Only Permit HTTPS Connections
We suggest that you disable the HTTP protocol by forwarding all requests to HTTPS (from port 80 to port 443):
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
In the HTTPS server section (port 443) set the following:
# Set accepted protocols. Dropping SSLv3, ref: POODLE
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# Specify accepted ciphers, excluding weak ciphers.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Specify that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (63072000 seconds = two years)
add_header Strict-Transport-Security "max-age=63072000" always;
After making changes to the configuration, restart nginx:
sudo systemctl restart nginx
Set caching
The Cache-Control HTTP header field holds directives (instructions) — in both requests and responses — that control caching in browsers and shared caches. We recommend setting the Cache-Control header to no-cache.
# Default Cache control
add_header Cache-Control "no-cache";
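The directives above (server_tokens, the HTTP to HTTPS redirect, ssl_protocols, ssl_prefer_server_ciphers, HSTS, CSP and Cache-Control) are easy to lose during a reinstall or a manual edit. The following POSIX shell script is an added example, not part of the SaltMiner package, that statically checks an nginx configuration for each of them. The nginx.conf fragment embedded in it is constructed for the demonstration; the check patterns and the "no SSLv2/SSLv3 in ssl_protocols" rule are the script's own assumptions about what "present and correctly set" means.

```shell
#!/bin/sh
# Added example: static checks for the hardening directives recommended above.
# Not part of SaltMiner; the sample configuration below is constructed for the demo.

SAMPLE_CONF=$(cat <<'EOF'
# constructed nginx.conf fragment with every recommended directive present
server_tokens off;
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header Content-Security-Policy "default-src 'self';" always;
    add_header Cache-Control "no-cache";
}
EOF
)

# Drop '#' comments so a commented-out directive is not mistaken for an active one.
# (Crude: it would also cut a '#' inside a quoted value; none of these directives use one.)
strip_comments() { sed 's/#.*$//'; }

# has_directive CONF ERE -> success if any uncommented line of CONF matches ERE
has_directive() {
    printf '%s\n' "$1" | strip_comments | grep -Eq "$2"
}

# ssl_protocols_ok CONF -> success if ssl_protocols is set and lists no SSLv2/SSLv3
ssl_protocols_ok() {
    has_directive "$1" '^[[:space:]]*ssl_protocols[[:space:]]' &&
        ! has_directive "$1" '^[[:space:]]*ssl_protocols[^;]*SSLv[23]'
}

# check_conf CONF -> prints one PASS/FAIL line per check, returns the number of failures
check_conf() {
    conf=$1
    fails=0
    # check LABEL CMD ARGS... -> run the check command and record its result
    check() {
        label=$1; shift
        if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fails=$((fails + 1)); fi
    }
    check "server_tokens off"                has_directive "$conf" '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;'
    check "HTTP to HTTPS redirect"           has_directive "$conf" 'return[[:space:]]+301[[:space:]]+https://\$host\$request_uri'
    check "ssl_protocols without SSLv2/SSLv3" ssl_protocols_ok "$conf"
    check "ssl_prefer_server_ciphers on"     has_directive "$conf" '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on'
    check "HSTS header with max-age"         has_directive "$conf" 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]+"max-age=[0-9]+"'
    check "Content-Security-Policy header"   has_directive "$conf" 'add_header[[:space:]]+Content-Security-Policy[[:space:]]+"'
    check "Cache-Control no-cache"           has_directive "$conf" 'add_header[[:space:]]+Cache-Control[[:space:]]+"no-cache"'
    return "$fails"
}

# Run against the constructed sample: every check passes, so the return code is 0.
check_conf "$SAMPLE_CONF"
```

To audit the live file, call check_conf "$(cat /etc/nginx/nginx.conf)" (plus any files it includes) and treat a non-zero return code as a failed gate; the HSTS pattern deliberately requires straight ASCII quotes, because a value wrapped in typographic quotes is passed to the browser verbatim and is not a valid header value.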
Mozilla provides recommended settings with various parameters here: https://ssl-config.mozilla.org/
Note: Further details for the nginx installation can be found at nginx.org
Other notes on Manual Installation or reinstallation for Nginx:
© Copyright Saltworks Security 2022