NGINX Use Case: Security

Introduction

This page presents use cases for deploying NGINX to increase the security of one or more web or application servers. NGINX is a free, open-source software package which can act as a web server, reverse proxy server, and load balancer. Beyond its security benefits, NGINX has been designed for high performance, even under heavy traffic loads.

Use Case: Security

The users in the following scenarios are network and systems administrators in charge of one or more web or application servers. The users are faced with common security issues which they wish to prevent or solve.

The solutions in the following scenarios can be customized for any combination of servers:

  • Web servers
  • Application servers
  • A single stand-alone server
  • A cluster of servers

Scenario 1: Abstraction Layer

In this scenario, the user wants an abstraction layer between the public internet and the cluster of web and application servers which will be providing content. An abstraction layer adds an extra layer of security between the public internet and the content servers.

There are many ways in which this additional layer can increase security. NGINX can be configured to disable unwanted HTTP methods, pre-check requests for the correct syntax before passing them to application servers, inject custom HTTP headers to prevent "clickjacking" and cross-site scripting attacks, and more.

Scenario 2: Mask the IP Address and Server Details

In this scenario, the user wants to hide the source server's IP address and server details such as the operating system, PHP version, etc.

Using NGINX as a reverse proxy will hide the IP address of the source server or servers which NGINX is proxying. This simple step can help prevent many basic attacks and detection methods, and can protect servers which are not or should not be public-facing, while still delivering content from those servers.

Scenario 3: Mitigate DoS and DDoS Attacks

In this scenario, the user wants to mitigate the damage caused by application-layer (HTTP) Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. In these attacks, a large volume of HTTP requests is sent to a server. Without mitigation, this high volume of traffic can quickly overwhelm a server and prevent new connections from valid visitors, thus taking the server offline.

NGINX is inherently capable of handling DoS and DDoS attacks well, as it has been designed to manage large volumes of requests with ease. Additionally, NGINX can be configured to act as a "traffic cop," monitoring and limiting traffic by IP address. NGINX can restrict the number of requests and/or connections by IP address to the rate expected from a real user. This prevents malicious bots from overwhelming the server with requests.

NGINX can also be configured to limit buffer size. This prevents buffer overflow attacks, which are often a component of DoS and DDoS attacks.
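
The measures named in Scenarios 1 to 3, gathered into one reverse-proxy configuration as an added example (it is not from the original article or from the NGINX project). The server name, upstream addresses, allowed methods, rates and buffer sizes are constructed values chosen for illustration.

```nginx
# Added example: all names, addresses and limits below are assumptions.
events {}

http {
    server_tokens off;    # Scenario 2: omit the NGINX version from headers and error pages

    # Scenario 3: track requests and connections per client IP address
    limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

    # Scenario 3: cap the buffers and body size a single request may consume
    client_header_buffer_size   1k;
    large_client_header_buffers 4 8k;
    client_body_buffer_size     16k;
    client_max_body_size        1m;

    upstream app_backend {            # hypothetical internal content servers
        server 10.0.0.11:8080;
        server 10.0.0.12:8080;
    }

    server {
        listen 80;
        server_name www.example.com;  # placeholder name

        # Scenario 1: reject HTTP methods the application does not use
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        # Scenario 1: headers against clickjacking and cross-site scripting
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Content-Security-Policy "default-src 'self'" always;

        location / {
            limit_req  zone=per_ip_req burst=20 nodelay;  # short bursts allowed
            limit_conn per_ip_conn 10;
            limit_req_status  429;
            limit_conn_status 429;

            proxy_hide_header X-Powered-By;  # Scenario 2: drop the backend's PHP/framework banner
            proxy_set_header  Host $host;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_pass http://app_backend;   # clients only ever see the proxy's address
        }
    }
}
```

Validate the file with `nginx -t` before reloading. Clients behind a shared NAT or corporate proxy arrive from one IP address, so set the per-IP rate and connection limits from observed traffic rather than from a single user's expected rate.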
