Usa SSL
[[HTTPS con Certbot]].
Desactiva la versiĆ³n de nginx
http {
server_tokens off;
# Other HTTP configurations options
}Desactiva las versiones TLS antiguas
http {
server {
ssl_protocols TLSv1.2 TLSv1.3;
}
}Define el set de cifrados
http {
server {
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
}
}Bloquea exploits comunes
/etc/nginx/conf.d/block_common_exploits.conf:
map $request_uri $is_blocked_common_exploits_path {
"~*//" 1;
"~*(boot.ini|etc/passwd|self/environ)" 1;
"~*(%2e%2e|%252e%252e|%u002e|%c0%2e)" 1;
"~*(\.\./\.\./|\.\.\.|%252e%252e%252e)" 1;
"~*(~|`|<|>|:|;|{|}|\[|\]|\(|\))" 1;
default 0;
}/etc/nginx/nginx.conf: