Close access to files that may be of high interest:
location ~ /.svn/ {
deny all;
}
You can allow/deny access to files only from certain ip-addresses using allow and deny directives:
location /server-status {
allow 111.111.111.111;
allow 11.11.11.11;
deny all;
}
You can also use directives auth_basic and auth_basic_user_file to differentiate access to files - in this case user will have to enter login/password for access:
location /admin/ {
auth_basic "Enter password to access";
auth_basic_user_file /etc/nginx/basic.auth;
}
You can also combine these two methods:
location /admin/ {
satisfy any;
allow 111.111.111.111;
allow 11.11.11.11;
deny all;
auth_basic "Enter password to access";
auth_basic_user_file /etc/nginx/basic.auth;
}
To protect against requests to non-existent files on Nginx you can do the following:
location ~\.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {
try_files $uri =404;
}
After that we restart Nginx with one of the commands:
systemctl reload nginx
service nginx reload
Depending on the specific IP address, Nginx can perform actions such as redirecting:
location / {
if ($remote_addr != 111.111.111.111) {
return 301 https://$host$request_uri;
}
}
- In this example we redirect all visitors to the path https://$host$request_uri, except requests from IP-address 111.111.111.111.
Protection against password brute-forcing can be arranged using iptables:
Blocking IP for a time if the number of requests per second exceeds a reasonable amount
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW
-m recent --name bhttp --set
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW
-m recent --name bhttp --update --seconds 120
--hitcount 360 -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -j ACCEPT