Web Server Security 2026
Nginx Hardening
Enterprise Web Server Security
TLS 1.3, Security Headers, Rate Limiting, ModSecurity, Brotli, OCSP Stapling & CIS Benchmarks
TLS 1.3HSTSCSPModSecurity
Nginx Security Grundlagen
Nginx ist der meistgenutzte Web Server weltweit. Falsche Konfiguration führt zu Datenlecks, DDoS-Anfälligkeit und Compliance-Verstößen. Dieser Guide zeigt Production-Grade Hardening.
Risiken
- • Weak TLS/SSL
- • Missing Headers
- • No Rate Limiting
- • Version Leakage
Schutz
- • TLS 1.3 Only
- • Security Headers
- • Rate Limiting
- • WAF Integration
Compliance
- • PCI DSS
- • SOC 2
- • CIS Benchmark
- • GDPR
TLS 1.3 Konfiguration
nginx.conf - SSL/TLS Hardening
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
# SSL Certificates
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
# TLS 1.3 Only (Disable older versions)
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# TLS 1.3 Ciphers (automatic, but explicit for compliance)
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
# Session Configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/chain.crt;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;
}Rate Limiting & DDoS Protection
Rate Limiting Config
# Rate Limit Zones (http block)
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
# General rate limiting
location / {
limit_req zone=general burst=20 nodelay;
limit_conn addr 10;
proxy_pass http://backend;
}
# API stricter limits
location /api/ {
limit_req zone=api burst=10 nodelay;
proxy_pass http://api_backend;
}
# Login very strict
location /login {
limit_req zone=login burst=3 nodelay;
proxy_pass http://auth_backend;
}
# Return 429 instead of 503
limit_req_status 429;
limit_conn_status 429;
}ModSecurity WAF Integration
ModSecurity + OWASP CRS
# Build Nginx with ModSecurity
# ./configure --add-module=/path/to/ModSecurity-nginx
server {
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;
location / {
proxy_pass http://backend;
}
}
# /etc/nginx/modsecurity.conf
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecResponseBodyAccess On
SecResponseBodyLimit 524288
# Include OWASP CRS
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.confBrotli Compression
Brotli Config (better than gzip)
# http block
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css application/javascript application/json image/svg+xml;
# Static pre-compressed files
location ~ \.(css|js)$ {
brotli_static on;
try_files $uri$ext $uri =404;
}
# Compare: gzip vs brotli
# CSS: 14KB → gzip 4KB → brotli 2.5KB
# JS: 50KB → gzip 15KB → brotli 10KBNginx Security Assessment
Validieren Sie Ihre Nginx-Konfiguration gegen CIS Benchmarks.
Security Check