Security Hardening
Defend against brute-force and DDoS attacks using Rate Limiting and Fail2ban.
Rate Limiting
Protect the server from excessive traffic by limiting the request rate.
Configuration Options
| Option | Description | Default |
|---|---|---|
| Requests Per Second (RPS) | Maximum requests allowed per second | 10 |
| Burst Size | Allowance for momentary traffic spikes | 20 |
| Limit Mode | IP, URI, IP+URI | IP |
| Response Code | Response returned when the limit is exceeded | 429 |
Limit Modes
| Mode | Description | When to Use |
|---|---|---|
| IP-based | Limit per client IP | General use |
| URI-based | Limit per request path | Protecting API endpoints |
| IP+URI | Combination of IP and URI | Fine-grained control |
Whitelisted IPs
Configure IPs that bypass Rate Limiting.
- Trusted internal IPs
- Monitoring system IPs
- Partner company IPs
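The three limit modes and the whitelist bypass, as an added example that is not the product's own code: a token bucket per key where Burst Size is the bucket capacity and RPS the refill rate (the keying and bucket semantics are assumptions; the option names and defaults come from the tables above).

```python
from dataclasses import dataclass, field

# Constructed example: one token bucket per limit key. "burst" is the bucket
# capacity, "rps" the refill rate, and the mode decides what the key is.

@dataclass
class RateLimiter:
    rps: float = 10.0
    burst: int = 20
    mode: str = "ip"                 # "ip", "uri" or "ip+uri"
    whitelist: frozenset = frozenset()
    response_code: int = 429
    _buckets: dict = field(default_factory=dict)   # key -> (tokens, last_ts)

    def _key(self, ip, uri):
        if self.mode == "ip":
            return ip
        if self.mode == "uri":
            return uri
        if self.mode == "ip+uri":
            return (ip, uri)
        raise ValueError(f"unknown limit mode: {self.mode}")

    def check(self, ip, uri, now):
        """Return 200 if the request is admitted, else the configured code."""
        if ip in self.whitelist:      # whitelisted IPs bypass the limiter entirely
            return 200
        key = self._key(ip, uri)
        tokens, last = self._buckets.get(key, (float(self.burst), now))
        # refill at rps tokens per second, never above the burst capacity
        tokens = min(float(self.burst), tokens + (now - last) * self.rps)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return 200
        self._buckets[key] = (tokens, now)
        return self.response_code
```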
Fail2ban Integration
Automatically block IPs based on failed requests.
Configuration Options
| Option | Description | Default |
|---|---|---|
| Max Retries | Number of failures allowed before blocking | 5 |
| Detection Window | Period over which failures are aggregated | 600s |
| Ban Duration | How long an IP stays blocked | 3600s |
| Trigger Status Codes | Status codes considered failures | 401, 403 |
How It Works
- The client receives a response with a configured status code
- Failures are aggregated within the detection window
- The IP is automatically blocked once max retries is exceeded
- The block is automatically lifted after the ban duration
Ban Types
| Type | Description |
|---|---|
| Temporary Ban | Automatically lifted after the configured duration |
| Permanent Ban | Requires manual removal |
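The detection flow above (trigger codes, sliding detection window, max retries, timed ban and automatic lift), as an added example rather than the product's implementation; the class and method names are assumptions, and recorded events use the action and source values from the IP block history table further down.

```python
from collections import defaultdict, deque

# Constructed example: count failing responses per IP inside a sliding window,
# ban when the allowed number of retries is exceeded, lift the ban on expiry.

class FailureBanner:
    def __init__(self, max_retries=5, window=600, ban_duration=3600,
                 trigger_codes=(401, 403)):
        self.max_retries = max_retries
        self.window = window
        self.ban_duration = ban_duration
        self.trigger_codes = set(trigger_codes)
        self._failures = defaultdict(deque)   # ip -> timestamps of failures
        self.bans = {}                        # ip -> expiry timestamp
        self.history = []                     # (time, ip, action, source)

    def _expire(self, now):
        # temporary bans are lifted once the ban duration has elapsed
        for ip, until in list(self.bans.items()):
            if until <= now:
                del self.bans[ip]
                self.history.append((now, ip, "unban", "expired"))

    def observe(self, now, ip, status):
        """Record one response; return True if the IP is banned afterwards."""
        self._expire(now)
        if ip in self.bans:
            return True
        if status not in self.trigger_codes:
            return False
        q = self._failures[ip]
        q.append(now)
        # drop failures that have fallen out of the detection window
        while q and q[0] <= now - self.window:
            q.popleft()
        # max_retries failures are allowed; the next one triggers the ban
        if len(q) > self.max_retries:
            self.bans[ip] = now + self.ban_duration
            self.history.append((now, ip, "ban", "fail2ban"))
            q.clear()
            return True
        return False

    def is_banned(self, ip, now):
        self._expire(now)
        return ip in self.bans
```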
IP Block Management
Blocked IP List
- View all currently blocked IPs
- Block source (Fail2ban, WAF, manual)
- Block time and expiration time
- Block reason
Manual IP Blocking
- Block an individual IP or CIDR range
- Permanent ban option
- Record block notes
IP Block History
All ban/unban events are recorded.
| Field | Description |
|---|---|
| Time | Time the event occurred |
| IP | Target IP address |
| Action | ban or unban |
| Source | fail2ban, waf_auto_ban, manual, api, expired |
| Reason | Block reason |
Block Statistics
- Total number of blocks
- Block distribution by source
- Block trends over time
- Block history for a specific IP
URI Blocking
Block access to specific URI patterns.
Per-Host URI Blocking
Configure independent URI blocking rules for each proxy host.
- Regular expression pattern support
- Wildcard support
- Priority configuration
Global URI Blocking
URI blocking rules applied commonly across all hosts.
- Block security vulnerability paths
- Protect admin pages
- Block access to sensitive files
URI Blocking Examples
```
# WordPress admin protection
/wp-admin/*
/wp-login.php

# Block sensitive files
/.env
/.git/*
/config/*

# Protect API endpoints
/api/internal/*
```
Exploit Blocking
Automatically block common attack patterns.
Rules are grouped by category and can be toggled per category or per rule.
Blocked Categories
| Category | Example Pattern |
|---|---|
| SQL Injection | UNION SELECT, ' OR '1'='1 |
| XSS / Code Injection | <script>, javascript: |
| Remote File Inclusion (RFI) | http://, php:// and other remote includes |
| Path Traversal | ../, ..%2f |
| Scanner / Tool Detection | Detection of known scanners and attack tools |
| HTTP Method | Block dangerous HTTP methods |
If a specific URI produces false positives, you can add a URI-scoped exception per rule so the rule is bypassed only on that path.
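How category toggles and URI-scoped per-rule exceptions interact, as an added example that is not the product's rule set: a handful of signatures in the categories listed above, matched against the decoded path and query (rule ids and the exact regexes are assumptions; a real rule set is far larger).

```python
import re
from urllib.parse import unquote

# Constructed example rules: (rule id, category, pattern on decoded path+query).
RULES = [
    ("sqli-union", "SQL Injection", re.compile(r"union\s+select", re.I)),
    ("sqli-tautology", "SQL Injection", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I)),
    ("xss-script", "XSS / Code Injection", re.compile(r"<script\b|javascript:", re.I)),
    ("rfi-scheme", "Remote File Inclusion (RFI)", re.compile(r"=(https?|php)://", re.I)),
    ("traversal", "Path Traversal", re.compile(r"\.\./")),
]

class ExploitBlocker:
    def __init__(self, disabled_categories=(), exceptions=None):
        self.disabled = set(disabled_categories)
        # rule id -> set of request paths on which that one rule is bypassed
        self.exceptions = exceptions or {}

    def match(self, path, query=""):
        """Return the id of the first enabled rule that matches, or None."""
        # decode once so encoded variants such as ..%2f are seen as ../
        target = unquote(path)
        if query:
            target += "?" + unquote(query)
        for rule_id, category, pattern in RULES:
            if category in self.disabled:          # whole category toggled off
                continue
            if path in self.exceptions.get(rule_id, ()):   # URI-scoped exception
                continue
            if pattern.search(target):
                return rule_id
        return None
```

A match would be answered with the configured block response; the exception keys on the raw request path, so the bypass applies only to that exact URI.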
Advanced Configuration Security
Blocking Dangerous Directives
Block security-risky directives in Nginx advanced configuration.
- load_module - Loading external modules
- lua_* - Executing Lua scripts
- perl_* - Executing Perl scripts
- js_* - Executing JavaScript
- Shell commands within proxy_pass
Configuration Validation
- Nginx configuration syntax check
- Security vulnerability pattern detection
- Dangerous configuration warnings
Config Rollback
Provides an automatic rollback mechanism to safely apply Nginx configuration changes.
How It Works
- Create Backup: Automatically back up the existing config file before making changes
- Generate New Config: Create a new Nginx config file with the changes
- Test Config: Check syntax and validity with nginx -t
- Conditional Apply: Run nginx -s reload only if the test passes
- Automatic Rollback: Immediately restore the backed-up config if the test fails
Rollback Targets
| File | Description |
|---|---|
| domain.conf | Proxy host configuration file |
| host_.conf | WAF configuration file (ModSecurity) |
| banned_ips.conf | IP block list |
| default.conf | Default server configuration |
Safety Guarantees
- Atomic Write: File writes with no intermediate state via temp file → fsync → rename
- Global Mutex: All Nginx operations are serialized with a mutex to prevent concurrent changes
- Fail-Safe: Never run an Nginx reload if nginx -t fails
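The backup, atomic write, test, reload-or-rollback sequence from the two sections above, as an added example that is not the product's own code; the global mutex is left out, and the validate/reload callables stand in for nginx -t and nginx -s reload so the flow can be exercised without a running Nginx.

```python
import os
import shutil
import subprocess
import tempfile
# Constructed example: backup -> atomic write -> test -> reload, or roll back.
# validate/reload are callables so real use can pass `nginx -t` / `nginx -s reload`.

def atomic_write(path, content):
    """Write via temp file -> fsync -> rename so no partial file is ever visible."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic rename within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise

def nginx_test(_path):
    """Default validator: `nginx -t` checks the whole running configuration."""
    return subprocess.run(["nginx", "-t"], capture_output=True).returncode == 0

def apply_config(path, new_content, validate=nginx_test, reload=None):
    """Return 'applied' or 'rolled_back'; the file on disk is valid either way."""
    backup, had_old = path + ".bak", os.path.exists(path)
    if had_old:
        shutil.copy2(path, backup)      # 1. back up the existing config
    atomic_write(path, new_content)     # 2. write the new config atomically
    if validate(path):                  # 3. syntax/validity test
        if reload:
            reload()                    # 4. e.g. `nginx -s reload`, only after a pass
        return "applied"
    if had_old:
        os.replace(backup, path)        # 5. restore the backup on failure
    else:
        os.unlink(path)
    return "rolled_back"

def demo_rollback():
    """A valid config is applied; an invalid one is rolled back and never reloaded."""
    path, reloads = os.path.join(tempfile.mkdtemp(), "domain.conf"), []
    first = apply_config(path, "server { listen 80; }\n",
                         validate=lambda _: True, reload=lambda: reloads.append(1))
    second = apply_config(path, "server { listen 80; broken\n",
                          validate=lambda _: False, reload=lambda: reloads.append(1))
    with open(path) as f:
        return first, second, f.read(), len(reloads)
```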
Security Headers
Security Header Presets
Provides predefined security header presets according to the security level.
| Preset | Security Level | Description |
|---|---|---|
| Strict | Highest | Includes HSTS preload, restrictive CSP, X-Frame-Options DENY |
| Moderate | Balanced | HSTS includeSubdomains, SAMEORIGIN, appropriate CSP |
| Relaxed | Compatibility | Basic security headers only, compatibility first |
Strict Preset
- HSTS: 1 year, includeSubDomains, preload enabled
- X-Frame-Options: DENY
- Content-Security-Policy: allow self source only
- Permissions-Policy: disable camera, microphone, etc.
Moderate Preset
- HSTS: 1 year, includeSubDomains, preload disabled
- X-Frame-Options: SAMEORIGIN
- Referrer-Policy: strict-origin-when-cross-origin
Relaxed Preset
- HSTS: 1 day, includeSubDomains disabled
- X-Frame-Options: SAMEORIGIN
- Referrer-Policy: no-referrer-when-downgrade
Custom Headers
In addition to presets, you can customize individual headers.
HSTS (HTTP Strict Transport Security)
```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
Content Security
| Header | Description |
|---|---|
| X-Content-Type-Options | nosniff - Prevents MIME sniffing |
| X-Frame-Options | DENY or SAMEORIGIN - Prevents clickjacking |
| X-XSS-Protection | 1; mode=block - XSS filter |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | Controls access to browser features |
Content-Security-Policy
- Restrict script sources
- Restrict style sources
- Restrict frame sources
- Restrict form actions
TLS Security
Protocol Versions
- Allow only TLS 1.2 and above
- Disable SSL 2.0/3.0, TLS 1.0/1.1
Cipher Suites
- Allow only strong encryption algorithms
- Disable weak ciphers
- Forward Secrecy support
OCSP Stapling
- Optimizes certificate status checking
- Protects client privacy