Nginx is a robust web server and reverse proxy that also functions as a powerful access control gateway. When exposing sensitive areas like admin dashboards, internal APIs, or dev environments, it’s vital to apply layered security.
This guide walks you through installing Nginx on an Ubuntu server and then applying each of the following protection mechanisms:
- Installation
- IP Whitelisting
- Basic Authentication
- Rate Limiting
- SSL/TLS Encryption
1. Installation
To install Nginx on an Ubuntu server, follow these steps:
- Update the package list:
```bash
sudo apt update
```
- Install Nginx:
```bash
sudo apt install nginx
```
- Check that the default configuration is present in `/etc/nginx/sites-available/default.conf` (the stock Ubuntu package ships this file as `default`, without the `.conf` suffix; use whichever name your installation has in the commands below).
- Check the symbolic link to the default configuration:
```bash
sudo ls -l /etc/nginx/sites-enabled/
```
- Test the default configuration:
```bash
sudo nginx -t
```
- Reload Nginx to apply changes:
```bash
sudo systemctl reload nginx
```
- Check in a browser that `http://localhost` is working.
2. IP Whitelisting
This will restrict access to trusted IPs only. Nginx evaluates `allow` and `deny` rules in the order they are written and stops at the first match, so the `deny all` line must come last. If Nginx sits behind another proxy or load balancer, the address it compares is that proxy's address unless the real client IP is restored first (for example with `ngx_http_realip_module`).
- Open the Nginx configuration file:
```bash
sudo nano /etc/nginx/sites-available/default.conf
```
- Add the following lines to the `server` block:
```nginx
server {
    listen 80;
    server_name example.com;

    location / {
        allow 192.168.1.100;
        allow 192.168.1.101;
        deny all;
        proxy_pass http://localhost:8080;
    }
}
```
- Save and exit the file.
- Test the configuration:
```bash
sudo nginx -t
```
- Reload Nginx to apply changes:
```bash
sudo systemctl reload nginx
```
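The first-match rule above is the one thing that most often goes wrong with `allow`/`deny` lists. The following script is an added example, not code from the guide or from Nginx itself: it models the documented evaluation order of `ngx_http_access_module` in Python so you can check a rule list offline before reloading. The rule list and the client addresses are constructed sample values copied from the snippet above; the `audit` helper is my own addition that flags rules an earlier rule makes unreachable.

```python
"""Model of how nginx's access module evaluates allow/deny rules.

Added example, not part of the original guide and not nginx's code: it
mirrors the first-match semantics documented for ngx_http_access_module
so the ordering of a rule list can be checked offline.
"""
import ipaddress

# Rules exactly as written in the guide's location block (constructed copy).
RULES = [
    ("allow", "192.168.1.100"),
    ("allow", "192.168.1.101"),
    ("deny", "all"),
]


def parse_rule(action, target):
    """Turn one allow/deny line into (action, network-or-None)."""
    if target == "all":
        return action, None
    # A bare address is treated as a /32 (or /128); CIDR is accepted too.
    return action, ipaddress.ip_network(target, strict=False)


def decide(client_ip, rules):
    """Return 'allow' or 'deny' for client_ip using first-match semantics.

    nginx checks rules in the order they appear and stops at the first one
    that matches; if nothing matches, the request is allowed.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, target in (parse_rule(a, t) for a, t in rules):
        if target is None or (ip.version == target.version and ip in target):
            return action
    return "allow"  # no rule matched: nginx lets the request through


def audit(rules):
    """Return indexes of rules that can never match.

    A rule is shadowed when an earlier rule is 'all' or a network that fully
    contains it; 'deny all' placed before the allows is the classic mistake
    and silently locks every client out.
    """
    parsed = [parse_rule(a, t) for a, t in rules]
    shadowed = []
    for i, (_, target) in enumerate(parsed):
        for _, earlier in parsed[:i]:
            if earlier is None or (
                target is not None
                and earlier.version == target.version
                and target.subnet_of(earlier)
            ):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for ip in ("192.168.1.100", "192.168.1.102", "10.0.0.5"):
        print(ip, "->", decide(ip, RULES))
    print("unreachable rules:", audit([("deny", "all"), ("allow", "192.168.1.100")]))
```

Run it with a rule list taken from your own configuration; a non-empty result from `audit` means a line in the `location` block will never take effect.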
3. Basic Authentication
This will add password protection using `htpasswd`.
- Install `htpasswd`:
```bash
sudo apt install apache2-utils
```
- Create a password file (the `-c` flag creates the file and overwrites an existing one, so drop it when adding further users):
```bash
sudo htpasswd -c /etc/nginx/.htpasswd admin
```
- Open the Nginx configuration file:
```bash
sudo nano /etc/nginx/sites-available/default.conf
```
- Add the following lines to the `server` block:
```nginx
server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://localhost:8080;
    }

    location /admin {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:3000;
    }
}
```
- Save and exit the file.
- Test the configuration:
```bash
sudo nginx -t
```
- Reload Nginx to apply changes:
```bash
sudo systemctl reload nginx
```
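To see what `auth_basic` actually checks, here is an added example (not code from the guide or from Nginx) that builds the `Authorization` header a browser sends and verifies it against htpasswd-style entries in the `{SHA}` format, which `htpasswd -s` writes and Nginx accepts alongside its MD5-based default. The user name and password are constructed sample values. The point the script makes plain is that the header carries the credentials merely base64-encoded, which is why section 5 of this guide matters: without TLS, Basic authentication sends the password in the clear.

```python
"""How HTTP Basic authentication is carried and checked.

Added example, not part of the guide and not nginx's code. It produces
'{SHA}' htpasswd entries (base64 of SHA-1(password)), builds the header a
client sends, and checks one against the other the way a server would.
"""
import base64
import hashlib
import hmac


def sha_htpasswd_entry(user, password):
    """Produce a 'user:{SHA}...' htpasswd line: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def authorization_header(user, password):
    """What the client sends: only base64-encoded, not encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_authorization(header):
    """Recover (user, password) from a 'Basic ...' header; None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_credentials(header, htpasswd_lines):
    """Return True if the header's credentials match a {SHA} entry."""
    creds = parse_authorization(header)
    if creds is None:
        return False
    user, password = creds
    presented = sha_htpasswd_entry(user, password).split(":", 1)[1]
    for line in htpasswd_lines:
        name, _, stored = line.strip().partition(":")
        if name == user and stored.startswith("{SHA}"):
            # constant-time compare so timing does not leak how much matched
            return hmac.compare_digest(stored, presented)
    return False


# Constructed sample password file with one user (not a real credential).
HTPASSWD = [sha_htpasswd_entry("admin", "correct horse battery staple")]

if __name__ == "__main__":
    header = authorization_header("admin", "correct horse battery staple")
    print(header)                              # base64 of 'admin:...'
    print(base64.b64decode(header.split()[1]))  # the plaintext anyone on the path can read
    print(check_credentials(header, HTPASSWD))
```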
4. Rate Limiting
This will limit the number of requests per IP address.
- Open the Nginx configuration file:
```bash
sudo nano /etc/nginx/sites-available/default.conf
```
- Write the following lines to rate-limit by client IP address. `rate=5r/m` allows 5 requests per minute from each address, and `burst=3` lets up to 3 additional requests through before further ones are rejected with a 503; `nodelay` serves those burst requests immediately instead of queueing them. The `limit_req_zone` directive must sit outside the `server` block (the site file is included into the `http` context, so the top of the file is the right place):
```nginx
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=5r/m;

server {
    listen 80;
    server_name example.com;

    location / {
        limit_req zone=auth_limit burst=3 nodelay;
        proxy_pass http://localhost:8080;
    }
}
```
- Write the following lines if you want to rate-limit by User-Agent instead. The zone is then keyed on `$http_user_agent` rather than the client address; because that header is chosen by the client, this only shares load fairly between well-behaved agents and should be combined with the IP-based limit above. Requests with an empty `User-Agent` are not counted at all, since Nginx does not account requests whose key is empty:
```nginx
limit_req_zone $http_user_agent zone=user_agent_limit:10m rate=10r/m;

server {
    listen 80;
    server_name example.com;

    location / {
        limit_req zone=user_agent_limit burst=5 nodelay;
        proxy_pass http://localhost:8080;
    }
}
```
- Save and exit the file.
- Test the configuration:
```bash
sudo nginx -t
```
- Reload Nginx to apply changes:
```bash
sudo systemctl reload nginx
```
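The interaction of `rate`, `burst` and `nodelay` is easier to see by running the arithmetic than by reading the directive. The script below is an added example, not code from the guide or from Nginx: it reproduces the accounting of `ngx_http_limit_req_module` as I understand it (rate stored as integer milli-requests per second, each request adding 1000 to a per-key "excess" counter that drains at the configured rate, and a reject once excess would exceed `burst * 1000`). Only the `nodelay` mode used by the guide is modelled; the zone parameters and request timestamps are constructed sample values.

```python
"""Model of nginx's limit_req accounting (leaky bucket in milli-requests).

Added example, not nginx's code and not part of the guide; it mirrors the
integer arithmetic of ngx_http_limit_req_module as I understand it.
"""


class LimitReqZone:
    def __init__(self, rate_per_minute, burst):
        # nginx converts '5r/m' to integer milli-requests per second: 5*1000//60
        self.rate = rate_per_minute * 1000 // 60
        self.burst = burst * 1000
        self.state = {}  # key -> (excess, last_ms)

    def check(self, key, now_ms):
        """Return True if the request is accepted, False if it would get a 503."""
        if key not in self.state:
            # first request ever seen from this key: accepted, excess starts at 0
            self.state[key] = (0, now_ms)
            return True
        excess, last = self.state[key]
        elapsed = max(0, now_ms - last)
        # drain what the configured rate allows, then charge this request
        excess = excess - self.rate * elapsed // 1000 + 1000
        excess = max(0, excess)
        if excess > self.burst:
            return False  # rejected; the stored state is left untouched
        # with nodelay the accepted request is served at once, nothing is queued
        self.state[key] = (excess, now_ms)
        return True


def simulate(zone, requests):
    """requests: list of (key, time_ms); returns the accept decision per request."""
    return [zone.check(key, t) for key, t in requests]


if __name__ == "__main__":
    zone = LimitReqZone(rate_per_minute=5, burst=3)  # the guide's auth_limit zone
    # six requests from one constructed address at the same instant
    print(simulate(zone, [("192.168.1.100", 0)] * 6))      # 4 accepted, then 2 rejected
    # one minute later the bucket has drained and the same pattern repeats
    print(simulate(zone, [("192.168.1.100", 60000)] * 5))  # 4 accepted, 1 rejected
```

The first run shows why `burst=3` admits four requests, not three: the first request fits within the rate itself and the three burst slots sit on top of it. A second address has its own counter, so one noisy client does not consume another's allowance.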
5. SSL/TLS Encryption
This will encrypt traffic between clients and the server.
- Generate a self-signed certificate if you don't have a valid one (browsers will warn about it, so it is suitable for testing only; use a CA-issued certificate for anything public):
```bash
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
```
- Open the Nginx configuration file:
```bash
sudo nano /etc/nginx/sites-available/default.conf
```
- Add the following lines to the `server` block:
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    location / {
        proxy_pass http://localhost:8080;
    }
}
```
- Save and exit the file.
- Test the configuration:
```bash
sudo nginx -t
```
- Reload Nginx to apply changes:
```bash
sudo systemctl reload nginx
```
6. Let's Combine Them Together
The combined configuration below serves only `/admin` over HTTPS and redirects plain HTTP to it; add a `location /` block if the rest of the site should still be reachable. Note that `limit_req` runs in an earlier request phase than `allow`/`deny` and `auth_basic`, so every request counts towards the rate limit, including those that are then refused by the IP or password checks.
- Open the Nginx configuration file:
```bash
sudo nano /etc/nginx/sites-available/default.conf
```
- Add the following lines to the file:
```nginx
# Rate limiting
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=5r/m;

# server block
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    location /admin {
        allow 192.168.1.100;
        allow 192.168.1.101;
        deny all;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        limit_req zone=auth_limit burst=3 nodelay;
        proxy_pass http://localhost:3000;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```
- Save and exit the file.
- Test the configuration:
```bash
sudo nginx -t
```
- Reload Nginx to apply changes:
```bash
sudo systemctl reload nginx
```