Nginx Security Configuration: Rate Limiting, Access Restrictions, DDoS Mitigation, and SSL/TLS Hardening
This article explains how to secure an Nginx web server by configuring rate limiting, restricting access to sensitive directories, mitigating DDoS attacks, and strengthening SSL/TLS settings, providing detailed code examples and annotations for each security measure.
With the growth of the Internet, web servers have become essential components of most website architectures, and Nginx is a high‑performance server widely used across sites of all scales. Proper security configuration is crucial to protect a website from attacks and malicious requests.
1. Rate Limiting – To stop a single client from exhausting server resources, use Nginx's limit_req and limit_conn modules. limit_req caps the request rate per key, for example 30 requests per minute (the 30r/m in the zone below, i.e. one request every two seconds) with a burst of 5 extra requests; limit_conn caps the number of simultaneous connections per key.
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
    server {
        location / {
            limit_req zone=one burst=5 nodelay;
            # other configuration
        }
    }
}
Explanation: limit_req_zone defines a 10 MiB shared-memory zone named one, keyed by the client's IP address in binary form (4 or 16 bytes rather than a string) and draining at 30 requests per minute; one megabyte holds roughly 16,000 states, so 10 MiB tracks around 160,000 addresses. limit_req applies the zone: the first request after the bucket empties is served at once, up to 5 more above the rate are tolerated, and nodelay serves those immediately instead of queueing them at two-second spacing. Anything beyond the burst is rejected with 503 by default; set limit_req_status 429 if clients should see "Too Many Requests" instead. One caveat: behind a load balancer or CDN, $binary_remote_addr is the proxy's address, so every client shares one bucket. Enable the ngx_http_realip_module (set_real_ip_from for the trusted proxy ranges, real_ip_header X-Forwarded-For) before keying on the client address, and only trust that header from those proxies. limit_conn_zone and limit_conn work the same way for concurrent connections.
http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        location / {
            limit_conn addr 10;
            # other configuration
        }
    }
}
Explanation: each client address may hold at most 10 simultaneous connections in this location; the eleventh is refused with 503 (limit_conn_status). Nginx counts a connection against the limit only once it has read the full request header, so this limits request parallelism rather than raw TCP connections.
2. Denying Access to Certain Directories and Files – Sensitive files such as configuration or data files should not be publicly accessible, and neither should hidden files such as version-control metadata or dotfiles left in the web root. Nginx can deny requests to hidden files and specific directories.
http {
    server {
        location ~ /\. {
            deny all;
        }
        location ~* ^/(dir1|dir2|dir3)/ {
            deny all;
            return 404;
        }
    }
}
Explanation: The first location matches any path component that begins with a dot (for example /.git/config or /app/.env) and denies it, which returns 403 by default. It also blocks /.well-known/, which ACME clients such as Let's Encrypt's HTTP-01 validation need; if you rely on that, define a separate location ^~ /.well-known/ for it, since a ^~ prefix match stops regex locations from being considered at all. The second location matches URIs starting with /dir1/, /dir2/ or /dir3/ case-insensitively (~*) and answers 404, which hides the directory's existence rather than confirming it with 403. Be aware that return runs in the rewrite phase, before the access phase in which deny is evaluated, so here the 404 always wins and deny all never takes effect; return 404 alone is enough. Regex locations are tested in the order they appear, so keep these denials above any broader regex locations that might otherwise match first.
3. DDoS Protection – To blunt large-scale request floods at the application layer, the same limit_conn and limit_req modules can be combined with stricter limits. Keep the scope in mind: these limits protect worker processes and upstreams from being saturated with requests (HTTP floods, slow clients), but they cannot help against volumetric attacks that fill the network link before traffic reaches Nginx; those need filtering upstream at the provider or a scrubbing service.
http {
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
    server {
        location / {
            limit_conn conn_limit 10;
            limit_req zone=req_limit burst=20;
            # other configuration
        }
    }
}
Explanation: The zones allocate 10 MiB each; each client address is limited to 10 requests per second and 10 concurrent connections. This limit_req has no nodelay, so up to 20 requests above the rate are not rejected but queued and released at the configured rate, 100 ms apart, which means the last queued request waits up to two seconds; only requests beyond the burst get 503. That smooths bursts from legitimate clients, but each queued request also occupies a connection for the duration of its delay. If the goal is to shed excess load quickly rather than smooth it, add nodelay so the burst is served at once and anything further is rejected immediately. Consider lowering limit_req_log_level from its default of error so that a flood does not also fill the error log.
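The behaviour of the two limit_req settings used in sections 1 and 3 (30r/m burst=5 nodelay, and 10r/s burst=20 without nodelay) is easier to see when the leaky bucket is written out. The following Python model is an added illustration for this article, not nginx code; it reproduces the module's arithmetic (state per key in thousandths of a request, drained at the configured rate, with burst as the tolerated excess). The client and proxy addresses are constructed sample values from the RFC 5737 documentation ranges.

```python
"""
Model of nginx's limit_req leaky bucket (ngx_http_limit_req_module), written
for this article as an added illustration; it is not nginx code. It mirrors the
module's bookkeeping: per-key state in units of 1/1000 request, a bucket that
drains at `rate`, `burst` as the tolerated excess, and `nodelay` deciding
whether excess within the burst is served at once or queued.
"""
from __future__ import annotations


def parse_rate(rate: str) -> int:
    """Convert an nginx rate ('30r/m', '10r/s') to milli-requests per second."""
    if rate.endswith("r/s"):
        return int(rate[:-3]) * 1000
    if rate.endswith("r/m"):
        return int(rate[:-3]) * 1000 // 60
    raise ValueError(f"unsupported rate: {rate}")


class LimitReq:
    """One limit_req_zone plus the limit_req directive that uses it."""

    def __init__(self, rate: str, burst: int = 0, nodelay: bool = False):
        self.rate_ms = parse_rate(rate)   # drain rate, milli-requests per second
        self.burst_ms = burst * 1000      # tolerated excess above the rate
        self.nodelay = nodelay
        self.state = {}                   # key -> [excess, last_ms]

    def request(self, key: str, now_ms: int) -> tuple[str, int]:
        """Classify one request as ('pass', 0), ('delay', ms) or ('reject', 0).

        'reject' is what nginx answers with limit_req_status (503 by default).
        """
        st = self.state.get(key)
        if st is None:
            # First request from this key: empty bucket, served immediately.
            self.state[key] = [0, now_ms]
            return ("pass", 0)
        excess, last = st
        elapsed = max(0, now_ms - last)
        # Drain what the rate allowed since the last request, then add this one.
        excess = max(0, excess - self.rate_ms * elapsed // 1000 + 1000)
        if excess > self.burst_ms:
            # Over the burst: rejected, and nginx leaves the stored state as is.
            return ("reject", 0)
        st[0] = excess
        if elapsed:
            st[1] = now_ms
        if excess == 0 or self.nodelay:
            return ("pass", 0)
        # Within the burst without nodelay: queued until the bucket has drained.
        return ("delay", excess * 1000 // self.rate_ms)


def simulate(limiter: LimitReq, arrivals: list[tuple[str, int]]) -> dict[str, int]:
    """Feed (key, arrival_ms) pairs through the limiter and tally the verdicts."""
    tally = {"pass": 0, "delay": 0, "reject": 0}
    for key, t in arrivals:
        tally[limiter.request(key, t)[0]] += 1
    return tally


# Constructed traffic: three clients (RFC 5737 addresses), four requests each at t=0.
CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
PER_CLIENT = [(ip, 0) for ip in CLIENTS for _ in range(4)]
# The same traffic as nginx keys it behind a load balancer that is not unwrapped
# with the realip module: every request carries the proxy's address.
VIA_PROXY = [("198.51.100.1", 0) for _ in PER_CLIENT]


def compare_keying() -> tuple[dict[str, int], dict[str, int]]:
    """Section 1 settings (30r/m, burst=5, nodelay) keyed per client vs. per proxy."""
    direct = simulate(LimitReq("30r/m", burst=5, nodelay=True), PER_CLIENT)
    proxied = simulate(LimitReq("30r/m", burst=5, nodelay=True), VIA_PROXY)
    return direct, proxied


if __name__ == "__main__":
    # Section 3 settings: 10r/s, burst=20, no nodelay; 25 requests at once.
    lim = LimitReq("10r/s", burst=20)
    print("10r/s burst=20, 25 at once:", simulate(lim, [("192.0.2.10", 0)] * 25))
    # Two seconds later the bucket has drained 20 requests; the next is queued 100 ms.
    print("next request after 2 s:", lim.request("192.0.2.10", 2000))
    direct, proxied = compare_keying()
    print("per-client key:", direct)
    print("shared proxy key:", proxied)
```

Running it shows that 25 simultaneous requests against 10r/s burst=20 yield 1 served immediately, 20 queued (100 ms apart, the last after 2 s) and 4 rejected, while the section 1 settings serve 6 requests at once and reject the rest. The final comparison is the proxy caveat from section 1: the same 12 requests that all pass when keyed per client collapse onto one key behind an un-unwrapped load balancer, and half of them are rejected.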
4. Enabling HTTPS and Strengthening SSL/TLS – Encrypting traffic protects data in transit. Nginx can terminate TLS, redirect plain HTTP to HTTPS, and set security-related response headers.
http {
    server {
        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com www.example.com;
        ssl_certificate /etc/ssl/example.com/fullchain.pem;
        ssl_certificate_key /etc/ssl/example.com/privkey.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES128:EDH+AESGCM:EDH+CHACHA20:EDH+AES128:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!DSS:!SRP:!kECDH:!CAMELLIA:!SEED:!IDEA:!3DES';
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        # other configuration
    }
}
Explanation: The first server block redirects every HTTP request to HTTPS. It uses $server_name, which expands to the first name in the server_name list, so a request for www.example.com is redirected to example.com; use $host instead if each hostname should keep its own name. The second block serves TLS on port 443 with HTTP/2 (on Nginx 1.25.1 or newer the http2 parameter of listen is deprecated in favour of a separate http2 on; directive), names the certificate chain and private key, keeps a 50 MB shared session cache with a one-day lifetime, and disables session tickets, which avoids a long-lived ticket-encryption key that would undermine forward secrecy if it leaked. ssl_dhparam supplies the group for the EDH suites (generate it with openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 or larger); ECDHE and TLS 1.3 do not use it. ssl_protocols restricts negotiation to TLS 1.2 and 1.3. Two points about the cipher list: the three TLS_* names at the front are TLS 1.3 suites, which OpenSSL does not configure through ssl_ciphers (it ignores names it does not recognise); TLS 1.3 suites are enabled by default and can be set with ssl_conf_command Ciphersuites on Nginx 1.19.4 or newer. And RSA+AESGCM admits suites with static RSA key exchange, which have no forward secrecy; drop it unless you must support clients without ECDHE. ssl_prefer_server_ciphers on makes the server's order win. The headers: HSTS tells browsers to use HTTPS only for one year (add includeSubDomains once every subdomain serves HTTPS); X-Content-Type-Options stops MIME sniffing; X-Frame-Options SAMEORIGIN blocks clickjacking by framing (frame-ancestors in Content-Security-Policy is the modern equivalent); X-XSS-Protection is a legacy header that current browsers ignore, so a Content-Security-Policy is what actually mitigates XSS today. Note also that add_header is not merged across levels: a location block that defines its own add_header inherits none of the headers set here, so repeat them (or include a shared snippet) wherever add_header is used.
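To see what the ssl_ciphers string above really enables, run it through the local OpenSSL the way nginx does at startup. This Python audit is an added example for this article, not code from the page or from nginx; PFS_ONLY_CIPHERS is an assumed hardened variant that only drops RSA+AESGCM, and WEAK_MARKERS is my own list of legacy-algorithm substrings to look for.

```python
"""
Offline audit of the ssl_protocols / ssl_ciphers values from the server block
above, added to this article as an illustration (not the article's or nginx's
own code). It hands the cipher string to the local OpenSSL through Python's
ssl module, the same library nginx asks to parse it at startup, and reports
what the string actually selects: OpenSSL expands aliases such as EECDH+AESGCM
and silently ignores names it does not know, including the TLS 1.3 suite
names, which ssl_ciphers does not control.
"""
from __future__ import annotations

import ssl

# ssl_ciphers value exactly as in the server block above.
NGINX_CIPHERS = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
    "EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES128:EDH+AESGCM:EDH+CHACHA20:EDH+AES128:"
    "RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!DSS:!SRP:!kECDH:"
    "!CAMELLIA:!SEED:!IDEA:!3DES"
)

# Assumed hardened variant: identical except that RSA+AESGCM (static RSA key
# exchange, no forward secrecy) is dropped. Not taken from the article.
PFS_ONLY_CIPHERS = NGINX_CIPHERS.replace("RSA+AESGCM:", "")

# Substrings that identify legacy algorithms the string claims to exclude.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "PSK", "SRP")


def resolve(cipher_string: str) -> list:
    """Cipher descriptions OpenSSL selects for an ssl_ciphers value at TLS >= 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # ssl_protocols TLSv1.2 TLSv1.3
    ctx.set_ciphers(cipher_string)                # SSLError if nothing matches
    return ctx.get_ciphers()


def weak_ciphers(ciphers: list) -> list:
    """Selected suites whose name still contains a legacy algorithm."""
    return [c["name"] for c in ciphers if any(m in c["name"] for m in WEAK_MARKERS)]


def non_forward_secret(ciphers: list) -> list:
    """TLS 1.2 suites with static RSA key exchange (Kx=RSA in OpenSSL's
    description): a later compromise of the private key decrypts recorded sessions."""
    return [c["name"] for c in ciphers if "Kx=RSA" in c["description"]]


def audit(cipher_string: str) -> dict:
    """Summarise what a cipher string enables on this OpenSSL build."""
    ciphers = resolve(cipher_string)
    return {
        "total": len(ciphers),
        "tls13": [c["name"] for c in ciphers if c["protocol"] == "TLSv1.3"],
        "weak": weak_ciphers(ciphers),
        "non_pfs": non_forward_secret(ciphers),
    }


if __name__ == "__main__":
    for label, value in (("article", NGINX_CIPHERS), ("pfs-only", PFS_ONLY_CIPHERS)):
        report = audit(value)
        print(f"{label}: {report['total']} suites, TLS 1.3: {report['tls13']}")
        print(f"  legacy algorithms: {report['weak']}")
        print(f"  no forward secrecy: {report['non_pfs']}")
```

The article's list comes back clean of RC4, MD5, 3DES and the other excluded families, but it does enable the AES-GCM suites with RSA key exchange, which the hardened variant removes; the TLS 1.3 entries in the report are there because OpenSSL enables them by default, not because of the TLS_* names in ssl_ciphers. The same check from a shell is openssl ciphers -v '<string>'.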
Conclusion – Rate limiting, access restrictions, application-layer flood mitigation and TLS hardening are the baseline for a secure Nginx deployment. Together they keep private files off the wire, stop a single client from monopolising the server, and protect data in transit; validate each change with nginx -t and a reload before relying on it.
php中文网 Courses