Secure Your Nginx for Magento
Igor Furseev Avatar

Recent security patches have covered many security leaks. Some of the changes were added via .htaccess files either in Magento root or in specific directories (e.g. shell directory). These fixes will be applied automatically, if your Magento 1.x installation is running on Apache 2, but it won’t work if you prefer Nginx. In this post we will show you the proper Nginx config which provides the same result with a few additions.

Let’s start with the general content of Nginx config file. It should be found by the following path (may vary from your Nginx installation path): /etc/nginx/sites-available/your-site-name and, sometimes, it may be under /etc/nginx/sites-available/default. So the content of this file with all our modifications should look like in the example below:

server {

    listen 80;
    listen 443 default ssl;
    ssl_certificate /etc/ssl/private/ssl-certificate-name.cer;
    ssl_certificate_key /etc/ssl/private/ssl-certificate-key.key;

	#disabling SSLv3 in order to avoid poodle attack
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	#Weak Diffie-Hellman and the Logjam Attack
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/nginx/dhparams.pem;

    server_name website.com;
    root /path/to/magento/root;

    # Gzip Settings
    gzip on;
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length  1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types       text/plain application/xml text/css text/js text/xml application/x-javascript text/javascript application/json application/xml+rss;

   location / {
        index index.html index.php; ## Allow a static html file to be shown first
        try_files $uri $uri/ @handler; ## If missing pass the URI to Magento's front handler
        expires 30d; ## Assume all files are cachable
    }

    location @handler {
        rewrite /   /index.php;
    }

    location ~ \.php(/.*)? {
        if (!-e $request_filename) {
            rewrite / /index.php break;
        }
        expires off;

        fastcgi_pass unix:/var/run/php5-fpm.sock;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        root /path/to/magento/root;
        fastcgi_param  SCRIPT_FILENAME  /path/to/magento/root$fastcgi_script_name;
        fastcgi_index index.php;
        fastcgi_read_timeout 18000; #set phpscript executing timeout
        include fastcgi_params;
    }

    location /api {
            rewrite ^/api/rest /api.php?type=rest;
    }

    location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml|txt)$ {
        root /path/to/magento/root;
        access_log        off;
        expires           max;
    }
    ##downloader directory password
    location /downloader {
            auth_basic            "Halt! Please, confirm your identity";
            auth_basic_user_file  /etc/nginx/.htpasswd;
            index index.php;
    }
	##restrict var, dev and .git directory from external access
	##restrict cron.php from external access
	location ^~ /.git/ { return 403; }
	location ^~ /cron.php { return 403; }
	location ^~ /dev/ { return 403; }
	location ^~ /var/ { return 403; }
}

Let’s check further details.

First of all, we need to restrict our store from using SSL protocols in order to avoid their vulnerabilities. We will use TLS only:

#disabling SSLv3 in order to avoid poodle attack
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

We also need to use stronger key for Diffie-Hellman encryption:

#Weak Diffie-Hellman and the Logjam Attack
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;

For that purpose, we need to generate two-kilobytes crypt key in the specified path. That can be done from bash shell:

sudo openssl dhparam -out /etc/nginx/dhparams.pem 2048

We also should restrict downloader directory with htpassword protection:

##downloader directory password
location /downloader {
        auth_basic            "Halt! Please, confirm your identity";
        auth_basic_user_file  /etc/nginx/.htpasswd;
        index index.php;
}

For that purpose generate /etc/nginx/.htpasswd file from the bash shell:

htpasswd -c /etc/nginx/.htpasswd username

At last, restrict web access for var and dev (Magento 1.9.1.x) directories and cron.php. If you use git for version control (which is not recommended for production servers), you should also restrict .git directory:

##restrict var, dev and .git directory from external access
##restrict cron.php from external access
location ^~ /.git/ { return 403; }
location ^~ /cron.php { return 403; }
location ^~ /dev/ { return 403; }
location ^~ /var/ { return 403; }

That is all. Nginx should be restarted after all the above mentioned changes:

sudo service nginx restart

In order to check the results (and it is better to check both before and after the changes), you may use magereport.com and ssllabs.com for SSL vulnerability check.

Also, file contents provided in this post may be used for your Nginx config file if necessary (we assume that all the paths and domain names were updated properly). Thanks for reading us!