Nginx Proxy Manager (NPM) is an open source tool with a user-friendly web interface for managing Nginx reverse proxy configuration. With NPM you can quickly build a high-performance and secure reverse proxy, set up load balancing, obtain SSL certificates automatically, add custom configuration, configure a web application firewall, and block common web attacks.
1. Installation
First, make sure Docker and Docker Compose are installed, then start the nginx-proxy-manager service with the following steps.
1. Create a file
# Create the required folder
mkdir -p /home/docker/npm
# Enter the installation directory
cd /home/docker/npm
# Create the file
vim
In the file, add the following configuration:
# Default login name and password
# Email: admin@
# Password: changeme
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - /home/docker/npm/data:/data
      - /home/docker/npm/letsencrypt:/etc/letsencrypt
After the configuration is complete, save and exit the editor (press i to enter insert mode, press Esc to leave it, then type :wq to save and exit).
2. Start the service
You can start the service with the following command:
docker-compose up -d
nginx-proxy-manager will then run in the background and use admin@ and changeme as the default login credentials.
3. Chinese-language image
- English image: jc21/nginx-proxy-manager
- Chinese image: chishin/nginx-proxy-manager-zh
Switch images as needed; the Chinese image provides a Chinese-language interface for Chinese users.
2. Configuration
Nginx Proxy Manager allows you to customize Nginx configuration by mounting custom configuration files. Here are some common custom configuration file paths and usage methods:
1. Configuration paths
In Nginx Proxy Manager you can add custom configuration files under /data/nginx/custom; they are included into the main configuration file at the following points:
/data/nginx/custom/root_top.conf          # included at the top of the main configuration file
/data/nginx/custom/                       # included at the end of the main configuration file
/data/nginx/custom/http_top.conf          # included at the top of the http block
/data/nginx/custom/                       # included at the end of the http block
/data/nginx/custom/                       # included at the end of the events block
/data/nginx/custom/                       # included at the end of the stream block
/data/nginx/custom/server_proxy.conf      # included at the end of each proxy server block
/data/nginx/custom/server_redirect.conf   # included at the end of each redirect server block
/data/nginx/custom/server_stream.conf     # included at the end of each stream server block
/data/nginx/custom/server_stream_tcp.conf # included at the end of each TCP stream server block
/data/nginx/custom/server_stream_udp.conf # included at the end of each UDP stream server block
- Configuration file example
# Nginx main configuration file

# ==========================
# 1. Global configuration: root_top.conf
# ==========================
# Contains global basic configuration (such as module loading, log path, etc.)
include /data/nginx/custom/root_top.conf;

# ==========================
# 2. Event configuration:
# ==========================
events {
    include /data/nginx/custom/;
}

# ==========================
# 3. Main HTTP configuration block: http_top.conf and
# ==========================
http {
    include /data/nginx/custom/http_top.conf;

    server_tokens off;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/ main;
    error_log /var/log/nginx/ warn;

    # Server configuration
    server {
        listen 80;
        server_name ;
        include /data/nginx/custom/server_proxy.conf;
    }

    server {
        listen 80;
        server_name ;
        include /data/nginx/custom/server_redirect.conf;
        return 301 https://$host$request_uri;
    }

    include /data/nginx/custom/;
}

# ==========================
# 4. Stream configuration:
# ==========================
stream {
    include /data/nginx/custom/;

    server {
        listen 3306;
        proxy_pass backend_tcp_servers;
        include /data/nginx/custom/server_stream.conf;
    }

    server {
        listen 3307;
        proxy_pass backend_tcp_servers;
        include /data/nginx/custom/server_stream_tcp.conf;
    }

    server {
        listen 53 udp;
        proxy_pass backend_udp_servers;
        include /data/nginx/custom/server_stream_udp.conf;
    }
}

# ==========================
# 5. End of global configuration:
# ==========================
include /data/nginx/custom/;
2. Hotlink protection for an image host
To stop external sites from hotlinking your image resources directly, you can enable hotlink protection in the Nginx configuration. Here is a simple hotlink-protection example for an image host:
location ~* \.(gif|jpg|png|bmp)$ {
    valid_referers none blocked *. ~\.google\. ~\.bing\. ~\.baidu\.;
    if ($invalid_referer) {
        return 403;
    }
    proxy_pass ;
}
- Matching rule: this location matches all .gif, .jpg, .png and .bmp files.
- Valid referers: specifies which sources are legitimate; requests from any other source receive 403 Forbidden.
- Proxy forwarding: requests that pass the check are forwarded to the proxy_pass target for processing.
3. Block malicious query parameters
For additional protection, the following configuration blocks requests whose query string matches known attack patterns:
- Add to http_top.conf:
# Define malicious query patterns
map $query_string $blocked {
    default 0;
    # XSS defense
    "~*(alert\(|<script>|</script>|on\w+=|javascript:|<img\s+src=|<svg\s+onload=)" 1;
    # SQL injection defense
    "~*(--|or\s1=1|union\sselect|select\s.*from|drop\s+table|insert\s+into|update\s+set|delete\s+from|;--|#|0x|char\(|unhex\()" 1;
    # File inclusion defense
    "~*(/etc/passwd|/proc/self/environ|php://input|php://filter|file\://|ftp://|http://)" 1;
    # Command injection defense
    "~*(\|&|\&\||;|`|exec\(|system\(|passthru\(|shell_exec\(|popen\()" 1;
    # Webshell signature defense
    "~*(base64_encode\(|eval\(|gzinflate\(|gzuncompress\(|assert\(|create_function\(|function_exists\()" 1;
    # Scanner and crawler names (note: this map only inspects the query string, not the User-Agent or Referer headers)
    "~*(bot|spider|crawl|wget|curl|nmap|nikto|sqlmap|libwww|httrack)" 1;
    # Command execution keyword defense
    "~*(rm\s-rf|chmod\s777|chown\s|chgrp\s)" 1;
}
- Add to server_proxy.conf:
if ($blocked) {
    return 405;
}
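Before putting the map above in front of real traffic it is worth checking what it would reject. The following Python script is an added example written for this article (not part of the original post or of Nginx Proxy Manager): it replays the seven regexes over constructed raw query strings the way nginx matches $query_string (unanchored, case-insensitive), and shows that broad tokens such as http://, 0x, curl and on\w+= also block ordinary requests, which is why the rules need tuning per site.

```python
import re

# The seven patterns from the map block above, case-insensitive like nginx's "~*".
BLOCK_RULES = {
    "xss":      r"(alert\(|<script>|</script>|on\w+=|javascript:|<img\s+src=|<svg\s+onload=)",
    "sqli":     r"(--|or\s1=1|union\sselect|select\s.*from|drop\s+table|insert\s+into|update\s+set|delete\s+from|;--|#|0x|char\(|unhex\()",
    "lfi":      r"(/etc/passwd|/proc/self/environ|php://input|php://filter|file\://|ftp://|http://)",
    "cmdi":     r"(\|&|\&\||;|`|exec\(|system\(|passthru\(|shell_exec\(|popen\()",
    "webshell": r"(base64_encode\(|eval\(|gzinflate\(|gzuncompress\(|assert\(|create_function\(|function_exists\()",
    "tools":    r"(bot|spider|crawl|wget|curl|nmap|nikto|sqlmap|libwww|httrack)",
    "cmdexec":  r"(rm\s-rf|chmod\s777|chown\s|chgrp\s)",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in BLOCK_RULES.items()}


def classify(query_string):
    """Return the names of every rule that would set $blocked=1 for a raw query string.

    nginx's $query_string is the undecoded text after '?', so the samples use
    %20 rather than spaces; map regexes are searched anywhere in the value.
    """
    return [name for name, rx in COMPILED.items() if rx.search(query_string)]


# Constructed sample query strings (not taken from any real log): the first is
# benign, the second is an obvious probe, the rest are ordinary requests that the
# broad patterns would nevertheless reject with the 405 from server_proxy.conf.
SAMPLES = [
    "page=2&sort=name",
    "q=<script>alert(1)</script>",
    "redirect=http://example.com/next",  # 'http://' in the file-inclusion rule
    "color=0x1f&id=7",                   # '0x' in the SQL-injection rule
    "q=curl%20tutorial",                 # 'curl' in the scanner-name rule
    "confirm=1",                         # 'on\w+=' in the XSS rule matches 'onfirm='
]


def report(samples=SAMPLES):
    """Map each sample to the rules it trips; an empty list means it passes."""
    return {q: classify(q) for q in samples}


if __name__ == "__main__":
    for q, hits in report().items():
        print(f"{'BLOCK' if hits else 'pass '} {q!r} {hits}")
```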
4. Geographic restrictions
To restrict access to specific countries, you can use the GeoIP2 module for geolocation-based restrictions. Here is a configuration example:
- Enable the GeoIP2 module in root_top.conf:
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
- Load the GeoLite2 database in http_top.conf (download the database yourself and upload it to the corresponding directory):
geoip2 /data/nginx/custom/ {
    $geoip2_data_country_code country iso_code;
    $geoip2_data_country_name country names en;
}
- Restrict access by client IP in server_proxy.conf (for example, allow only Chinese IPs):
if ($geoip2_data_country_code != "CN") {
    return 403;
}
- The same restriction can also be added in the Advanced tab of the Proxy Host panel:
if ($geoip2_data_country_code != "CN") {
    return 403;
}
Test output
To ensure that the GeoIP2 module and other protections work properly, you can verify that access is restricted as expected by configuring a test URL. Here is an example configuration for the output test:
- root_top.conf: enable the GeoIP2 module (already configured earlier):
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
- http_top.conf: configure the log format and load the GeoLite2 database:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$geoip2_data_country_code" "$geoip2_data_country_name"';
geoip2 /data/nginx/custom/ {
    $geoip2_data_country_code country iso_code;
    $geoip2_data_country_name country names en;
}
- server_proxy.conf: add a /show-geoip route that outputs the geolocation information; only requests from China are allowed (the echo directive is provided by the third-party echo-nginx-module, so it must be built into your Nginx for this test route to work):
location /show-geoip {
    # Only allow access from Chinese IP addresses
    if ($geoip2_data_country_code != "CN") {
        return 403;  # If it is not a Chinese IP, return 403 Forbidden
    }
    default_type text/plain;
    echo "Country Code: $geoip2_data_country_code";
    echo "Country Name: $geoip2_data_country_name";
}
- When you visit http://your-server-ip/show-geoip you should see output similar to the following (if your request comes from China):
Country Code: CN
Country Name: China
If the request comes from another country, Nginx returns a 403 Forbidden error, ensuring that only users in the allowed region can access the page.
3. Others
In addition to the GeoIP2 geolocation restrictions and malicious query protection above, Nginx can also enhance security through other measures. Here are some additional protection and optimization suggestions:
1. Disable unnecessary HTTP methods
server {
    listen 80;
    server_name ;
    if ($request_method !~ ^(GET|POST|HEAD|OPTIONS)$) {
        return 405;
    }
    # Other configurations...
}
2. Enable HTTP security headers
Configure HTTP security headers to harden the website against XSS, clickjacking and similar attacks (note that X-XSS-Protection is a legacy header that current browsers ignore; a Content-Security-Policy header is the modern replacement):
server {
    listen 443 ssl;
    server_name ;
    # Prevent clickjacking
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy XSS filter header
    add_header X-XSS-Protection "1; mode=block" always;
    # Prevent MIME type sniffing
    add_header X-Content-Type-Options "nosniff" always;
    # Disable caching of sensitive content
    add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
    # Enable HTTP Strict Transport Security (HSTS)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Other configurations...
}
3. Rate Limiting
To mitigate brute-force and DDoS attacks, you can configure request rate limits:
http {
    # Define a rate-limit zone keyed by client address
    limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;

    server {
        listen 80;
        server_name ;
        # Enable rate limiting
        limit_req zone=one burst=10 nodelay;
        # Other configurations...
    }
}
This limits each IP address to 30 requests per minute (one every two seconds); burst=10 lets up to 10 additional requests through without delay, and requests beyond that are rejected (with status 503 by default).
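To make the burst semantics concrete, here is an added Python replay of the limit_req arithmetic for the zone above (rate=30r/m, burst=10, nodelay). It is a simulation written for this article, not nginx code, and the request timeline it feeds in is constructed.

```python
def limit_req_replay(arrival_ms, rate_per_minute=30, burst=10):
    """Replay nginx's limit_req decision for one client key (simulation).

    Follows the leaky-bucket arithmetic of ngx_http_limit_req_module: rate and
    excess are kept in thousandths of a request, every request adds 1000, and the
    bucket drains rate*elapsed_ms/1000 since the client's last accepted request.
    A request is rejected (503 by default) when excess exceeds burst*1000; rejected
    requests do not update the client's state. With nodelay, accepted requests are
    served immediately instead of being paced, so the outcome is accept or reject.
    Returns a list of (arrival_ms, status) pairs.
    """
    rate = rate_per_minute * 1000 // 60      # 30r/m -> 500 thousandths per second
    limit = burst * 1000
    excess, last = 0, None
    decisions = []
    for now in arrival_ms:
        if last is None:
            new_excess = 0                   # first request creates the zone entry
        else:
            elapsed = max(0, now - last)
            new_excess = max(0, excess - rate * elapsed // 1000 + 1000)
        if new_excess > limit:
            decisions.append((now, 503))
            continue
        excess, last = new_excess, now
        decisions.append((now, 200))
    return decisions


def count_status(decisions, status):
    """Number of decisions that ended with the given HTTP status."""
    return sum(1 for _, s in decisions if s == status)


if __name__ == "__main__":
    # Constructed traffic: 12 requests in the same millisecond, then one 2 s and one 3 s later.
    timeline = [0] * 12 + [2000, 3000]
    for t, status in limit_req_replay(timeline):
        print(f"t={t:5d} ms -> {status}")
```

The replay shows 11 requests accepted at once (the base request plus the 10-request burst), the 12th rejected, and afterwards one request every two seconds.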
4. Enable SSL/TLS encryption
Make sure your Nginx configuration has SSL/TLS encryption enabled to ensure that all traffic is encrypted and prevents man-in-the-middle attacks (MITM). Here is the basic configuration to enable SSL:
server {
    listen 443 ssl;
    server_name ;
    ssl_certificate /etc/letsencrypt/live//;
    ssl_certificate_key /etc/letsencrypt/live//;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    # Force HTTPS redirection
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
    # Other configurations...
}
4. Summary
Through the configuration and steps above you can configure and optimise nginx-proxy-manager and improve the security and performance of the system. Key steps include:
- GeoIP2 restrictions: load a GeoIP2 database to restrict the source of requests, allowing only requests from a specific country.
- Malicious query protection: use the Nginx map and if directives to block malicious query parameters (XSS, SQL injection, and so on).
- Hotlink protection: configure hotlink protection for the image host so that only requests from legitimate sources can access your static resources.
- SSL/TLS encryption: enable HTTPS to encrypt traffic and keep data secure.
- HTTP security headers: configure HTTP security headers to prevent common web attacks.
- Request rate limiting: mitigate brute-force and DDoS attacks.
With these optimizations, you can improve the security of your reverse proxy server, protect your network assets from malicious attacks, and improve access performance.
This concludes the article on configuring a web application firewall (WAF) with Nginx Proxy Manager.