| Summary: | Extend "Securing the Apache HTTP Server" to cover Nginx | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Prpič <mprpic> |
| Component: | doc-Security_Guide | Assignee: | Mirek Jahoda <mjahoda> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Joe Orton <jorton> |
| Severity: | unspecified | Docs Contact: | Martin Prpič <mprpic> |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | bnater, bperkins, cperry, dkutalek, jkaluza, jorton, mjahoda, mprpic, rhel-docs, szidek, yjog |
| Target Milestone: | rc | Keywords: | Documentation |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-12 15:11:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1470091 | | |
Description
Martin Prpič
2016-04-26 18:19:02 UTC
Mirek, below is the proposed content. I hope the format (markdown) is OK for you. If you need to convert it to DocBook, you can use pandoc. Feel free to adjust the styling and structure as you see fit. I'm not sure what the current policy is with regard to linking to external resources, but I feel both of them (SSL Labs, Mozilla SSL config generator) are trustworthy and contain valuable information. If we have a policy against linking to external sites though, you can remove them of course. Let me know if you have any other questions.

------------------8<------------------

### 4.3.9. Securing the NGINX HTTP Server

NGINX is a high-performance HTTP and proxy server. The following sections briefly document extra steps that can be taken to harden your NGINX configuration. All of the configuration options should be added to the `server` section(s) of your NGINX configuration files.

#### Disabling Version Strings

To prevent attackers from learning the version of NGINX running on your server, use the following configuration option:

```
server_tokens off;
```

This has the effect of removing the version number and simply reporting the string `nginx` in all requests served by NGINX:

```
> curl -sI http://localhost | grep Server
Server: nginx
```

#### Security-related Headers

Each request served by NGINX can include additional HTTP headers that mitigate certain known web application vulnerabilities:

* `add_header X-Frame-Options SAMEORIGIN;` -- This option prevents any page outside of your domain from framing any content served by NGINX, effectively mitigating clickjacking attacks.
* `add_header X-Content-Type-Options nosniff;` -- This option prevents MIME-type sniffing in certain older browsers.
* `add_header X-XSS-Protection "1; mode=block";` -- This option enables Cross-Site Scripting (XSS) filtering, preventing the browser from rendering potentially malicious content included in a response by NGINX.

#### Disable Potentially Harmful HTTP Methods

If enabled, some of the HTTP methods may allow an attacker to perform actions on the web server that were designed for developers to test web applications. For example, the TRACE method is known to allow Cross-Site Tracing (XST). Your NGINX server can disallow these harmful HTTP methods as well as any arbitrary methods by whitelisting only those that should be allowed. For example:

```
# Allow GET, PUT, POST; return "405 Method Not Allowed" for all others.
if ( $request_method !~ ^(GET|PUT|POST)$ ) {
    return 405;
}
```

#### Configuring SSL

To protect the data served by your NGINX web server, you should consider serving it over HTTPS only. To generate a secure configuration profile for enabling SSL in your NGINX server, see the [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/). The generated configuration will assure that known vulnerable protocols (for example, SSLv2 or SSLv3) and ciphers and hashing algorithms (for example, 3DES or MD5) are disabled. You can use the [SSL Server Test](https://www.ssllabs.com/ssltest/) to verify that your configuration meets modern security requirements.

------------------8<------------------

The update is available on the Customer Portal: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_services#sec-Securing_HTTP_Servers
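The following Python script is an added example and is not part of the bug report or of the proposed guide text. It audits a raw HTTP response for the settings proposed above: no version string in the `Server` header, the three security headers with their expected values, and a `405` for any method outside the `GET`/`PUT`/`POST` whitelist. The function names (`parse_response`, `audit`) are the example's own, and every sample response is constructed rather than captured from a real server. One sample deliberately shows a `404` from a server that uses the proposed `add_header` lines: NGINX adds `add_header` fields only to 2xx/3xx responses unless the directive carries the `always` parameter (available since NGINX 1.7.5), so error pages silently lose the security headers, which is exactly what a checker that only looks at a `200` would miss.

```python
"""Offline audit of raw HTTP responses against the NGINX hardening settings
proposed above. Added example code; all sample responses are constructed."""
import re
from typing import Dict, List, Tuple

# Header values the proposed add_header lines are expected to produce.
REQUIRED_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}
# Methods left enabled by the proposed whitelist; anything else must get 405.
ALLOWED_METHODS = {"GET", "PUT", "POST"}


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP/1.x response.
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(raw: str, method: str = "GET") -> List[str]:
    """Return a list of findings; an empty list means the response looks hardened."""
    status, headers = parse_response(raw)
    findings: List[str] = []

    # server_tokens off: the Server header must not carry "nginx/<version>".
    server = headers.get("server", "")
    if re.search(r"nginx/\d", server, re.IGNORECASE):
        findings.append(f"version disclosed in Server header: {server!r}")

    # Security headers: checked on every response, error pages included.
    for name, expected in REQUIRED_HEADERS.items():
        actual = headers.get(name)
        if actual is None:
            findings.append(f"missing {name} on status {status}")
        elif actual.lower() != expected.lower():
            findings.append(f"unexpected {name}: {actual!r}")

    # Method whitelist: a non-whitelisted method must be refused with 405.
    if method.upper() not in ALLOWED_METHODS and status != 405:
        findings.append(f"{method} answered with {status}, expected 405")
    return findings


def _response(status_line: str, *headers: str) -> str:
    """Build a constructed raw response (CRLF line endings, empty body)."""
    return "\r\n".join((status_line,) + headers) + "\r\n\r\n"


# Constructed samples: a default install versus a server using the proposed config.
DEFAULT_GET = _response("HTTP/1.1 200 OK", "Server: nginx/1.10.2",
                        "Content-Type: text/html")
DEFAULT_DELETE = _response("HTTP/1.1 200 OK", "Server: nginx/1.10.2")
HARDENED_GET = _response("HTTP/1.1 200 OK", "Server: nginx",
                         "Content-Type: text/html",
                         "X-Frame-Options: SAMEORIGIN",
                         "X-Content-Type-Options: nosniff",
                         "X-XSS-Protection: 1; mode=block")
# Same hardened server, 404 page: add_header without "always" applies only to
# 2xx/3xx responses, so the security headers are absent here.
HARDENED_404 = _response("HTTP/1.1 404 Not Found", "Server: nginx",
                         "Content-Type: text/html")
# Same hardened server answering TRACE via "return 405" (again no "always").
HARDENED_TRACE = _response("HTTP/1.1 405 Not Allowed", "Server: nginx")

if __name__ == "__main__":
    for label, raw, method in [("default GET", DEFAULT_GET, "GET"),
                               ("default DELETE", DEFAULT_DELETE, "DELETE"),
                               ("hardened GET", HARDENED_GET, "GET"),
                               ("hardened 404", HARDENED_404, "GET"),
                               ("hardened TRACE", HARDENED_TRACE, "TRACE")]:
        print(f"{label}: {audit(raw, method) or 'OK'}")
```

To run it against a live host instead of the constructed samples, feed `audit()` the output of `curl -si -X TRACE http://localhost/` (or a plain `curl -si` for the `GET` case) together with the method used; the `404` sample shows why the check should also be run against a URL that does not exist.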