Nginx on Linux with a Web Application Firewall (WAF) is a critical security control plane for pre-production environments: it terminates TLS, mediates access, enforces content and traffic policies, and shields upstream services from abuse. In pre-production, the goals are to mirror production posture while enabling safe testing, rapid iteration, and early detection of misconfigurations and vulnerabilities—without exposing real data or production secrets. The following practices emphasize hardened hosts, least-privilege processes, robust crypto, strict HTTP and WAF controls, abuse resistance, strong observability, and change safety aligned with industry benchmarks (e.g., CIS Linux Benchmarks, OWASP ASVS/Cheat Sheets, NIST 800-53/800-190).
10 Security Best Practices
- Practice: Harden Linux Host Baseline and Enforce MAC
- Specific Description: Reduce host attack surface and enforce Mandatory Access Control (SELinux/AppArmor) suitable for reverse proxy/WAF workloads.
- Implementation Points:
- Minimal OS image; remove compilers, interpreters, and unused packages/services. Disable password SSH; use key-based auth and sudo with least privilege.
- Kernel/sysctl hardening (evaluate in your environment): enable TCP SYN cookies; disable source routing and ICMP redirects; enable reverse path filtering; restrict kernel pointers; protect hardlinks/symlinks; restrict unprivileged BPF/user namespaces if feasible.
- Examples: net.ipv4.tcp_syncookies=1; net.ipv4.conf.all.accept_redirects=0; net.ipv4.conf.all.send_redirects=0; net.ipv4.conf.all.accept_source_route=0; net.ipv4.conf.all.rp_filter=1; fs.protected_hardlinks=1; fs.protected_symlinks=1; kernel.kptr_restrict=2; kernel.unprivileged_bpf_disabled=1.
- Mount hardening: mount /tmp and /var/tmp with noexec,nosuid,nodev; ensure only required filesystems are enabled; mark config directories read-only except where necessary for runtime.
- Enforce SELinux or AppArmor in enforcing mode; apply or craft a strict profile/policy allowing only required file paths, network, and IPC for Nginx and WAF.
- Keep the kernel and packages patched on a defined cadence; use trusted repositories with signature verification.
- Security Value: Shrinks the attack surface, reduces privilege escalation paths, and confines Nginx/WAF processes to least privilege at the OS level.
- Practice: Process Isolation and Systemd Hardening
- Specific Description: Run Nginx/WAF as an unprivileged service with tightly scoped capabilities and OS sandboxing.
- Implementation Points:
- Dedicated non-root user/group; avoid running the master as root. If binding to privileged ports, grant only CAP_NET_BIND_SERVICE to the binary or unit.
- Systemd unit hardening (validate per distro): NoNewPrivileges=true; PrivateTmp=true; PrivateDevices=true; ProtectSystem=strict; ProtectHome=true; ReadWritePaths=/var/log/nginx /var/cache/nginx; CapabilityBoundingSet=CAP_NET_BIND_SERVICE; RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX; LockPersonality=true; RestrictSUIDSGID=true; SystemCallFilter to permit only needed syscalls (test carefully); MemoryDenyWriteExecute=true (unless a module requires JIT).
- Separate runtime, state, cache, and log directories via RuntimeDirectory/StateDirectory with restricted permissions.
- Security Value: Prevents lateral movement and mitigates the blast radius of a compromise by dropping privileges and constraining runtime capabilities.
- Practice: Network Segmentation and Host Firewalling
- Specific Description: Place Nginx in a controlled ingress tier with tight north-south and east-west controls, and minimal egress.
- Implementation Points:
- Inbound: only allow required ports (e.g., 80 for redirect, 443 for TLS). Deny admin and metrics endpoints from public networks; expose them only via management networks or bastion.
- Egress: default-deny outbound; explicitly allow only upstream backends, OCSP responders, package mirrors, and logging endpoints. Use FQDN pinning plus IP/port allowlists if possible.
- Inter-tier segmentation: isolate pre-production from production; prohibit any path from pre-prod to prod data stores. Use separate VPC/VNET/subnets and security groups or host firewalls (nftables) to enforce boundaries.
- Kernel anti-spoofing (rp_filter) and logging for dropped traffic. Prefer IPv6 parity and hardening if used.
- Security Value: Minimizes exposure, curtails data exfiltration channels, and blocks lateral pivoting.
- Practice: TLS/mTLS Hardening and Key Lifecycle
- Specific Description: Enforce modern TLS, protect keys, and enable upstream authentication where needed.
- Implementation Points:
- Protocols/ciphers: enable TLS 1.2 and 1.3; disable legacy protocols/ciphers; prefer AEAD ciphers and forward secrecy. Prefer server cipher order for TLS 1.2.
- Certificates: use environment-specific CAs for pre-prod; enforce short-lived certs; automate issuance/renewal. OCSP stapling enabled; robust stapling failure handling.
- Session handling: rotate TLS session ticket keys; consider disabling tickets if rotation is not feasible; prefer TLS 1.3 resumption semantics with rotation.
- Private key protection: file perms 600 owned by the Nginx user; isolate from backups; consider hardware-backed or OS keystore via PKCS#11 where feasible.
- Upstream mTLS: authenticate to backends with distinct client certs per service; validate upstream cert chains and SANs; pin expected CA.
- Security Value: Prevents downgrade and passive/active interception, thwarts MITM on upstream links, and reduces key compromise impact via rotation and isolation.
- Practice: HTTP Surface Minimization and Header Hygiene
- Specific Description: Constrain what clients can send and what responses expose; normalize and sanitize all trust boundaries.
- Implementation Points:
- Limit methods (allow only GET/HEAD/POST/PUT/DELETE as truly needed); reject TRACE/OPTIONS unless required and safe.
- Tight timeouts: client_header_timeout, client_body_timeout, keepalive_timeout short and reasonable; large_client_header_buffers tuned; request/response buffering strategy chosen to protect upstreams.
- Size limits: client_max_body_size, client_header_buffer_size, and header count limits appropriate for the application.
- Normalize URIs and reject ambiguous encoding; disable underscores_in_headers; ignore_invalid_headers on; validate Host header; disallow absolute URIs from external clients if not needed.
- Proxy header controls: drop client-supplied X-Forwarded-*; set them explicitly server-side; sanitize hop-by-hop headers.
- Response hardening: server_tokens off; add HSTS (in pre-prod only if domain isolation is guaranteed to avoid pinning mistakes), Content-Security-Policy (least permissive, use frame-ancestors), Referrer-Policy, Permissions-Policy, X-Content-Type-Options nosniff. Use proxy_cookie_flags to set Secure; HttpOnly; SameSite as appropriate for proxied apps.
- Cache safety: ensure cache keys incorporate auth context; bypass caching on Authorization; clear vary headers appropriately.
- Security Value: Reduces exploitability (injection, smuggling, cache poisoning), constrains protocol abuse, and limits sensitive metadata exposure.
- Practice: WAF Rule Lifecycle, Normalization, and Tuning-as-Code
- Specific Description: Treat WAF policies as code with rigorous testing, staged rollout, and continuous tuning to reduce false positives/negatives.
- Implementation Points:
- Rule management: version control, code review, and CI tests for rule packs; tag rules by OWASP category, app area, and risk.
- Normalization: enable strict canonicalization of URLs, encodings, and request bodies; limit decoding depth; turn on libinjection-like SQLi/XSS detectors if supported.
- Staging: deploy new/updated rules in Detection/Log-only in pre-prod; compare against a traffic baseline; promote to Blocking after false-positive burn-in and coverage validation.
- Positive security model: for high-risk endpoints, whitelist schemas (allowed methods, content types, parameter shapes, JSON schema enforcement).
- Virtual patching: rapidly block known exploit vectors targeting upstream vulnerabilities until patched; set expiration and review dates on temporary rules.
- Performance budget: cap per-request WAF processing time and inspect only necessary content types to avoid DoS via WAF overhead.
- Security Value: Increases detection fidelity and reduces operational risk by preventing both bypass and application-breaking false positives.
- Practice: DoS and Abuse Controls (Rate/Connection Limiting and Slow Attacks)
- Specific Description: Apply layered protections against volumetric and application-layer DoS and abuse patterns.
- Implementation Points:
- Rate limiting: per-IP and per-auth-subject request rate with bursts and token-bucket smoothing; return 429 with clear retry semantics.
- Connection limiting: limit_conn per IP and per zone to cap concurrency; low keepalive_timeout for public endpoints.
- Slowloris mitigation: enforce client_header_timeout/client_body_timeout; limit request body buffering time; drop slow senders.
- Request buffering: enable proxy_request_buffering for typical APIs to shield upstreams; consider disabling only for large file uploads with compensating controls.
- Kernel-level: enable TCP SYN cookies; tune backlog thresholds; ensure adequate file descriptor limits and worker_connections to avoid self-DoS.
- Static asset offload and caching to reduce dynamic backend pressure in pre-prod perf tests.
- Security Value: Preserves availability by curbing abusive clients and pathological traffic patterns before they impact upstream services.
- Practice: Authentication and Authorization for Admin/Internal Paths (Zero Trust at the Edge)
- Specific Description: Enforce strong identity at Nginx for sensitive routes; never trust client-provided identity headers.
- Implementation Points:
- Path isolation: separate server blocks or locations for admin, health, metrics, and internal APIs; never expose these publicly.
- Strong auth: prefer mTLS for admin networks; for end-user auth, integrate with a centralized identity provider via an auth subrequest pattern; validate JWTs or tokens server-side, not via client-supplied headers.
- Header sanitation: strip inbound Authorization and X-Forwarded-* from clients on public interfaces; set canonical X-Forwarded-Proto/Host/For internally; propagate only validated identity claims (e.g., via internal headers) to upstreams.
- Per-route RBAC: map claims/scopes to backend routing and authorization decisions; deny by default if claims missing or verification fails; set low TTL on auth cache and respect token revocation.
- Audit: log authenticated principal, auth method, and policy decision for sensitive routes.
- Security Value: Prevents header spoofing, enforces least privilege access to critical endpoints, and strengthens end-to-end identity assurance.
- Practice: Secrets and Key Management, with Pre-Production Data Isolation
- Specific Description: Protect TLS keys, API tokens, and WAF secrets; ensure pre-production uses isolated credentials and data.
- Implementation Points:
- Storage: restrict file permissions (600, owned by service user); no secrets in environment variables or command lines; disable core dumps; scrub crash artifacts.
- Retrieval: use a centralized secret manager or OS keystore; short-lived credentials; automated rotation; strict access policies and audit trails.
- Separation: unique CAs, certificates, tokens, and database credentials for pre-prod; no production secrets or datasets; use masked/synthetic data only.
- Transport: ship logs and metrics over TLS with mutual auth to collectors; pin collector CA.
- Controls: detect and block accidental secret leakage in configs and logs; run pre-commit/CI scanners; prevent world-readable temp files.
- Security Value: Limits blast radius of key compromise, prevents cross-environment leakage, and maintains confidentiality of sensitive material.
- Practice: Observability, Security Telemetry, and Incident Response for Edge Services
- Specific Description: Produce high-fidelity, privacy-aware telemetry; centralize analysis; automate detection and rollback aligned to pre-production workflows.
- Implementation Points:
- Structured logging: JSON logs for access, error, and WAF audit with fields for request_id, client IP, TLS version/cipher, mTLS subject, upstream status/latency, auth principal, and rule matches. Redact sensitive fields.
- Metrics: export per-route/request metrics (rates, latencies, error codes, WAF block rates, 429/403 spikes). Protect metrics endpoints; do not expose publicly.
- Centralization: forward logs/metrics over TLS to a central platform; segregate pre-prod indices; strict RBAC for viewers; synchronized time (NTP/Chrony).
- Detection: alerts for anomalies (5xx surge, WAF FP/TP changes, auth failures, rate-limit events, config integrity changes). Establish baselines for pre-prod traffic.
- Integrity monitoring: watch /etc/nginx, WAF rules, and TLS material for unauthorized changes; tie to change tickets.
- Response: playbooks for quick rollback of Nginx/WAF configs; safe-mode switch to change WAF from Block to Detect on elevated FP; automated config canary with health checks gatekeeping full rollout.
- Security Value: Enhances early detection, speeds containment, and reduces MTTR while ensuring privacy and compliance of telemetry.
Summary and Recommendations
- Apply defense-in-depth: hardened Linux host with MAC, least-privilege process isolation, tight network segmentation, modern TLS/mTLS, strict HTTP and WAF controls, and robust observability.
- Treat configurations and WAF rules as code: versioned, peer-reviewed, automatically tested (nginx -t, schema tests, replay traffic), and promoted via canary and staged rollouts in pre-production before production.
- Keep pre-production isolated: no production data or secrets, separate PKI/credentials, and limited exposure. Use synthetic/masked data to validate WAF efficacy and tuning.
- Continuously improve: monitor baselines, tune WAF and rate limits to minimize false positives while preserving protection, and keep host/packages patched on a predictable schedule.
By implementing the above practices, your pre-production Nginx+WAF tier will closely mirror production security posture, safely validate changes, and provide strong preventive, detective, and responsive controls aligned with modern security standards.
