
how to secure your shared hosting servers using free SSL and nginx reverse proxy

a lot of us have our websites hosted on shared web hosting services. usually this is a cheap option compared to getting a vps and hosting the website on it. or you may have a vps but still want to host the website on shared hosting for whatever reason. the question that comes to mind is: what about a waf? with a vps we can run nginx in front and proxy_pass to apache, but how will this work with shared web hosting, where we do not have the liberty to run our own firewall?

so my setup was simple: i have a vps with nginx and naxsi configured. i won't touch on how to install nginx and configure the naxsi module, as there are a lot of tutorials available on that. and then we have a shared hosting service provider who doesn't provide a waf :-)


the above figure shows the open ports: on your vps and on the shared hosting, 80/443 are always open. so the problem was that there is no firewall on the shared hosting, so how do we use the nginx/naxsi waf? we solve it below. first we set up an nginx reverse proxy that points to the shared hosting domain. remember that on shared hosting we often have shared ips, so we cannot point to ipaddress:port. therefore we need to create a subdomain, let's say subdomain.domain.com. now within nginx sites-enabled create a section...


```nginx
# outer server: the public https front end for the main domain, runs naxsi
# and hands the request to the second server block on 8443
server {
    listen 443;
    server_name my-main-domain.com;

    root html;
    index index.html index.htm;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ssl on;
    include /etc/nginx/snippets/ssl-params.conf;
    ssl_certificate /etc/letsencrypt/live/my-main-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-main-domain.com/privkey.pem;
    ssl_dhparam /etc/letsencrypt/live/my-main-domain.com/dhparams.pem;

    location / {
        include /etc/nginx/naxsi.rules;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # second hop on this same vps
        proxy_pass https://my-main-domain.com:8443/;
        proxy_read_timeout 10m;

        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-XSS-Protection "1; mode=block";
        # note: nginx does not inherit the add_header lines above into this block,
        # because the block defines add_header directives of its own
        if ($sent_http_cache_control !~* "max-age=90") {
            add_header Cache-Control no-store;
            add_header Cache-Control no-cache;
            add_header Cache-Control private;
            add_header Cache-Control must-revalidate;
            add_header Cache-Control post-check=0;
            add_header Cache-Control pre-check=0;
        }
    }
    # naxsi DeniedUrl target: blocked requests end up here
    location /RequestDenied {
        return 406;
    }
}

# inner server: forwards to the shared hosting by hostname, since the shared
# host has a shared ip and cannot be reached as ipaddress:port
server {
    listen 8443;
    server_name my-subdomain.domain.com;

    root html;
    index index.html index.htm;

    # the outer server already logs each request, so only keep the error log here
    # (error_log takes a file path, not on/off)
    access_log off;
    error_log /var/log/nginx/error.log;

    ssl on;
    include /etc/nginx/snippets/ssl-params.conf;
    ssl_certificate /etc/letsencrypt/live/my-main-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-main-domain.com/privkey.pem;
    ssl_dhparam /etc/letsencrypt/live/my-main-domain.com/dhparams.pem;

    location / {
        include /etc/nginx/naxsi.rules;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # the subdomain that resolves to the shared hosting account
        proxy_pass https://subdomain.domain.com;
        proxy_read_timeout 10m;

        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-XSS-Protection "1; mode=block";
        if ($sent_http_cache_control !~* "max-age=90") {
            add_header Cache-Control no-store;
            add_header Cache-Control no-cache;
            add_header Cache-Control private;
            add_header Cache-Control must-revalidate;
            add_header Cache-Control post-check=0;
            add_header Cache-Control pre-check=0;
        }
    }
    location /RequestDenied {
        return 406;
    }
}
```
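a quick way to verify the chain end to end is to look at what the browser actually receives. this is an added python check, not part of the original post: it compares a response's headers with the add_header lines in the config above, flags duplicates (both nginx hops add the same headers) and flags responses where they are missing, which can happen because nginx does not inherit the location-level add_header directives into the if block that sets Cache-Control once that block defines add_header itself. the hostname passed to fetch() is assumed to be your own proxy; the sample responses are constructed.

```python
import ssl
from http.client import HTTPSConnection

# header -> value the outer server block adds with add_header (compared case-insensitively)
EXPECTED = {
    "x-frame-options": "sameorigin",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000; includesubdomains",
    "x-xss-protection": "1; mode=block",
}

def check_headers(headers):
    """headers: (name, value) pairs as HTTPResponse.getheaders() returns them.
    Returns a list of findings; an empty list means the response looks as configured."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value.strip().lower())
    findings = []
    for name, want in EXPECTED.items():
        got = seen.get(name, [])
        if not got:
            # typical cause: nginx did not inherit add_header into the if block that sets Cache-Control
            findings.append(f"missing {name}")
        elif want not in got:
            findings.append(f"{name} is {got}, expected {want}")
        elif len(got) > 1:
            # both nginx hops run add_header, so the browser can receive the same header twice
            findings.append(f"{name} sent {len(got)} times")
    cache = seen.get("cache-control", [])
    if not any("max-age=90" in v or "no-store" in v for v in cache):
        findings.append("cache-control carries neither max-age=90 nor no-store")
    return findings

def fetch(host, path="/", port=443):
    """HEAD the live proxy (assumed to be your own) and return (status, headers);
    a request that naxsi rejected should come back as 406 via /RequestDenied."""
    conn = HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    return resp.status, resp.getheaders()

# constructed sample responses, so the checks run without a network
SAMPLE_GOOD = [
    ("Server", "nginx"), ("Cache-Control", "no-store"),
    ("X-Frame-Options", "SAMEORIGIN"), ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-XSS-Protection", "1; mode=block"),
]
# constructed: the if block fired and the location-level headers were dropped
SAMPLE_IF_BRANCH = [("Server", "nginx"), ("Cache-Control", "no-store"), ("Cache-Control", "private")]
```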


concept and design: harshdevX