awesome-nginx-security/README.md

# awesome-nginx-security

A curated list of awesome links related to application/API security in NGINX environment.

## Talks

- [Let's Encrypt TLS for Every (video)](https://www.youtube.com/watch?v=ac4tE4_4nU0)
- [Behavior Based Security with Repsheet: Aaron Bedra @nginxconf 2014 (video)](https://www.youtube.com/watch?v=9AyaVxzqYoA)
- [Making applications secure with NGINX (video)](https://www.youtube.com/watch?v=rNNRGDAZeKY)
- [Scripting NGINX for Overload Protection (video)](https://www.youtube.com/watch?v=uFm-tp4t2mE)
- [Naxsi, a WAF for NGINX (video)](https://www.youtube.com/watch?v=JiJHCodn_PQ)

## Articles

- [Building a Security Shield for Your Applications with NGINX](https://www.nginx.com/blog/build-application-security-shield-with-nginx-wallarm)
- [Pitfalls and Common Security Mistakes in NGINX configuration](https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/)
- [Let's Encrypt & Nginx](https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/)
- [Installing the Nginx Plus with mod_security WAF](https://www.nginx.com/resources/admin-guide/nginx-plus-modsecurity-waf-installation-logging/)
- [CloudFlare's new WAF: compiling to Lua (based on Nginx)](https://blog.cloudflare.com/cloudflares-new-waf-compiling-to-lua/)
- [Tips to harden your nginx configuration](https://www.acunetix.com/blog/articles/nginx-server-security-hardening-configuration-1/#comment-16863)
- [How To Protect an Nginx Server with Fail2Ban on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04)
- [Important steps to take to make an Nginx server more secure](https://help.dreamhost.com/hc/en-us/articles/222784068-The-most-important-steps-to-take-to-make-an-Nginx-server-more-secure)

## Configuration

- [gixy](https://github.com/yandex/gixy/) - a tool to analyze Nginx configuration to prevent security misconfiguration
- [nginxconfig.io](https://nginxconfig.io) - [GitHub](https://github.com/valentinxxx/nginxconfig.io) - Online nginx configuration generator for general purposes.

## WAF for NGINX. Web Application Firewalls.

- [mod_security](https://github.com/SpiderLabs/ModSecurity-nginx) - mod_security for NGINX
- [naxsi](https://github.com/nbs-system/naxsi) - NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX.
- [NGINX 3rd Party Modules](https://www.nginx.com/resources/wiki/modules/) -  a list of third-party modules (including security-related) for NGINX and NGINX Plus, created and maintained by members of the NGINX community
- [wallarm](https://wallarm.com) - NG-WAF for NGINX and NGINX Plus with the security rules adjusted with AI


## Bot mitigation / Anti-scrapping / Account take-over prevention 

- [testcookie-nginx-module](https://github.com/kyprizel/testcookie-nginx-module) - Simple robot mitigation module using cookie based challenge/response technique 

## NGINX forks

- [SEnginx](https://github.com/NeusoftSecurity/SEnginx) - Security-Enhanced nginx
- [lua-resty-waf](https://github.com/p0pr0ck5/lua-resty-waf) - High-performance WAF built on the OpenResty stack

## Other

- [Secure nginx config. GIST](https://gist.github.com/plentz/6737338) - nginx configuration for improved security and performance
Update README.md 2017-09-05 16:29:48 -07:00			`# awesome-nginx-security`

Update README.md 2017-09-05 16:43:08 -07:00			`A curated list of awesome links related to application/API security in NGINX environment.`

Update README.md 2017-09-05 16:29:48 -07:00			`## Talks`

Update README.md 2017-09-14 19:12:24 -07:00			`- [Let's Encrypt TLS for Every (video)](https://www.youtube.com/watch?v=ac4tE4_4nU0)`
Update README.md 2017-09-05 16:54:58 -07:00			`- [Behavior Based Security with Repsheet: Aaron Bedra @nginxconf 2014 (video)](https://www.youtube.com/watch?v=9AyaVxzqYoA)`
Update README.md 2017-09-14 19:09:01 -07:00			`- [Making applications secure with NGINX (video)](https://www.youtube.com/watch?v=rNNRGDAZeKY)`
Update README.md 2017-09-14 19:10:55 -07:00			`- [Scripting NGINX for Overload Protection (video)](https://www.youtube.com/watch?v=uFm-tp4t2mE)`
Update README.md 2017-09-14 19:17:31 -07:00			`- [Naxsi, a WAF for NGINX (video)](https://www.youtube.com/watch?v=JiJHCodn_PQ)`
Update README.md 2017-09-05 16:43:08 -07:00
Update README.md 2017-09-05 17:05:30 -07:00			`## Articles`
Update README.md 2017-09-05 16:43:08 -07:00
Update README.md 2017-10-02 18:21:45 -07:00			`- [Building a Security Shield for Your Applications with NGINX](https://www.nginx.com/blog/build-application-security-shield-with-nginx-wallarm)`
			`- [Pitfalls and Common Security Mistakes in NGINX configuration](https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/)`
Update README.md 2017-09-05 16:54:58 -07:00			`- [Let's Encrypt & Nginx](https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/)`
			`- [Installing the Nginx Plus with mod_security WAF](https://www.nginx.com/resources/admin-guide/nginx-plus-modsecurity-waf-installation-logging/)`
Update README.md 2017-09-14 19:19:05 -07:00			`- [CloudFlare's new WAF: compiling to Lua (based on Nginx)](https://blog.cloudflare.com/cloudflares-new-waf-compiling-to-lua/)`
Update README.md 2017-09-14 19:33:39 -07:00			`- [Tips to harden your nginx configuration](https://www.acunetix.com/blog/articles/nginx-server-security-hardening-configuration-1/#comment-16863)`
Update README.md 2017-10-02 18:24:34 -07:00			`- [How To Protect an Nginx Server with Fail2Ban on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04)`
Update README.md 2017-09-14 19:34:03 -07:00			`- [Important steps to take to make an Nginx server more secure](https://help.dreamhost.com/hc/en-us/articles/222784068-The-most-important-steps-to-take-to-make-an-Nginx-server-more-secure)`
Update README.md 2017-09-14 19:07:16 -07:00
			`## Configuration`

			`- [gixy](https://github.com/yandex/gixy/) - a tool to analyze Nginx configuration to prevent security misconfiguration`
added nginxconfig.io 2018-02-19 13:23:29 +01:00			`- [nginxconfig.io](https://nginxconfig.io) - [GitHub](https://github.com/valentinxxx/nginxconfig.io) - Online nginx configuration generator for general purposes.`
Update README.md 2017-09-05 16:43:08 -07:00
Update README.md 2018-06-21 17:31:37 -07:00			`## WAF for NGINX. Web Application Firewalls.`
Update README.md 2017-09-05 17:10:44 -07:00
Update README.md 2017-09-05 17:12:12 -07:00			`- [mod_security](https://github.com/SpiderLabs/ModSecurity-nginx) - mod_security for NGINX`
Update README.md 2017-09-05 17:10:44 -07:00			`- [naxsi](https://github.com/nbs-system/naxsi) - NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX.`
Update README.md 2017-10-02 18:21:45 -07:00			`- [NGINX 3rd Party Modules](https://www.nginx.com/resources/wiki/modules/) - a list of third-party modules (including security-related) for NGINX and NGINX Plus, created and maintained by members of the NGINX community`
Update README.md 2018-06-21 17:31:37 -07:00			`- [wallarm](https://wallarm.com) - NG-WAF for NGINX and NGINX Plus with the security rules adjusted with AI`
Update README.md 2017-10-02 18:21:45 -07:00
Update README.md 2017-09-05 17:10:44 -07:00
Update README.md 2017-09-14 19:18:26 -07:00			`## Bot mitigation / Anti-scrapping / Account take-over prevention`
Update README.md 2017-09-14 19:07:16 -07:00
Update README.md 2017-09-05 17:05:14 -07:00			`- [testcookie-nginx-module](https://github.com/kyprizel/testcookie-nginx-module) - Simple robot mitigation module using cookie based challenge/response technique`
Update README.md 2017-09-14 19:07:16 -07:00
			`## NGINX forks`

			`- [SEnginx](https://github.com/NeusoftSecurity/SEnginx) - Security-Enhanced nginx`
			`- [lua-resty-waf](https://github.com/p0pr0ck5/lua-resty-waf) - High-performance WAF built on the OpenResty stack`
Update README.md 2017-09-14 19:33:39 -07:00
			`## Other`

			`- [Secure nginx config. GIST](https://gist.github.com/plentz/6737338) - nginx configuration for improved security and performance`