Security Hardening for StreamServer Nginx

StreamServer is not a complete system on its own: it is a component that must be integrated with other systems to form a complete inference service. You are advised to deploy Nginx as a reverse proxy in front of StreamServer, and to run Nginx as a dedicated non-root user (never as root). Enable Nginx logging so that both normal access and error requests are recorded. To keep log files from growing without bound, rotate and compress them periodically; if the rotated, compressed logs still take too much space, archive them to separate storage.

  1. Download and install Nginx, for example with the package manager on Ubuntu (command below) or from source. After installation, make sure the Nginx directories and files, the Nginx logs, and the Nginx PID file are owned by the non-root user that starts Nginx. Their permissions should not exceed 550 for directories and program files (read and execute only, so the running service cannot modify its own binaries) and 640 for the log and PID files (only the owner may write them).
    apt install nginx  # Debian/Ubuntu package install. Privileges are needed for the installation only; run the Nginx service itself as a non-root user.
    
  2. Create the Nginx configuration file shown below. Its permissions must not exceed 440 (read-only for owner and group), it should be owned by the user that starts Nginx, and the certificate and key files it references must themselves be mode 400.
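    # Single worker pinned to CPU 0; raise both values together on larger hosts.
    worker_processes 1;
    worker_cpu_affinity 0001;

    # Per-worker file-descriptor ceiling; must be >= worker_connections.
    worker_rlimit_nofile 4096;
    events {
        worker_connections 4096;
    }

    http {
        # Do not leak the internal port in redirects, the nginx version in
        # headers/error pages, or directory listings.
        port_in_redirect off;
        server_tokens off;
        autoindex off;

        # Access-log format: client, user, time, request line, status, bytes,
        # referrer, user agent, X-Forwarded-For chain and request time.
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" "$request_time"';

        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log info;

        # The key is the constant string "global", so ALL clients share one
        # bucket: 20 requests/s and 20 connections in total. Use
        # $binary_remote_addr as the key instead if per-client fairness is
        # needed.
        limit_req_zone global zone=req_zone:100m rate=20r/s;
        limit_conn_zone global zone=north_conn_zone:100m;

        server {
            listen 127.0.0.1:8081 ssl; # Address and port of the reverse proxy. Use the server's own IP address; do not leave the address empty, or nginx binds all interfaces.
            server_name localhost;

            # Response hardening headers. add_header is inherited by a location
            # only if that location sets no add_header of its own; neither
            # location below does, so these apply to every response.
            add_header Referrer-Policy "no-referrer";
            add_header X-XSS-Protection "1; mode=block"; # Legacy header: current browsers ignore it and OWASP now recommends "0"; keep only for old clients.
            add_header X-Frame-Options DENY;
            add_header X-Content-Type-Options nosniff;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; # No leading/trailing spaces inside the header value.
            add_header Content-Security-Policy "default-src 'self'";
            add_header Cache-control "no-cache, no-store, must-revalidate";
            add_header Pragma no-cache;
            add_header Expires 0;

            # Strip the backend's framework banner from proxied responses.
            # Set at server level so it applies to the proxied /v2 location;
            # it has no effect inside a location that does not proxy.
            proxy_hide_header X-Powered-By;

            # Session tickets off: the ticket key would otherwise be a
            # long-lived secret that weakens forward secrecy.
            ssl_session_tickets off;

            ssl_certificate     ${path_of_server_crt_1}; # Server certificate (permission: 400).
            ssl_certificate_key ${path_of_server_key_1}; # Server private key (permission: 400). Do not embed the key or its passphrase in this file; an encrypted key gets its passphrase via ssl_password_file.
            ssl_client_certificate ${path_of_ca_crt_1}; # Root CA used to verify client certificates (permission: 400).

            send_timeout 60;

            # Apply the shared rate/connection limits defined above.
            limit_req zone=req_zone burst=20 nodelay;
            limit_conn north_conn_zone 20;

            # Timeouts: short on the client side (slow-request protection), long
            # on the upstream read side because inference requests may run long.
            keepalive_timeout  60;
            proxy_read_timeout 900;
            proxy_connect_timeout   60;
            proxy_send_timeout      60;
            client_header_timeout   60;
            client_body_timeout 10;

            # Header/body buffer limits. Tune client_max_body_size to the largest
            # request payload the inference API must accept.
            client_header_buffer_size  2k;
            large_client_header_buffers 4 8k;
            client_body_buffer_size 16K;
            client_max_body_size 20m;

            # TLS: 1.2/1.3 only, ECDHE AEAD suites only (forward secrecy), and
            # the server chooses the suite. Exclusions use the OpenSSL ":"
            # separator.
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_prefer_server_ciphers on;
            ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";

            # Mutual TLS: every client must present a certificate chaining to
            # ssl_client_certificate. Depth 9 is generous; lower it to the real
            # chain length (typically 2-3) so unexpected sub-CAs are rejected.
            ssl_verify_client on;
            ssl_verify_depth 9;
            ssl_session_timeout 10s;
            ssl_session_cache shared:SSL:10m;

            # Catch-all: only OPTIONS and HEAD are accepted, every other method
            # gets 403. OPTIONS/HEAD are still served by the static-file handler
            # from the compiled-in default root; point `root` at an empty
            # directory or use `return 404;` if that is not wanted.
            location / {
                limit_except OPTIONS HEAD {
                    deny all;
                }
            }

            # Inference API, proxied to StreamServer over mutual TLS.
            location /v2 {
                # Source-IP allow-list: only the listed address may reach /v2.
                allow 127.0.0.1; # Set to the remote IP address(es) allowed to call the API.
                deny all;

                proxy_pass https://127.0.0.1:8080; # IP address and port configured in the StreamServer configuration file.

                # Certificate and key nginx presents to StreamServer as a TLS
                # client. The guide reuses the server.crt / server.key imported
                # into ${MX_SDK_HOME}/samples/mxVision/streamserver/keys with
                # certImport.sh (permission: 400 each).
                proxy_ssl_certificate     ${path_of_server_crt_2};
                proxy_ssl_certificate_key ${path_of_server_key_2};

                # Verify StreamServer's certificate against the root CA (ca.crt
                # from the same keys directory, permission: 400). Without
                # proxy_ssl_verify the trusted certificate is never consulted
                # and the upstream is not authenticated. The upstream
                # certificate must match the name nginx verifies, which
                # defaults to the host in proxy_pass (127.0.0.1); if it carries
                # a different name, set proxy_ssl_name to that name. Raise the
                # depth if the chain contains more than one intermediate.
                proxy_ssl_trusted_certificate ${path_of_ca_crt_2};
                proxy_ssl_verify on;
                proxy_ssl_verify_depth 2;

                proxy_ssl_session_reuse on;
                proxy_ssl_protocols TLSv1.2 TLSv1.3;
                proxy_ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
            }
        }
    }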
    
  3. Start Nginx with the -c option pointing to the configuration file, running as the non-root startup user. ${path_of_nginx_bin} is the path of the installed Nginx binary; it varies with the environment and installation mode. Run the same command with -t first to validate the configuration before starting. Note that a non-root user cannot bind ports below 1024 without extra privileges; the listen port in the configuration above (8081) is outside that range.
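    ${path_of_nginx_bin} -t -c ${path_of_nginx_config_file} # Validate first: reports syntax errors and unreadable certificate/key paths without starting anything.
    ${path_of_nginx_bin} -c ${path_of_nginx_config_file}    # Start Nginx with this configuration file, as the non-root startup user.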