Is it unsafe to publish your nginx configs?



  • I've recently started to automate a lot of my tasks for my private VPS. A significant part of working with this server is ensuring the nginx webserver, which handles a reverse proxy to multiple applications and a static website, is running and correctly configured.

    Though when working with complex configs or debugging problems, working only over bash+ssh has become a problem for me. It's also been a problem when just wanting to look at configs without actually connecting to the server, e.g. on the go with a phone.

    So I've decided to move my nginx configs to a private git repository and have them, tested in CI there first, deployed onto the server. This approach has solved a lot of problems and simplified the workflow. But I would now like to make this repository public to enable users to ensure for themselves what, e.g., access is being logged, as part of providing transparency over the usage/processing of their data.

    My question is then: How much risk do I take by publishing these configs and is there any part that should be censored?



  • IMO, there should be nothing in your nginx config that is secret. It should not directly contain credentials. There should not be any secret paths or secret headers or secret query params that bypass authentication. The filesystem path to your TLS private key is not useful to an attacker. The filesystem path of a basic auth password file is not useful to an attacker. Rewrites and redirects and log format should not be useful to an attacker.

    It might be that your config has some kind of bug that allows an attacker to attack your app (e.g. send http request headers that the app thinks are only set by nginx), and no attacker knew about it, but once they see your config they'll know and be able to attack your site/app. The bug was there already, but nobody knew. This is like open sourcing the app's source code - maybe someone will find bugs now that it is easier to inspect.

    So, it should be safe to publish your nginx config, but only if it was developed while knowing that it will be published, or reviewed before being published.
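    A pre-publication review check along the lines of this answer, added here as an example and not the poster's code: it flags credentials embedded in the config and proxy locations that pass client-supplied X-Real-IP / X-Forwarded-For through to the backend untouched, which is the kind of header-trust bug described above. The sample config, the header list and the secret patterns are constructed for the example.

```python
import re

# Headers an upstream application commonly trusts as "set only by nginx" (assumed list)
PROXY_HEADERS = ("X-Real-IP", "X-Forwarded-For")
# Patterns for credentials that must never appear in a published config (constructed)
SECRET_PATTERNS = [
    re.compile(r'proxy_set_header\s+Authorization\s+"?Basic\s+\S', re.I),
    re.compile(r'\b(password|secret|token)\s*[=:]\s*\S', re.I),
]

def review_config(text):
    """Return a list of (line_no, message) findings for an nginx config text."""
    findings = []
    stack = []  # one dict per open { } block: name, headers it sets, proxy_pass line
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        for pat in SECRET_PATTERNS:
            if pat.search(line):
                findings.append((n, "inline credential: " + line))
        if line.endswith("{"):
            stack.append({"name": line[:-1].strip(), "headers": set(), "proxy": None})
            continue
        if line == "}":
            blk = stack.pop()
            if blk["proxy"]:
                # proxy_set_header is inherited from an enclosing block only when
                # the location defines none of its own
                headers = blk["headers"] or next(
                    (b["headers"] for b in reversed(stack) if b["headers"]), set())
                for h in PROXY_HEADERS:
                    if h.lower() not in headers:
                        findings.append((blk["proxy"],
                                         f"{blk['name']}: {h} not overwritten before proxy_pass"))
            continue
        if not stack:
            continue
        m = re.match(r"proxy_set_header\s+(\S+)", line)
        if m:
            stack[-1]["headers"].add(m.group(1).lower())
        elif line.startswith("proxy_pass "):
            stack[-1]["proxy"] = n
    return findings

SAMPLE = """\
server {
    listen 443 ssl;
    ssl_certificate_key /etc/ssl/private/example.key;  # a path only, fine to publish
    location /app/ {
        proxy_pass http://127.0.0.1:8080;  # client-sent X-Real-IP reaches the backend as-is
    }
    location /api/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Authorization "Basic dXNlcjpwYXNz";  # constructed credential
        proxy_pass http://127.0.0.1:9000;
    }
}
"""
```

Running `review_config(SAMPLE)` reports the /app/ location twice (both headers missing) and the Authorization line; the key path is not reported, matching the answer's point that paths are not secrets.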

