BLOG // May 3, 2021
Securing and Protecting Production Strapi
Securing your Strapi instance takes a wide variety of forms, from simply using Nginx to proxy for it (and enable SSL) all the way up to running an intelligent application firewall in front of it. That's what I'm doing today! I'm going to be using a free community account from Snapt Nova.
I have a few reasons for this:
- I want to prevent zero-day SQL injection, XSS and RFI attacks on Strapi
- I want to prevent any DoS or abusive attacks
- I want additional monitoring, alerts, and graphs for my Strapi performance
- I want to run SSL for Strapi and automatically issue Let's Encrypt certificates
There are a bunch of other neat things I could enable, for example:
- Country based allow/deny
- IP based allow/deny to limit access to my sites
- The NovaSense threat network for botnets and DoS
- I could use Nova in the future to scale my Strapi to multiple servers
Setting Up Nova
Nova has a free community version which we will use for this entire setup. You need to register an account first. Then login to proceed with the steps below.
Step 1: Create your Node
Go to Nodes and Add a Node, I called mine Strapi but you can name it whatever you like. You'll receive installation instructions which we'll use later.
Step 2: Create a Backend
In this step we are going to define the Strapi backend, which is typically "127.0.0.1:1337". If you are using docker-compose it might be something like "strapi:1337", etc. It's the IP and port combination the Nova Node needs to use to speak to your Strapi install.
Go to Backends on Nova and Add a Simple backend, called "strapi-localhost". Enter a single upstream of 127.0.0.1:1337 (or whatever applies to your setup, as discussed above). You can see my example in the screenshot above.
Step 3: Create an ADC
Here is where we set up the real proxy for Strapi. We want to use Let's Encrypt, SSL and the WAF (application firewall), and we want to redirect port 80. Follow these instructions to create your ADC:
- Go to ADCs and add a new SSL termination ADC.
- Leave the defaults except for the notes below:
- Either provide an SSL certificate, or choose Let's Encrypt and enter a resolvable domain that points to the IP Nova will run on (your Strapi server) and accept the terms and conditions.
- Go to Listen and Backends and check your strapi-localhost backend is enabled
- Go to Performance and Security and under SSL enable Redirect HTTP to HTTPS
- Under Security enable WAF and Scanner Protection
- Save your ADC
At this point Nova will ask you to Attach the ADC. But our Node is not online yet, so we'll come back to this page.
Step 4: Installing the Nova Node
We need to install Nova onto our Strapi server. There are two ways of doing this. If you run Strapi directly on the system, without containers or docker-compose, just run the Docker installation command Nova suggested. It'll look like this:
sudo docker run --cap-add=NET_ADMIN --ulimit nofile=500000:500000 -d -t \
  --log-driver json-file --log-opt max-size=10m --log-opt max-file=3 \
  --network=host --restart=always \
  -v /var/run/docker.sock:/var/run/docker.sock -v /etc/nova:/etc/nova \
  -e NODE_ID='YOUR_NODE_ID' \
  -e NODE_KEY='YOUR_NODE_KEY' \
  -e NODE_HOST='poll.nova-adc.com' \
  --name=novac-host novaadc/nova-client:latest
If you have lost your NODE_ID and NODE_KEY, just go to Nodes on Nova and find them for your "Strapi" node.
Alternatively, if you are using docker-compose, this is what I put in my yaml file:
nova:
  image: novaadc/nova-client:hosted
  restart: always
  ports:
    - "80:80"
    - "443:443"
  environment:
    NODE_ID: 'YOUR_NODE_ID'
    NODE_KEY: 'YOUR_NODE_KEY'
    NODE_HOST: 'poll.nova-adc.com'
Bring it online and you will see Nova will detect the Node as connected.
Step 5: Attach your ADC
You can now go back to ADCs and Attach (or Deploy depending on the page) your ADC to your Node. It'll attach and show you any errors or a success message. At this stage you should be able to go to your server on port 443 and see your Strapi installation, protected by Nova.
Testing the Security
You can test whether the WAF is protecting your system by sending a basic file inclusion probe that Nova is sure to block: https://your.strapi.install.com/?test=/etc/passwd
You can see the block I receive when doing this:
I now know that Nova is protecting my server.
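The manual check above can be turned into a repeatable post-deployment test. The script below is an added example written for this article, not code from the post or from Snapt Nova. It assumes the hostname placeholder your.strapi.install.com, that Nova answers the blocked probe with a 4xx status, and that Strapi should only ever be reached through Nova. That last point matters with the --network=host installation: Strapi listens on 0.0.0.0:1337 by default, so if nothing firewalls that port a client can talk to Strapi directly and skip the WAF entirely; the final check catches that.

```python
"""Post-deployment check for a Strapi instance behind Nova (added example).

Against your own host it checks:
  1. plain HTTP answers with a redirect (the Redirect HTTP to HTTPS setting)
  2. HTTPS serves Strapi (2xx/3xx)
  3. the file-inclusion probe from the post is blocked by the WAF (4xx)
  4. port 1337 is NOT reachable from outside, otherwise Nova can be bypassed
"""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

PROBE = "/?test=/etc/passwd"  # the same request the post uses to test the WAF
HOST = "your.strapi.install.com"  # placeholder, replace with your domain


@dataclass
class Observation:
    http_status: int      # status of http://host/   (0 = no answer)
    https_status: int     # status of https://host/
    probe_status: int     # status of https://host/?test=/etc/passwd
    port_1337_open: bool  # could we TCP-connect to host:1337 from outside?


def fetch_status(url: str, timeout: float = 10.0) -> int:
    """Return the HTTP status for url without following redirects; 0 if no answer."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # do not follow: we want to observe the 301/302 itself

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # redirects and WAF blocks (403) arrive here
    except (urllib.error.URLError, OSError):
        return 0


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds from where this runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def observe(host: str) -> Observation:
    """Collect the four observations for host (network access required)."""
    return Observation(
        http_status=fetch_status(f"http://{host}/"),
        https_status=fetch_status(f"https://{host}/"),
        probe_status=fetch_status(f"https://{host}{PROBE}"),
        port_1337_open=port_open(host, 1337),
    )


def evaluate(obs: Observation) -> list:
    """Return human-readable problems; an empty list means the setup looks right."""
    problems = []
    if obs.http_status not in (301, 302, 307, 308):
        problems.append(f"port 80 answered {obs.http_status}, expected a redirect to HTTPS")
    if not 200 <= obs.https_status < 400:
        problems.append(f"HTTPS answered {obs.https_status}, Strapi is not being served")
    if not 400 <= obs.probe_status < 500:
        problems.append(f"WAF probe answered {obs.probe_status}, expected the WAF to block it")
    if obs.port_1337_open:
        problems.append("port 1337 is reachable from outside: Strapi can be reached without Nova")
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else HOST
    findings = evaluate(observe(target))
    print("OK: Nova is in front of Strapi" if not findings else "\n".join(findings))
```

Run it from a machine outside your server (for example `python3 check_nova.py your.strapi.install.com`); run from the server itself, the port 1337 check would succeed trivially over the loopback interface and tell you nothing.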
Step 6: Change some WAF Settings
By default the Nova WAF will block argument values over 500 characters. For Strapi that's too short. Go to WAF -> Global Settings on Nova and change the following settings:
- Max Arg Name Length => 500
- Max Arg Value Length => 5000
In my experience these work well.
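To see why the 500-character default is a problem for Strapi, and to check a request before the WAF rejects it in production, here is an added example (mine, not from the post or from Snapt Nova). It measures every argument of a request the way a per-parameter length rule would and reports which ones exceed a given name and value limit. It assumes the WAF checks each query-string and form parameter's name and value length independently; treating top-level JSON body fields as arguments too is an assumption made here, since the post does not say how Nova inspects JSON bodies. The sample requests are constructed, not captured traffic.

```python
"""Which arguments of a Strapi request exceed the WAF length limits? (added example)"""
import json
from urllib.parse import parse_qsl, urlsplit


def _flatten(obj, prefix=""):
    """Yield (dotted_name, string_value) for every leaf of a JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _flatten(value, f"{prefix}[{index}]")
    else:
        yield prefix, "" if obj is None else str(obj)


def arguments(url: str, body: str = "", content_type: str = "") -> list:
    """Return (source, name, value) for every argument in the request."""
    args = [("query", n, v) for n, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if content_type.startswith("application/x-www-form-urlencoded"):
        args += [("body", n, v) for n, v in parse_qsl(body, keep_blank_values=True)]
    elif content_type.startswith("application/json") and body:
        # Assumption: JSON fields are inspected as individual arguments.
        args += [("json", n, v) for n, v in _flatten(json.loads(body))]
    return args


def violations(url: str, body: str = "", content_type: str = "",
               max_name: int = 500, max_value: int = 500) -> list:
    """Arguments exceeding the limits, as (source, name, name_len, value_len).

    The defaults mirror the post: the value limit starts at 500; the post does
    not state the default name limit, so 500 is assumed here.
    """
    return [
        (source, name, len(name), len(value))
        for source, name, value in arguments(url, body, content_type)
        if len(name) > max_name or len(value) > max_value
    ]


# Constructed sample requests (not captured traffic).
# A Strapi v3 style filter whose value decodes to 540 characters:
LONG_FILTER = "https://your.strapi.install.com/articles?_where[content_contains]=" + "lorem%20" * 90
# Creating an article whose rich-text field is 1507 characters long:
ARTICLE_POST = json.dumps({"title": "Hello", "content": "<p>" + "word " * 300 + "</p>"})


def report(max_name: int = 500, max_value: int = 500) -> dict:
    """Run both samples against one pair of limits; keys name the sample."""
    return {
        "long_filter": violations(LONG_FILTER, max_name=max_name, max_value=max_value),
        "article_post": violations("https://your.strapi.install.com/articles", ARTICLE_POST,
                                   "application/json", max_name=max_name, max_value=max_value),
    }


if __name__ == "__main__":
    for label, limits in (("defaults", (500, 500)), ("post's settings", (500, 5000))):
        print(f"== {label}: max name {limits[0]}, max value {limits[1]}")
        for sample, hits in report(*limits).items():
            for source, name, name_len, value_len in hits:
                print(f"  {sample}: {source} arg {name!r} name={name_len} value={value_len} chars -> blocked")
            if not hits:
                print(f"  {sample}: passes")
```

Under the default limits both samples are flagged (the filter value is 540 characters, the rich-text field 1507), and under the post's 500/5000 settings both pass, which is the behaviour you want to confirm before users start saving long content through the admin panel.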
Using Nova and Reports/Monitoring
There are a bunch of other cool things you can do now, so feel free to browse around Nova. In particular I found a few things I really liked.
- See your live ADC stats and requests
- See which IPs are connected to your Strapi install
- Use Nova Vision to monitor performance
- Use the Threat Center to see your health
This is a great setup: it gives me a lot of analytics and insight, it protects my installation from DoS, abuse and hackers, and it provides SSL encryption for Strapi, all for free. Sign up for Nova to give it a try.