1
0
mirror of https://github.com/dev-sec/ansible-nginx-hardening.git synced 2024-11-22 15:32:01 +01:00
This Ansible role provides secure nginx configurations.
Go to file
Sebastian Gumprich 1b9dcf16cf first commit
2016-07-26 12:28:52 +02:00
defaults first commit 2016-07-26 12:28:52 +02:00
handlers first commit 2016-07-26 12:28:52 +02:00
meta first commit 2016-07-26 12:28:52 +02:00
spec first commit 2016-07-26 12:28:52 +02:00
tasks first commit 2016-07-26 12:28:52 +02:00
templates first commit 2016-07-26 12:28:52 +02:00
vars first commit 2016-07-26 12:28:52 +02:00
.gitignore first commit 2016-07-26 12:28:52 +02:00
.kitchen.vagrant.yml first commit 2016-07-26 12:28:52 +02:00
.kitchen.yml first commit 2016-07-26 12:28:52 +02:00
.travis.yml first commit 2016-07-26 12:28:52 +02:00
CHANGELOG.md first commit 2016-07-26 12:28:52 +02:00
CONTRIBUTING.md first commit 2016-07-26 12:28:52 +02:00
default.yml first commit 2016-07-26 12:28:52 +02:00
Gemfile first commit 2016-07-26 12:28:52 +02:00
Rakefile first commit 2016-07-26 12:28:52 +02:00
README.md first commit 2016-07-26 12:28:52 +02:00
requirements.yml first commit 2016-07-26 12:28:52 +02:00
Thorfile first commit 2016-07-26 12:28:52 +02:00

nginx-hardening (Ansible Role)

Build Status Gitter Chat Ansible Galaxy

Description

This role provides secure nginx configuration.

Requirements

  • Ansible

Role Variables

Name Default Value Description
nginx_client_body_buffer_size 1k Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.
nginx_remove_default_site true Disables the default site. Set to false to enable the default site in nginx.
nginx_client_max_body_size 1k Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.
nginx_keepalive_timeout 5 5 The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field.
nginx_server_tokens off Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header.
nginx_more_clear_headers [ "Server", "X-Powered-By" ]
nginx_client_header_buffer_size 1k
nginx_large_client_header_buffers 2 1k
nginx_client_body_timeout 10
nginx_client_header_timeout 10
nginx_send_timeout 10
nginx_limit_conn_zone $binary_remote_addr zone=default:10m
nginx_limit_conn default 5
nginx_add_header [ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"" ]
nginx_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 Specifies the SSL protocol which should be used.
nginx_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA Specifies the TLS ciphers which should be used.
nginx_ssl_prefer_server_ciphers on Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
nginx_dh-size 2048 Specifies the length of DH parameters for EDH ciphers.

Example Playbook

- hosts: localhost
  roles:
    - dev-sec.nginx-hardening

Local Testing

The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See Get started for a Docker package suitable to for your system.

You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See Vagrant Downloads for a vagrant package suitable for your system. For all our tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.

Next install test-kitchen:

# Install dependencies
gem install bundler
bundle install

Testing with Docker

# fast test on one machine
bundle exec kitchen test default-ubuntu-1204

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-ubuntu-1204
bundle exec kitchen converge default-ubuntu-1204

Testing with Virtualbox

# fast test on one machine
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1204

# test on all machines
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test

# for development
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1204
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1204

For more information see test-kitchen

Contributing

See contributor guideline.

License and Author

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.