mirror of
https://github.com/dev-sec/ansible-nginx-hardening.git
synced 2024-05-23 09:06:11 +02:00
68 lines
2.1 KiB
YAML
68 lines
2.1 KiB
YAML
---
|
|
- name: config should not be worldwide read- or writeable
|
|
file:
|
|
path: "/etc/nginx"
|
|
mode: "o-rw"
|
|
owner: "root"
|
|
group: "root"
|
|
recurse: yes
|
|
|
|
- name: create additional configuration
|
|
template:
|
|
src: "hardening.conf.j2"
|
|
dest: "{{ nginx_config_conf_dir }}/90.hardening.conf"
|
|
owner: "root"
|
|
group: "root"
|
|
notify: reload nginx
|
|
|
|
- name: change configuration in main nginx.conf
|
|
lineinfile:
|
|
dest: "/etc/nginx/nginx.conf"
|
|
regexp: "^\\s*server_tokens"
|
|
line: "server_tokens {{ nginx_server_tokens }};"
|
|
insertafter: "http {"
|
|
notify: reload nginx
|
|
|
|
- name: change ssl_protocols in main nginx.conf
|
|
lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*ssl_protocols" line="ssl_protocols {{nginx_ssl_protocols}};" insertafter="http {"
|
|
notify: reload nginx
|
|
|
|
- name: change ssl_prefer_server_ciphers in main nginx.conf
|
|
lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*ssl_prefer_server_ciphers" line="ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}};" insertafter="http {"
|
|
notify: reload nginx
|
|
|
|
- name: change client_max_body_size in main nginx.conf
|
|
lineinfile:
|
|
dest: "/etc/nginx/nginx.conf"
|
|
regexp: "^\\s*client_max_body_size"
|
|
line: "client_max_body_size {{ nginx_client_max_body_size }};"
|
|
insertafter: "http {"
|
|
notify: reload nginx
|
|
|
|
- name: change client_body_buffer_size in main nginx.conf
|
|
lineinfile:
|
|
dest: "/etc/nginx/nginx.conf"
|
|
regexp: "^\\s*client_body_buffer_size"
|
|
line: "client_body_buffer_size {{ nginx_client_body_buffer_size }};"
|
|
insertafter: "http {"
|
|
notify: reload nginx
|
|
|
|
- name: change keepalive_timeout in main nginx.conf
|
|
lineinfile:
|
|
dest: "/etc/nginx/nginx.conf"
|
|
regexp: "^\\s*keepalive_timeout"
|
|
line: "keepalive_timeout {{ nginx_keepalive_timeout }};"
|
|
insertafter: "http {"
|
|
notify: reload nginx
|
|
|
|
- name: remove default.conf
|
|
file:
|
|
path: "{{ nginx_default_conf }}"
|
|
state: absent
|
|
when: nginx_remove_default_site
|
|
notify: reload nginx
|
|
|
|
- name: generate dh group
|
|
command: openssl dhparam -out {{ nginx_dh_param }} {{ nginx_dh_size }} creates={{ nginx_dh_param }}
|
|
notify: reload nginx
|