mirror/ ansible-nginx-hardening
1
0
Fork 0
mirror of https://github.com/dev-sec/ansible-nginx-hardening.git synced 2024-05-23 09:06:11 +02:00
Code Issues Releases Activity
ansible-nginx-hardening/tasks/main.yml
2018-09-08 14:58:36 +02:00

68 lines
2.1 KiB
YAML
Raw Blame History

---
- name: config should not be worldwide read- or writeable
file:
path: "/etc/nginx"
mode: "o-rw"
owner: "root"
group: "root"
recurse: yes
- name: create additional configuration
template:
src: "hardening.conf.j2"
dest: "{{ nginx_config_conf_dir }}/90.hardening.conf"
owner: "root"
group: "root"
notify: reload nginx
- name: change configuration in main nginx.conf
lineinfile:
dest: "/etc/nginx/nginx.conf"
regexp: "^\\s*server_tokens"
line: "server_tokens {{ nginx_server_tokens }};"
insertafter: "http {"
notify: reload nginx
- name: change ssl_protocols in main nginx.conf
lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*ssl_protocols" line="ssl_protocols {{nginx_ssl_protocols}};" insertafter="http {"
notify: reload nginx
- name: change ssl_prefer_server_ciphers in main nginx.conf
lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*ssl_prefer_server_ciphers" line="ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}};" insertafter="http {"
notify: reload nginx
- name: change client_max_body_size in main nginx.conf
lineinfile:
dest: "/etc/nginx/nginx.conf"
regexp: "^\\s*client_max_body_size"
line: "client_max_body_size {{ nginx_client_max_body_size }};"
insertafter: "http {"
notify: reload nginx
- name: change client_body_buffer_size in main nginx.conf
lineinfile:
dest: "/etc/nginx/nginx.conf"
regexp: "^\\s*client_body_buffer_size"
line: "client_body_buffer_size {{ nginx_client_body_buffer_size }};"
insertafter: "http {"
notify: reload nginx
- name: change keepalive_timeout in main nginx.conf
lineinfile:
dest: "/etc/nginx/nginx.conf"
regexp: "^\\s*keepalive_timeout"
line: "keepalive_timeout {{ nginx_keepalive_timeout }};"
insertafter: "http {"
notify: reload nginx
- name: remove default.conf
file:
path: "{{ nginx_default_conf }}"
state: absent
when: nginx_remove_default_site
notify: reload nginx
- name: generate dh group
command: openssl dhparam -out {{ nginx_dh_param }} {{ nginx_dh_size }} creates={{ nginx_dh_param }}
notify: reload nginx
View Git Blame Copy Permalink