dev-sec.nginx-hardening

nginx-hardening (Ansible Role)

Note: This role has moved to our new hardening collection:

Requirements

  • Ansible version 2.5 or higher

Role Variables

  • nginx_client_body_buffer_size

    • Default: 1k
    • Description: Sets the buffer size for reading the client's request body. If the request body exceeds this size, it may be saved to a temporary file.
  • nginx_remove_default_site

    • Default: true
    • Description: Disables the default website. Set to false to keep the default site enabled in nginx.
  • nginx_client_max_body_size

    • Default: 1k
    • Description: Sets the maximum allowed size for the client's request body. If the request exceeds this size, a 413 error (Request Entity Too Large) is sent back.
  • nginx_keepalive_timeout

    • Default: 5 5
    • Description: Specifies the duration for which a keep-alive client connection remains open. A value of 0 disables keep-alives. The second parameter is used in the “Keep-Alive: timeout=time” response header.
  • nginx_server_tokens

    • Default: off
    • Description: Hides the nginx version in error messages and the "Server" response header. Set to on to show the version.
  • nginx_client_header_buffer_size

    • Default: 1k
    • Description: Sets the buffer size for reading the client's request header. 1K is usually sufficient.
  • nginx_large_client_header_buffers

    • Default: 2 1k
    • Description: Sets the maximum number and size of buffers for reading large client request headers.
  • nginx_client_body_timeout

    • Default: 10
    • Description: Defines a timeout for reading the client's request body.
  • nginx_client_header_timeout

    • Default: 10
    • Description: Defines a timeout for reading the client's request header.
  • nginx_send_timeout

    • Default: 10
    • Description: Sets a timeout for sending a response back to the client.
  • nginx_limit_conn_zone

    • Default: $binary_remote_addr zone=default:10m
    • Description: Configures a shared memory zone to track different connection states.
  • nginx_limit_conn

    • Default: default 5
    • Description: Sets the maximum allowed number of connections for a specific key value.
  • nginx_add_header

    • Default: [ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"" ]
    • Description: Adds specified headers to the response when the status code is 200, 201, 204, 206, 301, 302, 303, 304, or 307.
  • nginx_ssl_protocols

    • Default: TLSv1.2
    • Description: Specifies the SSL protocols to be used.
  • nginx_ssl_ciphers

    • Default: Check defaults.yml
    • Description: Specifies the TLS ciphers to be used.
  • nginx_ssl_prefer_server_ciphers

    • Default: on
    • Description: Indicates that the server's ciphers should be prioritized over the client's when using TLS. Set to false to disable.
  • nginx_dh_size

    • Default: 2048
    • Description: Defines the length of DH parameters for EDH ciphers.

Installation

Install the role using ansible-galaxy:

ansible-galaxy install dev-sec.nginx-hardening

Example Playbook

- hosts: localhost
  roles:
    - dev-sec.nginx-hardening

Local Testing

For local testing, the best option is to use Docker. Make sure to have Docker installed. Visit Get Started for installation instructions.

You can also use Vagrant with VirtualBox or VMware for local tests. Install VirtualBox and Vagrant first. Check out Vagrant Downloads for the right package. We use test-kitchen for all tests. If you're new to test-kitchen, refer to their guide.

To install test-kitchen, run:

# Install dependencies
gem install bundler
bundle install

Testing with Docker

# Quick test on one machine
bundle exec kitchen test default-ubuntu-1204

# Test on all machines
bundle exec kitchen test

# For development
bundle exec kitchen create default-ubuntu-1204
bundle exec kitchen converge default-ubuntu-1204

Testing with VirtualBox

# Quick test on one machine
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test nginx-ansible-19-ubuntu-1404

# Test on all machines
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test

# For development
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create nginx-ansible-19-ubuntu-1404
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge nginx-ansible-19-ubuntu-1404

For more info, check test-kitchen.

Contributing

Please follow the contributor guideline.

License and Author

  • Author: Sebastian Gumprich

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You can get a copy of the License at:

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" basis, without warranties or conditions of any kind. Refer to the License for the specific language governing permissions and limitations.

Project information

This Ansible role provides secure nginx configurations. http://dev-sec.io/

License
Unknown
Downloads
40.8k
Owner
Security + DevOps: Automatic Server Hardening