# devsec.nginx_hardening

![devsec.nginx_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.nginx_hardening/badge.svg)

## Description

This role provides a secure nginx configuration. It is intended to be compliant with the [DevSec Nginx Baseline](https://github.com/dev-sec/nginx-baseline).

It works with the following nginx roles, including, but not limited to:

- [geerlingguy.nginx](https://galaxy.ansible.com/geerlingguy/nginx/)
- [nginxinc.nginx](https://galaxy.ansible.com/nginxinc/nginx)
- [jdauphant.nginx](https://galaxy.ansible.com/jdauphant/nginx/)
- [franklinkim.nginx](https://galaxy.ansible.com/franklinkim/nginx/)

**NOTE: This role does not work with nginx 1.0.15 or older! Please use the latest version from the official nginx repositories!**

## Requirements

- Ansible >= 2.9

## Role Variables

- [nginx_client_body_buffer_size][]
  - Default: `1k`
  - Description: Sets the buffer size for reading the client request body. If the request body is larger than the buffer, the whole body or only part of it is written to a temporary file.
- nginx_remove_default_site
  - Default: `true`
  - Description: Disables the default site. Set to `false` to keep the default site enabled in nginx.
- [nginx_client_max_body_size][]
  - Default: `1k`
  - Description: Sets the maximum allowed size of the client request body, as specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.
- [nginx_keepalive_timeout][]
  - Default: `5 5`
  - Description: The first parameter sets a timeout during which a keep-alive client connection stays open on the server side. The value zero disables keep-alive client connections. The optional second parameter sets the value in the "Keep-Alive: timeout=time" response header field.
- [nginx_server_tokens][]
  - Default: `off`
  - Description: Disables emitting the nginx version in error messages and in the "Server" response header field. Set to `on` to include the nginx version in error messages and the "Server" response header.
- [nginx_client_header_buffer_size][]
  - Default: `1k`
  - Description: Sets the buffer size for reading the client request header. For most requests, a buffer of 1K bytes is enough.
- [nginx_large_client_header_buffers][]
  - Default: `2 1k`
  - Description: Sets the maximum number and size of buffers used for reading a large client request header.
- [nginx_client_body_timeout][]
  - Default: `10`
  - Description: Defines a timeout for reading the client request body.
- [nginx_client_header_timeout][]
  - Default: `10`
  - Description: Defines a timeout for reading the client request header.
- [nginx_send_timeout][]
  - Default: `10`
  - Description: Sets a timeout for transmitting a response to the client.
- [nginx_limit_conn_zone][]
  - Default: `$binary_remote_addr zone=default:10m`
  - Description: Sets the parameters for a shared memory zone that keeps state for various keys.
- [nginx_limit_conn][]
  - Default: `default 5`
  - Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value.
- [nginx_add_header][]
  - Default: `[ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"", "Content-Security-Policy \"script-src 'self'; object-src 'self'\"" ]`
  - Description: Adds the specified field to a response header, provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
- [nginx_ssl_protocols][]
  - Default: `TLSv1.2`
  - Description: Specifies the SSL/TLS protocol versions that should be used.
- [nginx_ssl_ciphers][]
  - Default: _see defaults.yml_
  - Description: Specifies the TLS ciphers that should be used.
- [nginx_ssl_prefer_server_ciphers][]
  - Default: `on`
  - Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
- [nginx_dh_size][]
  - Default: `2048`
  - Description: Specifies the length of the DH parameters for EDH ciphers.
## Example Playbook

```yaml
- hosts: localhost
  collections:
    - devsec.hardening
  roles:
    - nginx_hardening
```

[nginx_client_body_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
[nginx_client_max_body_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
[nginx_keepalive_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
[nginx_server_tokens]: http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
[nginx_more_clear_headers]: http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
[nginx_client_header_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
[nginx_large_client_header_buffers]: http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
[nginx_client_body_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout
[nginx_client_header_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout
[nginx_send_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
[nginx_limit_conn_zone]: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone
[nginx_limit_conn]: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn
[nginx_add_header]: http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
[nginx_ssl_protocols]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
[nginx_ssl_ciphers]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
[nginx_ssl_prefer_server_ciphers]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
[nginx_dh_size]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
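The minimal playbook above applies the role with its defaults. The playbook below is an added example, not part of the dev-sec project, showing how the role variables documented above are overridden for a site that must accept larger uploads while keeping the hardened header set. The host group `webservers`, the 8 MB body limit, the added HSTS header, the TLSv1.3 addition and the 4096-bit DH size are assumptions for this example; they are not role defaults, and the `nginx -t` post-task assumes the nginx binary is on the target's PATH.

```yaml
# Added example (not the dev-sec project's own playbook): apply
# devsec.hardening's nginx_hardening role with site-specific overrides.
- hosts: webservers            # assumed inventory group
  become: true
  collections:
    - devsec.hardening
  vars:
    # Role default is already true; stated explicitly so the intent is visible.
    nginx_remove_default_site: true

    # Role default is 1k, which rejects almost every POST body with a 413.
    # Raise it only as far as the application needs (8m is an assumed value).
    nginx_client_max_body_size: 8m

    # Overriding nginx_add_header replaces the whole list, so the role's
    # default headers are repeated here and HSTS is appended (assumed addition).
    nginx_add_header:
      - "X-Frame-Options SAMEORIGIN"
      - "X-Content-Type-Options nosniff"
      - "X-XSS-Protection \"1; mode=block\""
      - "Content-Security-Policy \"script-src 'self'; object-src 'self'\""
      - "Strict-Transport-Security \"max-age=31536000; includeSubDomains\""

    # Role default is TLSv1.2 only; TLSv1.3 is added on the assumption that
    # the installed nginx/OpenSSL build supports it.
    nginx_ssl_protocols: "TLSv1.2 TLSv1.3"

    # Role default is 2048; a larger DH group costs CPU at handshake time.
    nginx_dh_size: 4096

    # Keep the role's connection limit per client address (role defaults),
    # shown here so the zone name and the limit stay visibly paired.
    nginx_limit_conn_zone: "$binary_remote_addr zone=default:10m"
    nginx_limit_conn: "default 5"

  roles:
    - nginx_hardening

  post_tasks:
    # Fail the run if the rendered configuration does not parse.
    - name: Validate nginx configuration after hardening
      ansible.builtin.command: nginx -t
      changed_when: false
```

Because `nginx_add_header` is a list that is replaced rather than merged, dropping any of the four default entries when you override it silently removes that protection; copying the defaults first and appending is the safe pattern. After the play runs, the role's `server_tokens off` default can be confirmed from a client by checking that the `Server` response header carries no version string.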