mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
bb588bd777
* linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * change line length issues Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * replace yes with true in tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add exception for task Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove trailing whitespace * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> |
||
|---|---|---|
| .. | ||
| defaults | ||
| handlers | ||
| meta | ||
| tasks | ||
| templates | ||
| CHANGELOG.md | ||
| README.md | ||
devsec.nginx_hardening
Description
This role provides secure nginx configuration. It is intended to be compliant with the DevSec Nginx Baseline.
It works with the following nginx-roles, including, but not limited to:
NOTE: This role does not work with nginx 1.0.15 or older! Please use the latest version from the official nginx repositories!
Requirements
- Ansible >= 2.9
Role Variables
- nginx_client_body_buffer_size
- Default:
1k - Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.
- Default:
- nginx_remove_default_site
- Default:
true - Description: Disables the default site. Set to false to enable the default site in nginx.
- Default:
- nginx_client_max_body_size
- Default:
1k - Description: Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 41 3 (Request Entity Too Large) error is returned to the client.
- Default:
- nginx_keepalive_timeout
- Default:
5 5 - Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The op tional second parameter sets a value in the “Keep-Alive: timeout=time” response header field.
- Default:
- nginx_server_tokens
- Default:
off - Description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response head er.
- Default:
- nginx_client_header_buffer_size
- Default:
1k - Description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough.
- Default:
- nginx_large_client_header_buffers
- Default:
2 1k - Description: Sets the maximum number and size of buffers used for reading large client request header.
- Default:
- nginx_client_body_timeout
- Default:
10 - Description: Defines a timeout for reading client request body.
- Default:
- nginx_client_header_timeout
- Default:
10 - Description: Defines a timeout for reading client request header.
- Default:
- nginx_send_timeout
- Default:
10 - Description: Sets a timeout for transmitting a response to the client.
- Default:
- nginx_limit_conn_zone
- Default:
$binary_remote_addr zone=default:10m - Description: Sets parameters for a shared memory zone that will keep states for various keys.
- Default:
- nginx_limit_conn
- Default:
default 5 - Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value.
- Default:
- nginx_add_header
- Default:
[ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"", Content-Security-Policy \"script-src 'self'; object-src 'self'\" ] - Description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
- Default:
- nginx_ssl_protocols
- Default:
TLSv1.2 - Description: Specifies the SSL protocol which should be used.
- Default:
- nginx_ssl_ciphers
- Default: see defaults.yml
- Description: Specifies the TLS ciphers which should be used.
- nginx_ssl_prefer_server_ciphers
- Default:
on - Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
- Default:
- nginx_dh_size
- Default:
2048 - Description: Specifies the length of DH parameters for EDH ciphers.
- Default:
- [nginx_configuration_dir][]
- default: "/etc/nginx"
- Description: The main location for all nginx configuration files
- [nginx_configuration_hardening_dir][]
- default: "/etc/nginx"
- Description: The location for the nginx hardening configuration file (Could be different e.g. when used in jails)
- [nginx_owner_user][]
- default: "root"
- Description: The owner user of the nginx configuration files
- [nginx_owner_group][]
- default: "root"
- Description: The owner group of the nginx configuration files
Example Playbook
- hosts: localhost
collections:
- devsec.hardening
roles:
- nginx_hardening