ansible-collection-hardening/roles/nginx_hardening/README.md
schurzi 8e4c22d8d9
remove FQCN from roles in examples (#404)
Ansible does not work with FQCN and collections specified for including
roles. It is currently expecting to only get the role name in this
context.

Verified with Ansible 2.10.5

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-17 11:34:37 +01:00


devsec.nginx_hardening


Description

This role provides secure nginx configuration. It is intended to be compliant with the DevSec Nginx Baseline.

It works with the following nginx-roles, including, but not limited to:

NOTE: This role does not work with nginx 1.0.15 or older! Please use the latest version from the official nginx repositories!

Requirements

  • Ansible >= 2.9

Role Variables

  • nginx_client_body_buffer_size
    • Default: 1k
    • Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.
  • nginx_remove_default_site
    • Default: true
    • Description: Disables the default site. Set to false to enable the default site in nginx.
  • nginx_client_max_body_size
    • Default: 1k
    • Description: Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.
  • nginx_keepalive_timeout
    • Default: 5 5
    • Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field.
  • nginx_server_tokens
    • Default: off
    • Description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header.
  • nginx_client_header_buffer_size
    • Default: 1k
    • Description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough.
  • nginx_large_client_header_buffers
    • Default: 2 1k
    • Description: Sets the maximum number and size of buffers used for reading large client request header.
  • nginx_client_body_timeout
    • Default: 10
    • Description: Defines a timeout for reading client request body.
  • nginx_client_header_timeout
    • Default: 10
    • Description: Defines a timeout for reading client request header.
  • nginx_send_timeout
    • Default: 10
    • Description: Sets a timeout for transmitting a response to the client.
  • nginx_limit_conn_zone
    • Default: $binary_remote_addr zone=default:10m
    • Description: Sets parameters for a shared memory zone that will keep states for various keys.
  • nginx_limit_conn
    • Default: default 5
    • Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value.
  • nginx_add_header
    • Default: [ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"" ]
    • Description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
  • nginx_ssl_protocols
    • Default: TLSv1.2
    • Description: Specifies the SSL protocol which should be used.
  • nginx_ssl_ciphers
    • Default: see defaults.yml
    • Description: Specifies the TLS ciphers which should be used.
  • nginx_ssl_prefer_server_ciphers
    • Default: on
    • Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
  • nginx_dh_size
    • Default: 2048
    • Description: Specifies the length of DH parameters for EDH ciphers.
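To see what the variables above amount to in a running nginx configuration, here is an added example (not code from the DevSec collection) that scans an nginx configuration for the directives these variables control and reports every deviation from the role defaults listed above. Both configurations inside it are constructed samples; the expected values are the defaults from this README, and the scan is flat (it does not model http/server/location nesting), so it is a quick baseline check rather than a full nginx parser.

```python
"""Audit an nginx configuration against the devsec.nginx_hardening defaults.

Added example, not part of the DevSec collection. EXPECTED and
EXPECTED_HEADERS mirror the role variable defaults documented above;
WEAK_CONF and HARDENED_CONF are constructed samples.
"""
from __future__ import annotations

import re

# Directive -> value the role sets (taken from the defaults listed above).
EXPECTED = {
    "server_tokens": "off",
    "client_body_buffer_size": "1k",
    "client_max_body_size": "1k",
    "client_header_buffer_size": "1k",
    "large_client_header_buffers": "2 1k",
    "keepalive_timeout": "5 5",
    "client_body_timeout": "10",
    "client_header_timeout": "10",
    "send_timeout": "10",
    "limit_conn_zone": "$binary_remote_addr zone=default:10m",
    "limit_conn": "default 5",
    "ssl_protocols": "TLSv1.2",
    "ssl_prefer_server_ciphers": "on",
}

# Response headers from the nginx_add_header default, header name -> value.
EXPECTED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": '"1; mode=block"',
}

# A simple `name arguments;` directive on one line. The non-greedy group plus
# the anchored trailing `;` keeps a quoted `;` (as in "1; mode=block") intact.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*$")


def parse_directives(conf: str) -> dict[str, list[str]]:
    """Collect directives that take arguments, ignoring comments and block
    openers/closers. Repeated directives (e.g. add_header) keep every value."""
    found: dict[str, list[str]] = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        match = DIRECTIVE_RE.match(line)
        if match:
            found.setdefault(match.group(1), []).append(match.group(2))
    return found


def audit(conf: str) -> list[str]:
    """Return one finding per missing or deviating directive; [] means the
    configuration matches the baseline defaults."""
    found = parse_directives(conf)
    findings: list[str] = []
    for name, want in EXPECTED.items():
        values = found.get(name)
        if values is None:
            findings.append(f"{name}: missing (baseline: {want})")
        elif values[-1] != want:  # flat scan: last occurrence is compared
            findings.append(f"{name}: {values[-1]!r}, baseline {want!r}")

    headers = {}
    for value in found.get("add_header", []):
        header_name, _, header_value = value.partition(" ")
        headers[header_name] = header_value.strip()
    for header_name, want in EXPECTED_HEADERS.items():
        got = headers.get(header_name)
        if got is None:
            findings.append(f"add_header {header_name}: missing")
        elif got != want:
            findings.append(f"add_header {header_name}: {got!r}, baseline {want!r}")
    return findings


# Constructed sample: a typical distribution default before hardening.
WEAK_CONF = """\
http {
    server_tokens on;
    client_max_body_size 10m;
    keepalive_timeout 65;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # old protocol versions still enabled
    add_header X-Content-Type-Options nosniff;
}
"""

# Constructed sample: what the role's defaults render to.
HARDENED_CONF = """\
http {
    server_tokens off;
    client_body_buffer_size 1k;
    client_max_body_size 1k;
    client_header_buffer_size 1k;
    large_client_header_buffers 2 1k;
    keepalive_timeout 5 5;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
    limit_conn_zone $binary_remote_addr zone=default:10m;
    limit_conn default 5;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for finding in audit(conf):
            print("  -", finding)
```

Run it as a script to list the findings; the weak sample yields one line per directive the role would change or add, and the hardened sample yields none. Because `values[-1]` is compared, a value set in a later `server` block would mask an earlier one in this flat scan; if you need context-aware checks, feed each `server` block separately or use nginx's own `nginx -T` output as input.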

Example Playbook

- hosts: localhost
  collections:
    - devsec.hardening
  roles:
    - nginx_hardening