nginx-hardening

This cookbook provides a secure overlay for nginx configuration.

Platform

• Debian 7, 8
• Ubuntu 14.04, 16.04
• CentOS 6, 7
• OracleLinux 6.6, 6.7, 7.1

Attributes

• ['nginx']['client_body_buffer_size'] – 1k Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.
• ['nginx']['default_site_enabled'] – false to disable the default site. Set to on to enable the default site in nginx.
• ['nginx']['client_max_body_size'] – 1k to set the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.
• ['nginx']['keepalive_timeout'] – 5 5 The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field.
• ['nginx']['server_tokens'] – off to disable disables emitting nginx version in error messages and in the “Server” response header field. Set to on to enable the nginx version in error messages and “Server” response header.
• ['nginx-hardening']['source']['http_autoindex_module'] – false to disable the HTTP Autoindex module. Set to trueto enable http_autoindex_module.
• ['nginx-hardening']['source']['http_ssi_module'] – false to disable the HTTP SSI module. Set to true to enable http_ssi_module.
• ['nginx-hardening']['options']['ssl_protocols'] – 'TLSv1.2' to specify the SSL protocol which should be used.
• ['nginx-hardening']['options']['ssl_ciphers'] – 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' to specify the TLS ciphers which should be used.
• ['nginx-hardening']['options']['ssl_prefer_server_ciphers'] – 'on' Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
• ['nginx-hardening']['dh-size'] – 2048 Specifies the length of DH parameters for EDH ciphers.

Download && Use

Author:

• Author:: Dominik Richter dominik.richter@googlemail.com
• Author:: Deutsche Telekom AG