This cookbook brings secure nginx settings to your system. It installs/updates the openssl and nginx package and provides you with a secure and easy to manage nginx configuration. All changes are made in "/etc/nginx/nginx.conf". Besides the nginx hardening, this cookbook also gives you the option of a very basic, tailored system optimization. Please refer to the section Attributes for further information. The hardening and install/update recipes are seperate and can be included or excluded at will.
- Chef Server, Client or Chef-dk (tested with Chef version 12.x)
- Berkshelf
* Debian 8 and later (tested, should work with older versions, too)
* Ubuntu 14 and later (tested, should work with older versions, too)
The opscode apt cookbook makes sure, the apt reposítory list is up to date. Berkshelf is used as a dependency management tool. To resolve and install all the Dependencies cd into the directory and execute following command:
* berks vendor cookbooks
* berks install --path cookbooks
The file "attributes/default.rb" acts as a central configuration file.
default['nginx']['worker_processes'] = 'auto'- Set the number of nginx worker processes. A good start is to match the number of CPU cores. Nginx default is "4". Options:auto(will get the number of CPU cores) orIntegermore information Nginx Documentationdefault['nginx']['worker_connections'] = 'auto'- Set the number of worker connections. Nginx default is "768". Options:auto(gets users ressource limits) orIntegerdefault['nginx']['user'] = ['www-data']- Change the default user, nginx is run under. The specified unix user must exist. Nginx default "www-data". OptionsStringdefault['nginx']['server_tokens'] = ['off']- Disable the server tokens and don't show OS details on error pages. Nginx default "on" Options:on,offdefault['nginx']['client_header_buffer_size'] = ['1k']- Specifies the header buffer size; If you handle large cookies or other header data, increase the buffer. If this buffer does not suffice the "large_client_header_buffers" will be used. Nginx default "1k". Options:number of kilobytes as Integerdefault['nginx']['large_client_header_buffers'] = ['2 1k']- Specifies the maximum number and size of the client buffer; If you handle large cookies or other header data increase the buffer. Nginx defaul "4 8k". Optionsnumber of buffers as Integerandsize of buffer as Integer
further information about HTTP headers OWASP
default['nginx']['X_Frame_Headers'] = ['SAMEORIGIN']- Options:DENY,SAMEORIGIN,ALLOW-FROMuri;default['nginx']['X_Content_Type_Options'] = ['nosniff']- Options:nosnifforblankdefault['nginx']['X_XSS_Protection'] = ['"1; mode=block"']- Options:1; mode=block,0,1default['nginx']['Strict_Transport_Security'] = ['"max-age=31536000; includeSubdomains; preload"']- Options:max-age= in seconds,includeSubdomains,preload; or any combination of those options
default['nginx']['disable_default_site'] = 'true'- Remove the default system link from sites-enabled. Options:true,falsedefault['nginx']['override_default_site'] = 'true'- Override the standard index.html with a blank document. Options:true,false
CD into the hardening folder and execute the command below. Hence this cookbooks installs and changes system configuration files, it must be run with root privileges.
sudo chef-client --local-mode --runlist 'recipe[nginx_hardening]'
* If you don't want to update or install the nginx package from the system mananger, remove the line `include_recipe "nginx_hardening::check_nginx"` from "recipes/default.rb"
- Steffen Hinderer
- Author:: Steffen Hinderer [email protected]
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.