This cookbook provides a secure overlay for nginx configuration.
- Chef 12+
- Debian 7, 8
- Ubuntu 14.04, 16.04
- CentOS 6, 7
- OracleLinux 6.6, 6.7, 7.1
['nginx']['client_body_buffer_size']-1kSets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.['nginx']['default_site_enabled']-falseto disable the default site. Set toonto enable the default site in nginx.['nginx']['client_max_body_size']-1kto set the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.['nginx']['keepalive_timeout']-5 5The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive: timeout=time" response header field.['nginx']['server_tokens']-offto disable disables emitting nginx version in error messages and in the "Server" response header field. Set toonto enable the nginx version in error messages and "Server" response header.['nginx-hardening']['source']['http_autoindex_module']-falseto disable the HTTP Autoindex module. Set totrueto enable http_autoindex_module.['nginx-hardening']['source']['http_ssi_module']-falseto disable the HTTP SSI module. Set totrueto enable http_ssi_module.['nginx-hardening']['options']['ssl_protocols']-'TLSv1.2'to specify the SSL protocol which should be used.['nginx-hardening']['options']['ssl_ciphers']-'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'to specify the TLS ciphers which should be used.['nginx-hardening']['options']['ssl_prefer_server_ciphers']-'on'Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set tofalseto disable it.['nginx-hardening']['dh-size']-2048Specifies the length of DH parameters for EDH ciphers.
You can also use the complete attributes from the nginx cookbook
Add the recipes to the run_list:
"recipe[apt]"
"recipe[nginx-hardening::upgrades]"
"recipe[nginx]"
"recipe[nginx-hardening]"
Configure attributes:
"nginx-hardening" : {
"dh-size" : "4096"
}
For local testing you can use vagrant or docker to run tests locally. You will have to install VirtualBox and Vagrant or docker on your system. See Vagrant Downloads for a vagrant or Docker Downloads package suitable for your system. For all our tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.
# Install dependencies
gem install bundler
bundle install
# Do lint checks
bundle exec rake lint
# fast test on one machine
bundle exec kitchen test default-ubuntu-1404
# test on all machines
bundle exec kitchen test
# for development
bundle exec kitchen create default-ubuntu-1404
bundle exec kitchen converge default-ubuntu-1404
bundle exec kitchen verify default-ubuntu-1404- Dominik Richter arlimus
- Christoph Hartmann chris-rock
- Patrick Muench atomic111
- Edmund Haselwanter ehaselwanter
© 2018 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.
No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.
For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.