Skip to content

mitre/chef-nginx-hardening

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

nginx-hardening (Chef cookbook)

Supermarket Build Status Code Coverage Dependencies Gitter Chat

Description

This cookbook provides a secure overlay for nginx configuration.

Requirements

  • Chef 12+

Platform

  • Debian 7, 8
  • Ubuntu 14.04, 16.04
  • CentOS 6, 7
  • OracleLinux 6.6, 6.7, 7.1

Attributes

  • ['nginx']['client_body_buffer_size'] - 1k Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.
  • ['nginx']['default_site_enabled'] - false to disable the default site. Set to on to enable the default site in nginx.
  • ['nginx']['client_max_body_size'] - 1k to set the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.
  • ['nginx']['keepalive_timeout'] - 5 5 The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive: timeout=time" response header field.
  • ['nginx']['server_tokens'] - off to disable disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header.
  • ['nginx-hardening']['source']['http_autoindex_module'] - false to disable the HTTP Autoindex module. Set to true to enable http_autoindex_module.
  • ['nginx-hardening']['source']['http_ssi_module'] - false to disable the HTTP SSI module. Set to true to enable http_ssi_module.
  • ['nginx-hardening']['options']['ssl_protocols'] - 'TLSv1.2' to specify the SSL protocol which should be used.
  • ['nginx-hardening']['options']['ssl_ciphers'] - 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' to specify the TLS ciphers which should be used.
  • ['nginx-hardening']['options']['ssl_prefer_server_ciphers'] - 'on' Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
  • ['nginx-hardening']['dh-size'] - 2048 Specifies the length of DH parameters for EDH ciphers.

You can also use the complete attributes from the nginx cookbook

Usage

Add the recipes to the run_list:

"recipe[apt]"
"recipe[nginx-hardening::upgrades]"
"recipe[nginx]"
"recipe[nginx-hardening]"

Configure attributes:

"nginx-hardening" : {
  "dh-size" : "4096"
}

Local Testing

For local testing you can use vagrant or docker to run tests locally. You will have to install VirtualBox and Vagrant or docker on your system. See Vagrant Downloads for a vagrant or Docker Downloads package suitable for your system. For all our tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.

# Install dependencies
gem install bundler
bundle install

# Do lint checks
bundle exec rake lint

# fast test on one machine
bundle exec kitchen test default-ubuntu-1404

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-ubuntu-1404
bundle exec kitchen converge default-ubuntu-1404
bundle exec kitchen verify default-ubuntu-1404

Contributors + Kudos

Contributing

See contributor guideline.

NOTICE

© 2018 The MITRE Corporation.

Approved for Public Release; Distribution Unlimited. Case Number 18-3678.

NOTICE

MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.

NOTICE

This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.

No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.

For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.