ansible_home

A collection of Ansible roles for home free software self-hosting.


Nginx Ansible Role

Description

This role installs a Nginx web server.

Features

Configuration:

Security:

Variables

Mandatory

| Name | Default Value | Description |
| --- | --- | --- |
| nginx_server_name | | Server domain name. |
| nginx_site | | Name of the site. |
| nginx_site_conf | | Site-specific configuration to insert into the Nginx configuration. The content is inserted in the server section of the generated site .conf file. |
| nginx_site_user | | Unix user used to run the site application. |

Optional

| Name | Default Value | Description |
| --- | --- | --- |
| nginx_access_log | true | If true, accesses are logged to the journal; otherwise the access log is disabled. |
| nginx_can_connect_ldap | false | If true, configure SELinux to allow Nginx to connect to LDAP. |
| nginx_can_network_connect | false | If true, configure SELinux to allow Nginx to connect to the network. Needed, for example, when proxying to a backend over TCP. |
| nginx_can_network_connect_db | false | If true, configure SELinux to allow Nginx to connect to a database. |
| nginx_can_network_memcache | false | If true, configure SELinux to allow Nginx to connect to a memcache server. |
| nginx_can_sendmail | false | If true, configure SELinux to allow Nginx to send emails. |
| nginx_can_use_cifs | false | If true, configure SELinux to allow Nginx to access CIFS/SMB shares. |
| nginx_can_use_fusefs | false | If true, configure SELinux to allow Nginx to access FUSE filesystems. |
| nginx_can_use_gpg | false | If true, configure SELinux to allow Nginx to use GPG. |
| nginx_client_body_timeout | 60s | Timeout for reading the client request body. Helps mitigate slow-connection attacks such as Slowloris. |
| nginx_client_header_timeout | 60s | Timeout for reading the client request header. Helps mitigate slow-connection attacks such as Slowloris. |
| nginx_client_max_body_size | 1k | Maximum allowed size of the client request body; larger requests are rejected with HTTP 413. Increase it to allow uploading large files, or reduce it to mitigate some DoS attacks. Defaults to 1 KB to improve security. |
| nginx_domain_can_mmap_files | false | If true, configure SELinux to allow Nginx to memory-map files. |
| nginx_error_log_level | error | Level of the error log in the journal. |
| nginx_firewalld_source | | If specified, restrict HTTP/HTTPS access to the listed sources in CIDR notation (["192.168.1.10/32", "192.168.1.0/24", "2001:db8:1234:5678::/64"], …). By default, allow all using the public zone. Mutually exclusive with nginx_firewalld_zone. |
| nginx_firewalld_zone | | If specified, the existing firewalld zone in which to allow HTTP/HTTPS access. By default, use the public zone. Mutually exclusive with nginx_firewalld_source. |
| nginx_health_check_path | / | Path to use for health check/monitoring. Used if common_netdata_enable is true. |
| nginx_limit_conn_per_ip | 100 | Maximum number of simultaneous connections per client IP address. Applied at server level. Can help to mitigate DoS attacks. |
| nginx_limit_req_per_ip_burst | 1000 | Request burst allowed per client IP address beyond the rate limit. Applied at server level. Can help to mitigate DoS attacks. |
| nginx_limit_req_per_ip_delay | nodelay | Limit at which excessive requests within the burst become delayed. Either a number of requests or nodelay. Applied at server level. Can help to mitigate DoS attacks. |
| nginx_limit_req_per_ip_rate | 1000r/s | Request rate limit per client IP address. Applied at server level. Can help to mitigate DoS attacks. |
| nginx_inaccessible_paths | | Space-separated list of absolute paths to make inaccessible from the Nginx service. |
| nginx_php_fpm | false | If true, configure Nginx for PHP-FPM (see the php_fpm role). |
| nginx_read_user_content | false | If true, configure SELinux to allow Nginx to read user content. |
| nginx_resolver | 127.0.0.1 | Nginx resolver. |
| nginx_security_header_content_security_policy | false | If true, add the Content-Security-Policy HTTP header with the value set in nginx_security_header_content_security_policy_value. |
| nginx_security_header_content_security_policy_value | default-src 'none'; frame-ancestors 'none'; base-uri 'self'; script-src 'self'; style-src 'self'; media-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; | Value of the Content-Security-Policy HTTP header set if nginx_security_header_content_security_policy is true. The default denies everything not explicitly listed, so an application that loads inline scripts, data: images or third-party resources needs its own value. |
| nginx_security_header_feature_policy | false | If true, add the Feature-Policy HTTP header with the value set in nginx_security_header_feature_policy_value. |
| nginx_security_header_feature_policy_value | geolocation none; midi none; notifications none; push none; sync-xhr none; microphone none; camera none; magnetometer none; gyroscope none; speaker none; vibrate none; fullscreen self; payment none; | Value of the Feature-Policy HTTP header set if nginx_security_header_feature_policy is true. Note that Feature-Policy is deprecated and has been replaced by Permissions-Policy. |
| nginx_security_header_permission_policy | false | If true, add the Permissions-Policy HTTP header with the value set in nginx_security_header_permission_policy_value. |
| nginx_security_header_permission_policy_value | geolocation(), midi(), notifications(), push(), sync-xhr(), microphone(), camera(), magnetometer(), gyroscope(), speaker(), vibrate(), fullscreen(self), payment() | Value of the Permissions-Policy HTTP header set if nginx_security_header_permission_policy is true. Note that the Permissions-Policy syntax defined by the specification is feature=(allowlist), for example camera=() or fullscreen=(self); verify the header the browser actually receives. |
| nginx_security_header_public_key_pins | false | If true, add the Public-Key-Pins HTTP header to enable HTTP Public Key Pinning (HPKP). Deprecated: current browsers ignore this header, and in a browser that does honor it a pin set that does not match the served chain locks visitors out until max-age expires. |
| nginx_security_header_public_key_pins_backup_pins | [] | List of base64-encoded SHA-256 digests of backup public keys (SubjectPublicKeyInfo) to add to the Public-Key-Pins header. HPKP requires at least one backup pin that is not in the served chain. |
| nginx_security_header_public_key_pins_max_age | 2592000 | max-age in seconds of the HTTP Public Key Pinning. |
| nginx_security_header_referrer_policy | true | If true, add the Referrer-Policy HTTP header to disable sending the Referer header. |
| nginx_security_header_x_content_type_options | true | If true, add the X-Content-Type-Options HTTP header (nosniff) to mitigate MIME-sniffing attacks. |
| nginx_security_header_x_download_options | true | If true, add the X-Download-Options HTTP header (noopen) to prevent Internet Explorer from opening downloaded files directly in the site's context. |
| nginx_security_header_x_frame_options | true | If true, add the X-Frame-Options HTTP header to mitigate clickjacking attacks. |
| nginx_security_header_x_permitted_cross_domain_policies | true | If true, add the X-Permitted-Cross-Domain-Policies HTTP header to disallow cross-domain policy files (Adobe Flash/Acrobat). |
| nginx_security_header_x_robots_tag | true | If true, add the X-Robots-Tag HTTP header and a robots.txt file asking crawlers not to index the site. This is advisory only; it does not hide the site from a crawler that ignores it. |
| nginx_security_header_x_xss_protection | false | If true, add the X-XSS-Protection HTTP header to mitigate cross-site scripting attacks. Deprecated, disabled by default; use Content-Security-Policy instead. |
| nginx_site_conf | | Path to a Jinja template file that contains the site-specific Nginx configuration. This template is evaluated and inserted inside the server section of the configuration. |
| nginx_ssl_certificate | | Path to the TLS certificate associated with the nginx_server_name domain. |
| nginx_ssl_certificate_key | | Path to the TLS private key associated with the nginx_server_name domain. |
| nginx_ssl_trusted_certificate | | Path to the TLS certificate chain (root + intermediates) associated with the nginx_server_name domain. |
| nginx_unified | false | If true, configure SELinux to allow unified handling of all content files. |

If the nginx_ssl_certificate, nginx_ssl_certificate_key and nginx_ssl_trusted_certificate variables are not set, a self-signed certificate is generated and used. Warning: self-signed certificates are only suitable for testing and must not be used on a publicly accessible server, since clients cannot distinguish them from an attacker's certificate.

Example Playbook

---
- hosts: all
  become: true
  collections:
    - jgoutin.home
  roles:
    - nginx
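The playbook below is an added example, not part of the original role documentation or of the jgoutin.home collection. It shows the variables from the tables above used together for one realistic case: Nginx fronting a hypothetical application listening on 127.0.0.1:8080, served over TLS, reachable only from a LAN prefix, with the Content-Security-Policy header enabled and only the SELinux boolean the reverse proxy needs switched on. The inventory group, host name, certificate paths, network prefixes and the template contents are all assumptions; nginx_site_conf is used here as the path to a Jinja template, the form documented in the Optional table.

```yaml
---
# Added example playbook (not part of the jgoutin.home collection).
# Assumptions: the target host is managed by the collection, the
# certificate files already exist on the target, and an application
# named "myapp" listens on 127.0.0.1:8080 as the Unix user "myapp".
- hosts: web
  become: true
  collections:
    - jgoutin.home
  vars:
    # Mandatory variables
    nginx_server_name: myapp.example.org
    nginx_site: myapp
    nginx_site_user: myapp
    # Jinja template evaluated into the server section of the generated
    # site .conf; its assumed content is shown after the play.
    nginx_site_conf: "{{ playbook_dir }}/templates/myapp_nginx.conf.j2"

    # TLS: without these three variables the role falls back to a
    # self-signed certificate, which is only acceptable for testing.
    nginx_ssl_certificate: /etc/pki/tls/certs/myapp.example.org.crt
    nginx_ssl_certificate_key: /etc/pki/tls/private/myapp.example.org.key
    nginx_ssl_trusted_certificate: /etc/pki/tls/certs/myapp.example.org.chain.crt

    # Network exposure: only these prefixes may reach ports 80/443
    # (mutually exclusive with nginx_firewalld_zone).
    nginx_firewalld_source:
      - "192.168.1.0/24"
      - "2001:db8:1234:5678::/64"

    # Request limits: raise the 1k default only because the application
    # accepts uploads; the other DoS-related defaults are kept.
    nginx_client_max_body_size: 16m

    # Headers: CSP for an application that serves its own scripts and
    # styles, embeds data: images and calls back to its own origin.
    nginx_security_header_content_security_policy: true
    nginx_security_header_content_security_policy_value: >-
      default-src 'none'; frame-ancestors 'none'; base-uri 'self';
      script-src 'self'; style-src 'self'; img-src 'self' data:;
      font-src 'self'; connect-src 'self'; form-action 'self'
    nginx_security_header_permission_policy: true

    # SELinux: proxying to a TCP backend needs httpd_can_network_connect;
    # every other boolean stays at its deny-by-default value.
    nginx_can_network_connect: true
  roles:
    - nginx

# Assumed content of templates/myapp_nginx.conf.j2, inserted by the role
# into the server block (example only):
#
#   location / {
#       proxy_pass http://127.0.0.1:8080;
#       proxy_set_header Host $host;
#       proxy_set_header X-Forwarded-Proto $scheme;
#       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#       proxy_http_version 1.1;
#       proxy_set_header Upgrade $http_upgrade;
#       proxy_set_header Connection "upgrade";
#   }
```

After the run, `curl -sI https://myapp.example.org/` from an allowed prefix should return the Content-Security-Policy, Permissions-Policy, X-Frame-Options, X-Content-Type-Options and Referrer-Policy headers; a request from outside the listed prefixes is dropped by firewalld before it reaches Nginx, and a request body larger than 16m is answered with HTTP 413.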