This cookbook provides a secure overlay for nginx configuration.

• Chef 12+

• Debian 7, 8
• Ubuntu 14.04, 16.04
• CentOS 6, 7
• OracleLinux 6.6, 6.7, 7.1

• ['nginx']['client_body_buffer_size'] - 1k Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.
• ['nginx']['default_site_enabled'] - false to disable the default site. Set to on to enable the default site in nginx.
• ['nginx']['client_max_body_size'] - 1k to set the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.
• ['nginx']['keepalive_timeout'] - 5 5 The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive: timeout=time" response header field.
• ['nginx']['server_tokens'] - off to disable disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header.
• ['nginx-hardening']['source']['http_autoindex_module'] - false to disable the HTTP Autoindex module. Set to true to enable http_autoindex_module.
• ['nginx-hardening']['source']['http_ssi_module'] - false to disable the HTTP SSI module. Set to true to enable http_ssi_module.
• ['nginx-hardening']['options']['ssl_protocols'] - 'TLSv1.2' to specify the SSL protocol which should be used.
• ['nginx-hardening']['options']['ssl_ciphers'] - 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' to specify the TLS ciphers which should be used.
• ['nginx-hardening']['options']['ssl_prefer_server_ciphers'] - 'on' Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
• ['nginx-hardening']['dh-size'] - 2048 Specifies the length of DH parameters for EDH ciphers.

You can also use the complete attributes from the nginx cookbook

Add the recipes to the run_list:

"recipe[apt]"
"recipe[nginx-hardening::upgrades]"
"recipe[nginx]"
"recipe[nginx-hardening]"

Configure attributes:

"nginx-hardening" : {
  "dh-size" : "4096"
}

For local testing you can use vagrant or docker to run tests locally. You will have to install VirtualBox and Vagrant or docker on your system. See Vagrant Downloads for a vagrant or Docker Downloads package suitable for your system. For all our tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.

# Install dependencies
gem install bundler
bundle install

# Do lint checks
bundle exec rake lint

# fast test on one machine
bundle exec kitchen test default-ubuntu-1404

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-ubuntu-1404
bundle exec kitchen converge default-ubuntu-1404
bundle exec kitchen verify default-ubuntu-1404

• Dominik Richter arlimus
• Christoph Hartmann chris-rock
• Patrick Muench atomic111
• Edmund Haselwanter ehaselwanter

See contributor guideline.

• Author:: Dominik Richter [email protected]
• Author:: Deutsche Telekom AG

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.