From 0b8b27c0879ceac07a2200b0f538c37e5eca591c Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 15 Aug 2018 18:16:50 +0200 Subject: [PATCH 1/7] update testing and style --- .github_changelog_generator | 1 + .kitchen.yml | 29 ++++++++++++++++++++----- .travis.yml | 17 +++++++++------ Gemfile | 4 ++++ default.yml | 6 ------ defaults/main.yml | 11 +++++++--- requirements.yml | 2 +- spec/travis.yml | 4 ---- tasks/main.yml | 43 ++++++++++++++++++++++++++++++------- templates/hardening.conf.j2 | 5 ++++- tests/test.yml | 15 +++++++++++++ 11 files changed, 103 insertions(+), 34 deletions(-) create mode 100644 .github_changelog_generator delete mode 100644 default.yml delete mode 100644 spec/travis.yml create mode 100644 tests/test.yml diff --git a/.github_changelog_generator b/.github_changelog_generator new file mode 100644 index 00000000..312d7f83 --- /dev/null +++ b/.github_changelog_generator @@ -0,0 +1 @@ +unreleased=false diff --git a/.kitchen.yml b/.kitchen.yml index 524f716d..b9a268d7 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -21,7 +21,7 @@ provisioner: roles_path: ../ansible-nginx-hardening/ http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> - playbook: default.yml + playbook: tests/test.yml requirements_path: requirements.yml platforms: @@ -33,6 +33,10 @@ platforms: driver: image: rndmh3ro/docker-centos7-ansible:latest platform: centos + run_command: /sbin/init + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service - name: oracle6-ansible-latest driver: image: rndmh3ro/docker-oracle6-ansible:latest 
@@ -40,11 +44,11 @@ platforms: - name: oracle7-ansible-latest driver: image: rndmh3ro/docker-oracle7-ansible:latest + run_command: /sbin/init platform: centos -- name: ubuntu1204-ansible-latest - driver: - image: rndmh3ro/docker-ubuntu1204-ansible:latest - platform: ubuntu + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service - name: ubuntu1404-ansible-latest driver: image: rndmh3ro/docker-ubuntu1404-ansible:latest @@ -53,6 +57,9 @@ platforms: driver: image: rndmh3ro/docker-ubuntu1604-ansible:latest platform: ubuntu + run_command: /sbin/init + provision_command: + - systemctl enable ssh.service - name: debian7-ansible-latest driver: image: rndmh3ro/docker-debian7-ansible:latest @@ -65,6 +72,18 @@ platforms: driver: image: rndmh3ro/docker-debian9-ansible:latest platform: debian + run_command: /sbin/init + provision_command: + - apt install -y systemd-sysv + - systemctl enable ssh.service +- name: amazon-ansible-latest + driver: + image: rndmh3ro/docker-amazon-ansible:latest + platform: centos + run_command: /sbin/init + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service verifier: name: inspec diff --git a/.travis.yml b/.travis.yml index eec25ca1..f88b3043 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,7 +7,7 @@ env: init: /sbin/init - distro: centos7 - init: /usr/lib/systemd/systemd + init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" version: latest 
@@ -29,20 +29,25 @@ env: version: latest init: /sbin/init -# - distro: debian7 -# version: latest -# init: /sbin/init + - distro: debian7 + version: latest + init: /sbin/init - distro: debian8 version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" init: /sbin/init + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro: debian9 version: latest init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: amazon + init: /lib/systemd/systemd + version: latest + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + before_install: # Pull container - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' @@ -56,7 +61,7 @@ script: - 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/' # Test role. - - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/default.yml -vv' + - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/tests/test.yml -vv' # Verify role - 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id})' diff --git a/Gemfile b/Gemfile index c11b3bf6..4791b15e 100644 --- a/Gemfile +++ b/Gemfile @@ -16,3 +16,7 @@ end group :tools do gem 'github_changelog_generator', '~> 1' end + +gem 'kitchen-dokken' + +gem 'rb-readline' diff --git a/default.yml b/default.yml deleted file mode 100644 index 8020c5f5..00000000 --- a/default.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings - hosts: localhost - roles: - - geerlingguy.nginx - - ansible-nginx-hardening diff --git a/defaults/main.yml b/defaults/main.yml index 2a84b97a..434d9f79 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
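Review bot: The two gems appended at the end of the Gemfile, `gem 'kitchen-dokken'` and `gem 'rb-readline'`, carry no version constraint and sit outside the `group` blocks the rest of the file uses, so any future release of either can land in the test tool-chain on the next `bundle update`. The file's own convention is a pessimistic constraint (`gem 'github_changelog_generator', '~> 1'` two lines above); give the new gems the same treatment, `gem 'kitchen-dokken', '~> <MAJOR_FROM_LOCKFILE>'`, and move them into the group they belong to. An unconstrained test dependency is the cheapest place for a supply-chain surprise to enter CI.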
@@ -17,10 +17,15 @@ nginx_add_header: [ # disable content-type sniffing "X-Content-Type-Options nosniff", # XSS filter -"X-XSS-Protection \"1; mode=block\"" ] +"X-XSS-Protection \"1; mode=block\"", +"Strict-Transport-Security max-age=15768000", +"Content-Security-Policy \"script-src 'self'; object-src 'self'\"" ] -nginx_ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2" -nginx_ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" +nginx_set_cookie_flag: "* HttpOnly secure" nginx_ssl_prefer_server_ciphers: "on" +nginx_ssl_protocols: "TLSv1.2" +nginx_ssl_ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" +nginx_ssl_prefer_server_ciphers: "on" +nginx_ssl_session_tickets: "off" nginx_dh_param: "{{nginx_root_dir}}/dh{{nginx_dh_size}}.pem" nginx_dh_size: "2048" diff --git a/requirements.yml b/requirements.yml index 86981f95..edf88b04 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1 +1 @@ -- src: geerlingguy.nginx +- src: nginxinc.nginx diff --git a/spec/travis.yml b/spec/travis.yml deleted file mode 100644 index bb64498c..00000000 --- a/spec/travis.yml +++ /dev/null 
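Review bot: The new `Content-Security-Policy "script-src 'self'; object-src 'self'"` entry is emitted through `add_header` on every response the role configures, so a site deployed with role defaults that uses inline or third-party scripts breaks in the browser with nothing in nginx's logs; a default this site-specific needs a comment above `nginx_add_header` stating that operators are expected to override it, and `object-src 'none'` is the stronger value when plugins are not served. The replacement `nginx_ssl_ciphers` list contains only ECDHE suites, so with these defaults the 2048-bit group produced by the `generate dh group` task and referenced via `nginx_dh_param` is never negotiated; either comment it as a safety net for operators who re-add DHE suites or drop the slow generation. `Strict-Transport-Security max-age=15768000` is a sensible default, but without `includeSubDomains` it protects only the exact host, which is worth saying in the same comment.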
@@ -1,4 +0,0 @@ -- hosts: localhost - roles: - - geerlingguy.nginx - - ansible-nginx-hardening diff --git a/tasks/main.yml b/tasks/main.yml index bd821c0e..bd3848ac 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,14 +3,27 @@ include_vars: "{{ ansible_os_family }}.yml" - name: config should not be worldwide read- or writeable - file: path="/etc/nginx" mode="o-rw" owner="root" group="root" recurse=yes + file: + path: "/etc/nginx" + mode: "o-rw" + owner: "root" + group: "root" + recurse: yes - name: create additional configuration - template: src="hardening.conf.j2" dest="{{nginx_config_conf_dir}}/90.hardening.conf" owner="root" group="root" + template: + src: "hardening.conf.j2" + dest: "{{ nginx_config_conf_dir }}/90.hardening.conf" + owner: "root" + group: "root" notify: reload nginx - name: change configuration in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*server_tokens" line="server_tokens {{nginx_server_tokens}};" insertafter="http {" + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: "^\\s*server_tokens" + line: "server_tokens {{ nginx_server_tokens }};" + insertafter: "http {" notify: reload nginx - name: change ssl_protocols in main nginx.conf 
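Review bot: The `create additional configuration` task sets `owner` and `group` but no `mode`, so `90.hardening.conf` is written with the controller's default umask (typically world-readable), even though the task directly above strips `o-rw` from everything under `/etc/nginx` — and that recursion runs before the file exists, so it never covers it. Add `mode: "0640"` to the `template` task so the role's own output meets the permission policy it enforces on the directory. `mode: "o-rw"` also leaves `o+x` in place, so other users can still traverse into `/etc/nginx`; if that is the intended minimum, a comment on the `file` task saying so would save the next reader from guessing.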
@@ -22,22 +35,36 @@ notify: reload nginx - name: change client_max_body_size in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*client_max_body_size" line="client_max_body_size {{nginx_client_max_body_size}};" insertafter="http {" + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: "^\\s*client_max_body_size" + line: "client_max_body_size {{ nginx_client_max_body_size }};" + insertafter: "http {" notify: reload nginx - name: change client_body_buffer_size in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*client_body_buffer_size" line="client_body_buffer_size {{nginx_client_body_buffer_size}};" insertafter="http {" + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: "^\\s*client_body_buffer_size" + line: "client_body_buffer_size {{ nginx_client_body_buffer_size }};" + insertafter: "http {" notify: reload nginx - name: change keepalive_timeout in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*keepalive_timeout" line="keepalive_timeout {{nginx_keepalive_timeout}};" insertafter="http {" + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: "^\\s*keepalive_timeout" + line: "keepalive_timeout {{ nginx_keepalive_timeout }};" + insertafter: "http {" notify: reload nginx - name: remove default.conf - file: path="{{nginx_default_conf}}" state=absent + file: + path: "{{ nginx_default_conf }}" + state: absent when: nginx_remove_default_site notify: reload nginx - name: generate dh group - command: openssl dhparam -out {{nginx_dh_param}} {{nginx_dh_size}} creates={{nginx_dh_param}} + command: openssl dhparam -out {{ nginx_dh_param }} {{ nginx_dh_size }} creates={{ nginx_dh_param }} notify: reload nginx diff --git a/templates/hardening.conf.j2 b/templates/hardening.conf.j2 index eb5a9cd4..1e250cb2 100644 --- a/templates/hardening.conf.j2 +++ b/templates/hardening.conf.j2 
@@ -8,7 +8,10 @@ client_header_timeout {{nginx_client_header_timeout}}; send_timeout {{nginx_send_timeout}}; limit_conn_zone {{nginx_limit_conn_zone}}; limit_conn {{nginx_limit_conn}}; -ssl_ciphers {{nginx_ssl_ciphers}}; +set_cookie_flag {{nginx_set_cookie_flag}}; +ssl_ciphers '{{nginx_ssl_ciphers}}'; +ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}}; +ssl_session_tickets {{nginx_ssl_session_tickets}}; ssl_dhparam {{nginx_dh_param}}; {% for header in nginx_add_header %} add_header {{header}}; diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 00000000..8f43b192 --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,15 @@ +--- +- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings + hosts: localhost + pre_tasks: + - package: name="{{item}}" state=installed + with_items: + - "systemd" + ignore_errors: true + - apt: name="{{item}}" state=installed update_cache=true + with_items: + - "systemd" + ignore_errors: true + roles: + - nginxinc.nginx + - ansible-nginx-hardening From 8fc0e233fef9bdb8748a94ea4660f9354e6ebcf5 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 8 Sep 2018 14:55:58 +0200 Subject: [PATCH 2/7] remove debian 7, oracle 7 and amz from testing --- .kitchen.vagrant.yml | 4 ---- .kitchen.yml | 4 ---- .travis.yml | 20 ++++++++------------ 3 files changed, 8 insertions(+), 20 deletions(-) diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml index 04340dd8..a2a4126d 100644 --- a/.kitchen.vagrant.yml +++ b/.kitchen.vagrant.yml @@ -62,10 +62,6 @@ platforms: - name: oracle-7 driver_config: box: boxcutter/ol72 -- name: debian-7 - driver_config: - box: debian-7 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box - name: debian-8 driver_config: box: debian-8 diff --git a/.kitchen.yml b/.kitchen.yml index b9a268d7..7f2d68f0 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
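Review bot: Both `pre_tasks` in the new tests/test.yml rely on `ignore_errors: true` to survive the platforms where the module does not apply (`apt` on the RedHat-family images, `package` where `systemd` is not packaged), which also hides genuine install failures and makes a later role failure harder to attribute. Gate the `apt` task with `when: ansible_os_family == 'Debian'` and keep `ignore_errors` only on the step where a missing package is genuinely acceptable. `state=installed` is an alias; the canonical value is `state: present`, and the single-item `with_items` can be written as `name: systemd` directly.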
@@ -60,10 +60,6 @@ platforms: run_command: /sbin/init provision_command: - systemctl enable ssh.service -- name: debian7-ansible-latest - driver: - image: rndmh3ro/docker-debian7-ansible:latest - platform: debian - name: debian8-ansible-latest driver: image: rndmh3ro/docker-debian8-ansible:latest diff --git a/.travis.yml b/.travis.yml index f88b3043..48c51f80 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,10 +15,10 @@ env: version: latest init: /sbin/init - - distro: oracle7 - init: /usr/lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest +# - distro: oracle7 +# init: /usr/lib/systemd/systemd +# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" +# version: latest - distro: ubuntu1604 version: latest @@ -29,10 +29,6 @@ env: version: latest init: /sbin/init - - distro: debian7 - version: latest - init: /sbin/init - - distro: debian8 version: latest init: /sbin/init @@ -43,10 +39,10 @@ env: init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - distro: amazon - init: /lib/systemd/systemd - version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" +# - distro: amazon +# init: /lib/systemd/systemd +# version: latest +# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" before_install: # Pull container From de358d0bb16ecff1c9ef1feddfa499810631f420 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 8 Sep 2018 14:56:11 +0200 Subject: [PATCH 3/7] add ignore cert option --- .kitchen.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.kitchen.yml b/.kitchen.yml index 7f2d68f0..b344e709 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -23,6 +23,7 @@ provisioner: https_proxy: <%= ENV['https_proxy'] || nil %> playbook: tests/test.yml requirements_path: requirements.yml + galaxy_ignore_certs: true platforms: - name: centos6-ansible-latest From 07e01d45b05a7782eeafafcb3dda1b4bab6e2fd2 Mon Sep 17 00:00:00 2001 
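Review bot: `galaxy_ignore_certs: true` disables TLS certificate verification for every role that kitchen downloads through `requirements.yml`, so anyone positioned on the CI network — including the proxy configured by the `https_proxy` line two lines above — can substitute role content that then runs as root inside the test container; the same change appears as `ansible-galaxy -c install` in the .travis.yml hunk of patch 4. If the motivation is a TLS-intercepting proxy, trust its CA in the container instead; if it is a temporary Galaxy certificate problem, the flag should carry a comment with the reason and a removal condition, e.g. `# TODO(<OWNER>): remove once <REASON> is resolved`. Verification is the control here, so pinning `version:` in requirements.yml would not compensate for turning it off.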
From: Sebastian Gumprich Date: Sat, 8 Sep 2018 14:56:45 +0200 Subject: [PATCH 4/7] only run certain tests in travis and kitchen --- .kitchen.yml | 19 ++++++++++++++++++- .travis.yml | 5 +++-- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index b344e709..97831fd5 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -86,7 +86,24 @@ verifier: name: inspec sudo: true inspec_tests: - - https://github.com/dev-sec/nginx-baseline + - ../nginx-baseline + #- https://github.com/dev-sec/nginx-baseline + controls: + - nginx-01 + - nginx-02 + - nginx-03 + - nginx-04 + - nginx-05 + - nginx-06 + - nginx-07 + - nginx-08 + - nginx-09 + - nginx-10 + - nginx-12 + - nginx-13 + - nginx-14 + - nginx-15 + - nginx-17 suites: - name: nginx diff --git a/.travis.yml b/.travis.yml index 48c51f80..31026217 100644 --- a/.travis.yml +++ b/.travis.yml 
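Review bot: `inspec_tests` now points at `../nginx-baseline`, an unversioned sibling checkout that does not exist for anyone who clones only this repository, while the reproducible URL form is left commented out. If a local checkout is needed for development, keep the URL as the default — ideally pinned to a release tag through kitchen-inspec's git source form — and document the local override in a comment rather than committing it. The explicit `controls:` list omits nginx-11 and nginx-16 without saying why; a comment naming the cause (not applicable in Docker, upstream issue, etc.) keeps the exclusion from becoming permanent by accident.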
@@ -54,13 +54,14 @@ script: - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-nginx-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' # Install ansible galaxy requirements - - 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/' + - 'docker exec "$(cat ${container_id})" ansible-galaxy -c install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/' # Test role. - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/tests/test.yml -vv' # Verify role - - 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id})' + #- 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id}) --controls=nginx-01 nginx-02 nginx-03 nginx-04 nginx-05 nginx-06 nginx-07 nginx-08 nginx-09 nginx-10 nginx-12 nginx-13 nginx-14 nginx-15 nginx-17 --no-distinct-exit' + - 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id}) --controls=nginx-01 nginx-02 nginx-03 nginx-05 nginx-06 nginx-07 nginx-08 nginx-09 nginx-10 nginx-12 nginx-13 nginx-15 nginx-17 --no-distinct-exit' notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ From 04f0a433c958305b6772babc948b4025e3591318 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 8 Sep 2018 14:58:36 +0200 Subject: [PATCH 5/7] remove useless params --- defaults/main.yml | 2 -- tasks/main.yml | 3 --- templates/hardening.conf.j2 | 22 ++++++++++------------ vars/Debian.yml | 4 ---- vars/Oracle Linux.yml | 4 ---- vars/RedHat.yml | 4 ---- vars/main.yml | 1 + 7 files changed, 11 insertions(+), 29 deletions(-) delete mode 100644 vars/Debian.yml delete mode 100644 vars/Oracle Linux.yml delete mode 100644 vars/RedHat.yml diff --git a/defaults/main.yml b/defaults/main.yml index 434d9f79..13bc790c 100644 
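Review bot: The new `inspec exec` line drops nginx-04 and nginx-14 from `--controls`, which the commented-out line directly above it still contains and which the `.kitchen.yml` hunk in this same patch still runs, so Travis and kitchen now verify different baselines with nothing recording why. Either remove the two controls from both lists with a comment naming the cause, or keep them in Travis; a commented-out copy of the previous command is not a substitute for that explanation. `--no-distinct-exit` is fine for a CI gate, but worth a short comment since it changes how a skipped control is reported.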
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -25,7 +25,5 @@ nginx_set_cookie_flag: "* HttpOnly secure" nginx_ssl_prefer_server_ciphers: "on" nginx_ssl_protocols: "TLSv1.2" nginx_ssl_ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" -nginx_ssl_prefer_server_ciphers: "on" nginx_ssl_session_tickets: "off" -nginx_dh_param: "{{nginx_root_dir}}/dh{{nginx_dh_size}}.pem" nginx_dh_size: "2048" diff --git a/tasks/main.yml b/tasks/main.yml index bd3848ac..e902dbe2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,4 @@ --- -- name: add the OS specific variables - include_vars: "{{ ansible_os_family }}.yml" - - name: config should not be worldwide read- or writeable file: path: "/etc/nginx" diff --git a/templates/hardening.conf.j2 b/templates/hardening.conf.j2 index 1e250cb2..a2ca2e6b 100644 --- a/templates/hardening.conf.j2 +++ b/templates/hardening.conf.j2 
@@ -1,18 +1,16 @@ # {{ansible_managed|comment}} # Additional configuration for Nginx. -client_header_buffer_size {{nginx_client_header_buffer_size}}; +client_header_buffer_size {{nginx_client_header_buffer_size}}; large_client_header_buffers {{nginx_large_client_header_buffers}}; -client_body_timeout {{nginx_client_body_timeout}}; -client_header_timeout {{nginx_client_header_timeout}}; -send_timeout {{nginx_send_timeout}}; -limit_conn_zone {{nginx_limit_conn_zone}}; -limit_conn {{nginx_limit_conn}}; -set_cookie_flag {{nginx_set_cookie_flag}}; -ssl_ciphers '{{nginx_ssl_ciphers}}'; -ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}}; -ssl_session_tickets {{nginx_ssl_session_tickets}}; -ssl_dhparam {{nginx_dh_param}}; +client_body_timeout {{nginx_client_body_timeout}}; +client_header_timeout {{nginx_client_header_timeout}}; +send_timeout {{nginx_send_timeout}}; +limit_conn_zone {{nginx_limit_conn_zone}}; +limit_conn {{nginx_limit_conn}}; +ssl_ciphers '{{nginx_ssl_ciphers}}'; +ssl_session_tickets {{nginx_ssl_session_tickets}}; +ssl_dhparam /etc/nginx/dh{{nginx_dh_size}}.pem; {% for header in nginx_add_header %} -add_header {{header}}; +add_header {{header}}; {% endfor %} diff --git a/vars/Debian.yml b/vars/Debian.yml deleted file mode 100644 index 3d85fa59..00000000 --- a/vars/Debian.yml +++ /dev/null @@ -1,4 +0,0 @@ -nginx_root_dir: '/etc/nginx' -nginx_config_conf_dir: '/etc/nginx/conf.d' -nginx_default_conf: '/etc/nginx/sites-enabled/default' -nginx_service_name: 'nginx' diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml deleted file mode 100644 index 6ec8bc25..00000000 --- a/vars/Oracle Linux.yml +++ /dev/null @@ -1,4 +0,0 @@ -nginx_root_dir: '/etc/nginx' -nginx_config_conf_dir: '/etc/nginx/conf.d' -nginx_default_conf: '/etc/nginx/conf.d/default.conf' -nginx_service_name: 'nginx' diff --git a/vars/RedHat.yml b/vars/RedHat.yml deleted file mode 100644 index 6ec8bc25..00000000 --- a/vars/RedHat.yml +++ /dev/null 
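Review bot: `set_cookie_flag` leaves the template, but `nginx_set_cookie_flag: "* HttpOnly secure"` stays in defaults/main.yml (visible as context in this patch's defaults hunk), so the role now advertises a cookie-flag default that nothing renders and an operator reading defaults would assume cookies are being hardened; remove the variable or mark it in defaults with `# unused: set_cookie_flag requires a third-party nginx module and is no longer rendered`. `ssl_prefer_server_ciphers` also leaves the template while `nginx_ssl_prefer_server_ciphers` remains a default; that one is still consumed by the nginx.conf `lineinfile` task, which deserves a comment at the default now that the template no longer shows the connection. The trailing-whitespace cleanup on the other lines is welcome.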
@@ -1,4 +0,0 @@
-nginx_root_dir: '/etc/nginx'
-nginx_config_conf_dir: '/etc/nginx/conf.d'
-nginx_default_conf: '/etc/nginx/conf.d/default.conf'
-nginx_service_name: 'nginx'
diff --git a/vars/main.yml b/vars/main.yml
index e69de29b..ed97d539 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1 @@
+---
From efde23aac42467a0393fbb4b62d7ae97c50d5c8f Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Sat, 8 Sep 2018 14:59:13 +0200
Subject: [PATCH 6/7] use restart instead of reload, fix syntax
---
handlers/main.yml | 6 +++--
tasks/main.yml | 57 +++++++++++++++++++++++++++++------------------
2 files changed, 39 insertions(+), 24 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index e2dd2895..97c58cb9 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,4 @@
-- name: reload nginx
- service: name={{ nginx_service_name }} state=reloaded
+- name: restart nginx
+ service:
+ name: "nginx"
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index e902dbe2..b285c267 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -10,58 +10,71 @@ - name: create additional configuration template: src: "hardening.conf.j2" - dest: "{{ nginx_config_conf_dir }}/90.hardening.conf" + dest: "/etc/nginx/conf.d/90.hardening.conf" owner: "root" group: "root" - notify: reload nginx + notify: restart nginx - name: change configuration in main nginx.conf lineinfile: dest: "/etc/nginx/nginx.conf" - regexp: "^\\s*server_tokens" - line: "server_tokens {{ nginx_server_tokens }};" + regexp: '^\s*server_tokens' + line: " server_tokens {{ nginx_server_tokens }};" insertafter: "http {" - notify: reload nginx + notify: restart nginx - name: change ssl_protocols in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*ssl_protocols" line="ssl_protocols {{nginx_ssl_protocols}};" insertafter="http {" - notify: reload nginx + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: '^\s*ssl_protocols' + line: " ssl_protocols {{nginx_ssl_protocols}};" + insertafter: "http {" + notify: restart nginx - name: change ssl_prefer_server_ciphers in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*ssl_prefer_server_ciphers" line="ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}};" insertafter="http {" - notify: reload nginx + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: '^\s*ssl_prefer_server_ciphers' + line: " ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}};" + insertafter: "http {" + notify: restart nginx - name: change client_max_body_size in main nginx.conf lineinfile: dest: "/etc/nginx/nginx.conf" - regexp: "^\\s*client_max_body_size" - line: "client_max_body_size {{ nginx_client_max_body_size }};" + regexp: '^\s*client_max_body_size' + line: " client_max_body_size {{ nginx_client_max_body_size }};" insertafter: "http {" - notify: reload nginx + notify: restart nginx - name: change client_body_buffer_size in main nginx.conf lineinfile: dest: "/etc/nginx/nginx.conf" - regexp: "^\\s*client_body_buffer_size" - line: "client_body_buffer_size {{ 
nginx_client_body_buffer_size }};" + regexp: '^\s*client_body_buffer_size' + line: " client_body_buffer_size {{ nginx_client_body_buffer_size }};" insertafter: "http {" - notify: reload nginx + notify: restart nginx - name: change keepalive_timeout in main nginx.conf lineinfile: dest: "/etc/nginx/nginx.conf" - regexp: "^\\s*keepalive_timeout" - line: "keepalive_timeout {{ nginx_keepalive_timeout }};" + regexp: '^\s*keepalive_timeout' + line: " keepalive_timeout {{ nginx_keepalive_timeout }};" insertafter: "http {" - notify: reload nginx + notify: restart nginx - name: remove default.conf file: - path: "{{ nginx_default_conf }}" + path: "{{ item }}" state: absent when: nginx_remove_default_site - notify: reload nginx + notify: restart nginx + loop: + - "/etc/nginx/conf.d/default.conf" + - "/etc/nginx/sites-enabled/default" - name: generate dh group - command: openssl dhparam -out {{ nginx_dh_param }} {{ nginx_dh_size }} creates={{ nginx_dh_param }} - notify: reload nginx + command: "openssl dhparam -out /etc/nginx/dh{{nginx_dh_size}}.pem {{ nginx_dh_size }}" + args: + creates: "/etc/nginx/dh{{nginx_dh_size}}.pem" + notify: restart nginx From d343513bd47809980b1baf791dd9dd153774c9d1 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 8 Sep 2018 14:59:30 +0200 Subject: [PATCH 7/7] use geerlinggux.nginx and fix tests --- requirements.yml | 1 + tests/test.yml | 12 +++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index edf88b04..0560ff5f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1 +1,2 @@ - src: nginxinc.nginx +- src: geerlingguy.nginx diff --git a/tests/test.yml b/tests/test.yml index 8f43b192..e180140c 100644 --- a/tests/test.yml +++ b/tests/test.yml 
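Review bot: Every `lineinfile` edit of `/etc/nginx/nginx.conf` in this hunk now notifies `restart nginx` (the handlers/main.yml hunk in this patch), but none of them validates the result, so a typo in one of the six inserted directives or a value an older nginx rejects takes the service fully down at handler time instead of failing a reload while the old configuration keeps serving. Add `validate: "nginx -t -c %s"` to the nginx.conf `lineinfile` tasks so the edit is refused before the handler fires (this works as long as nginx.conf's includes use absolute paths, which the `/etc/nginx/conf.d/...` destinations here suggest); the template dropped into `conf.d` cannot be validated in isolation, so an `nginx -t` before the restart, or returning the handler to `reloaded`, is the backstop there. The `insertafter: "http {"` fallback places a missing directive immediately inside `http {` and the `line:` values carry a hard-coded four-space indent, which is cosmetic but worth a one-line comment.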
@@ -1,7 +1,17 @@ --- - name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings hosts: localhost + vars: + - nginx_ppa_use: true + - nginx_ppa_version: stable pre_tasks: + - apt_repository: + repo: "deb http://ftp.debian.org/debian jessie-backports main" + state: present + when: ansible_distribution == 'Debian' and ansible_distribution_major_version == '8' + - set_fact: + nginx_default_release: "jessie-backports" + when: ansible_distribution == 'Debian' and ansible_distribution_major_version == '8' - package: name="{{item}}" state=installed with_items: - "systemd" @@ -11,5 +21,5 @@ - "systemd" ignore_errors: true roles: - - nginxinc.nginx + - geerlingguy.nginx - ansible-nginx-hardening
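Review bot: `vars:` is written as a list of one-key mappings (`- nginx_ppa_use: true`), which Ansible accepts but newer releases warn is deprecated play syntax; the plain mapping form, `nginx_ppa_use: true` and `nginx_ppa_version: stable` directly under `vars:`, is what the rest of the file's style implies. The `apt_repository` entry fetches `jessie-backports` over plain `http://`; apt's signature check still covers the index, so the larger maintenance risk is the `when:` condition duplicated verbatim on the `set_fact` below it — wrapping the two Debian-8 steps in one `block:` with a single `when:` keeps them from drifting apart.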