improve nginx security

2022-05-28 19:07:15 +02:00
parent b7d81dc75e
commit ca1aa3dc5e
6 changed files with 29 additions and 15 deletions
--- a/roles/webserver/defaults/main.yaml
+++ b/roles/webserver/defaults/main.yaml
@ -1,4 +1,5 @@
 webserver:
  - domain: "_"
    port: 8080
+    bigrequests: false
 ...
--- a/roles/webserver/templates/nginx.conf
+++ b/roles/webserver/templates/nginx.conf
@ -43,7 +43,6 @@ http {
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
 	    proxy_set_header    Upgrade $http_upgrade;
 	    proxy_set_header    Connection $http_connection;
-        client_max_body_size    8G;
        client_body_buffer_size 128k;
        proxy_connect_timeout   90;
        proxy_send_timeout 120;
@ -53,6 +52,7 @@ http {
        proxy_busy_buffers_size    256k;
        proxy_buffering    off;
        proxy_request_buffering off;
+        server_tokens off;

        server {

@ -69,6 +69,9 @@ http {
            server_name {{ server.domain }};
            ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
            ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+            {%- if server.bigrequests %}
+            client_max_body_size    8G;
+            {%- endif %}
            location /{
                proxy_pass  http://127.0.0.1:{{ server.port }};
            }