phil 719fc93598 Create dhparams only for gateways or standalone servers
Fix lint warnings
3 months ago
defaults Enable gzip compression 3 months ago
files Add fail2ban configuration 3 months ago
handlers Add fail2ban configuration 3 months ago
meta Add more configuration files and templates 3 months ago
tasks Create dhparams only for gateways or standalone servers 3 months ago
templates Fix quotation 3 months ago
README.md Configure logging 3 months ago

README.md

Nginx

A role to install and configure Nginx.

Dependencies

Run this role after you have installed fail2ban.

Variables

| Name | Default | Notes |
|------|---------|-------|
| nginx_port | 80 | Listen port for Nginx |
| nginx_package_name | nginx-full | Name of the Debian package to install |
| nginx_bad_client_ip | | List of IP addresses to deny access |
| nginx_type | | gateway for a Reverse Proxy, standalone for a frontend webserver, backend for a backend webserver (behind a Reverse Proxy) |
| nginx_proxy_headers_hash_bucket_size | 64 | |
| nginx_http_version | 1.1 | documentation |
| nginx_gzip | | documentation |
| nginx_gzip_types | --> defaults/main.yaml | |
| nginx_server_tokens | off | |
| nginx_access_log | off | Path and configuration for access log |
| dhparam_path | /etc/ssl/private/dhparam.pem | Path to dhparam file |
| dhparam_size | 4096 | Size (in bits) of the generated DH-params |

Rate limiting

Limiting the Request Rate

You can use Nginx's rate limiting to slow down brute-force attacks. The following zones are available:

| Zone name | Filter | Limit |
|-----------|--------|-------|
| req_ip_one | IP address | 10r/s |
| req_ip_two | IP address | 1r/s |
| req_server_one | Domain | 10r/s |
| req_server_two | Domain | 1r/s |

Add such a zone to your server or location block:

limit_req zone=req_ip_one burst=5 nodelay;
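
What `burst=5 nodelay` lets through from a single address under each per-IP zone rate, as an added example that is not part of this role: a Python model of the per-key accounting done by nginx's limit_req module. The function names and the flood input are constructed for illustration.

```python
"""Model of nginx limit_req accounting for one key (e.g. one client IP)."""


def simulate(arrivals_ms, rate_per_s, burst):
    """Return one verdict per request: True = passed, False = rejected.

    Follows the leaky-bucket bookkeeping of ngx_http_limit_req_module with
    nodelay: 'excess' is kept in thousandths of a request, drains at the
    zone rate, and a request is rejected when excess would exceed burst.
    """
    rate = rate_per_s * 1000        # milli-requests drained per second
    limit = burst * 1000
    excess = last = None            # None = key not yet seen in the zone
    verdicts = []
    for now in arrivals_ms:
        if excess is None:
            new_excess = 0          # first request for a key costs nothing
        else:
            drained = rate * (now - last) // 1000
            new_excess = max(excess - drained + 1000, 0)
        if new_excess > limit:
            verdicts.append(False)  # rejected; stored state is not updated
            continue
        excess, last = new_excess, now
        verdicts.append(True)
    return verdicts


def passed(arrivals_ms, rate_per_s, burst):
    """Number of requests that were let through."""
    return sum(simulate(arrivals_ms, rate_per_s, burst))


# Constructed input: one client sending 100 requests/s for 10 seconds.
FLOOD = list(range(0, 10_000, 10))

if __name__ == "__main__":
    for zone, rate in (("req_ip_one", 10), ("req_ip_two", 1)):
        print(zone, passed(FLOOD, rate, burst=5), "of", len(FLOOD), "passed")
```

Rejected requests receive the `limit_req_status` response, which is 503 unless configured otherwise.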

Limiting the Number of Connections

You can also limit the number of connections:

| Zone name | Filter | Limit |
|-----------|--------|-------|
| con_ip_one | IP address | No default limit |

Bad Bot Blocker

This role uses a deny list from the nginx-ultimate-bad-bot-blocker repository.

Include the list in your server block with:

if ($bad_bots = 1) {return 444;}