ansible-role-nginx/README.md

Nginx
=====

A role to install and configure Nginx.

## Dependencies

Run this role after you have installed fail2ban.

## Variables

| Name | Default | Notes |
|--|--|--|
| `nginx_port` | `80` | Listen port for Nginx |
| `nginx_package_name` | `nginx-full` | Name of the Debian package to install |
| `nginx_bad_client_ip` | | List of IP address to deny access |
| `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) |
| `nginx_proxy_headers_hash_bucket_size` | `64` | |
| `nginx_http_version` | `1.1` | [documentation](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version) |
| `nginx_gzip` | | [documentation](https://nginx.org/en/docs/http/ngx_http_gzip_module.html) |
| `nginx_gzip_types` | --> `defaults/main.yaml` | |
| `nginx_server_tokens` | `off` | |
| `nginx_access_log` | `off` | Path and configuration for access log |
| `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file |
| `dhparam_size` | `4096` | Size (in bits) of the generated DH-params |

## Rate limiting
### Limiting the Request Rate

You can use Nginx' [Rate Limiting](https://www.nginx.com/blog/rate-limiting-nginx/) to slow down brute force attacks.
The following zones are available:

| Zone name | Filter | Limit |
|--|--|--|
| `req_ip_one` | IP address | 10r/s |
| `req_ip_two` | IP address | 1r/s |
| `req_server_one` | Domain | 10r/s |
| `req_server_two` | Domain | 1r/s |

Add such a zone to your `server` or `location` block:
```Shell
limit_req zone=req_ip_one burst=5 nodelay;
```

### Limiting the Number of Connections

You can also limit the number of [connection](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/):

| Zone name | Filter | Limit |
|--|--|--|
| `con_ip_one` | IP address | No default limit |

## Bad Bot Blocker

This roles uses a deny list from the [nginx-ultimate-bad-bot-blocker](https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker) repository.

Include the list in your `server` block with:
```Shell
if ($bad_bots = 1) {return 444;}
```
nginx: Aktualisiere Rolle. Dient nun zur allgemeinen Einrichtung von Nginx 2022-06-19 20:30:17 +02:00			`Nginx`
			`=====`

Add fail2ban configuration 2023-03-11 21:35:10 +01:00			`A role to install and configure Nginx.`

			`## Dependencies`

			`Run this role after you have installed fail2ban.`
Add more configuration files and templates 2023-03-11 18:18:27 +01:00
			`## Variables`

			`\| Name \| Default \| Notes \|`
			`\|--\|--\|--\|`
			\| `nginx_port` \| `80` \| Listen port for Nginx \|
			\| `nginx_package_name` \| `nginx-full` \| Name of the Debian package to install \|
			\| `nginx_bad_client_ip` \| \| List of IP address to deny access \|
			\| `nginx_type` \| \| `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) \|
Add variable 2023-03-11 19:39:40 +01:00			\| `nginx_proxy_headers_hash_bucket_size` \| `64` \| \|
Enable gzip compression 2023-03-11 20:52:04 +01:00			\| `nginx_http_version` \| `1.1` \| [documentation](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version) \|
			\| `nginx_gzip` \| \| [documentation](https://nginx.org/en/docs/http/ngx_http_gzip_module.html) \|
			\| `nginx_gzip_types` \| --> `defaults/main.yaml` \| \|
Add hint and another variable 2023-03-11 21:25:09 +01:00			\| `nginx_server_tokens` \| `off` \| \|
Configure logging 2023-03-11 21:39:23 +01:00			\| `nginx_access_log` \| `off` \| Path and configuration for access log \|
Add more configuration files and templates 2023-03-11 18:18:27 +01:00			\| `dhparam_path` \| `/etc/ssl/private/dhparam.pem` \| Path to dhparam file \|
Generate dhparam file 2023-03-11 18:23:26 +01:00			\| `dhparam_size` \| `4096` \| Size (in bits) of the generated DH-params \|
Add information about request limits 2023-03-11 18:46:49 +01:00
			`## Rate limiting`
			`### Limiting the Request Rate`

Add hint and another variable 2023-03-11 21:25:09 +01:00			`You can use Nginx' [Rate Limiting](https://www.nginx.com/blog/rate-limiting-nginx/) to slow down brute force attacks.`
Add information about request limits 2023-03-11 18:46:49 +01:00			`The following zones are available:`

			`\| Zone name \| Filter \| Limit \|`
			`\|--\|--\|--\|`
Change limit defaults 2023-03-11 18:48:54 +01:00			\| `req_ip_one` \| IP address \| 10r/s \|
			\| `req_ip_two` \| IP address \| 1r/s \|
			\| `req_server_one` \| Domain \| 10r/s \|
			\| `req_server_two` \| Domain \| 1r/s \|
Add information about request limits 2023-03-11 18:46:49 +01:00
Add hint and another variable 2023-03-11 21:25:09 +01:00			Add such a zone to your `server` or `location` block:
			```Shell
			`limit_req zone=req_ip_one burst=5 nodelay;`
			```

Add information about request limits 2023-03-11 18:46:49 +01:00			`### Limiting the Number of Connections`

			`You can also limit the number of [connection](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/):`

			`\| Zone name \| Filter \| Limit \|`
			`\|--\|--\|--\|`
			\| `con_ip_one` \| IP address \| No default limit \|
Add bad bot block list 2023-03-11 20:20:42 +01:00
			`## Bad Bot Blocker`

			`This roles uses a deny list from the [nginx-ultimate-bad-bot-blocker](https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker) repository.`

			Include the list in your `server` block with:
			```Shell
			`if ($bad_bots = 1) {return 444;}`
			```