Nginx
A role to install and configure Nginx.
Dependencies
Run this role after you have installed fail2ban.
Variables
Name | Default | Notes |
---|---|---|
nginx_port | 80 | Listen port for Nginx |
nginx_package_name | nginx-full | Name of the Debian package to install |
nginx_bad_client_ip | | List of IP addresses to deny access |
nginx_type | | gateway for a Reverse Proxy, standalone for a frontend webserver, backend for a backend webserver (behind a Reverse Proxy) |
nginx_proxy_headers_hash_bucket_size | 64 | |
nginx_http_version | 1.1 | documentation |
nginx_gzip | | documentation |
nginx_gzip_types | --> defaults/main.yaml | |
nginx_server_tokens | off | |
nginx_access_log | off | Path and configuration for access log |
dhparam_path | /etc/ssl/private/dhparam.pem | Path to dhparam file |
dhparam_size | 4096 | Size (in bits) of the generated DH-params |
Rate limiting
Limiting the Request Rate
You can use Nginx's rate limiting to slow down brute force attacks. The following zones are available:
Zone name | Filter | Limit |
---|---|---|
req_ip_one | IP address | 10r/s |
req_ip_two | IP address | 1r/s |
req_server_one | Domain | 10r/s |
req_server_two | Domain | 1r/s |
Add such a zone to your server or location block:
limit_req zone=req_ip_one burst=5 nodelay;
Limiting the Number of Connections
You can also limit the number of connections:
Zone name | Filter | Limit |
---|---|---|
con_ip_one | IP address | No default limit |
Bad Bot Blocker
This role uses a deny list from the nginx-ultimate-bad-bot-blocker repository.
Include the list in your server block with:
if ($bad_bots = 1) {return 444;}
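
The directives from the rate limiting, connection limiting and bad bot sections combined in one server block, as an added example that is not part of the role itself. It assumes the role has already declared the zones and the $bad_bots variable in the http context; the server name, paths, backend address, burst value on /login and the connection limit of 20 are constructed for illustration.

```nginx
# Added example, not the role's own configuration.
# Assumes req_ip_one, req_ip_two, con_ip_one and $bad_bots are defined
# in the http context by the role. All other values are constructed.
server {
    listen 80;
    server_name example.com;

    # 444 closes the connection without sending a response.
    if ($bad_bots = 1) { return 444; }

    # Answer throttled clients with 429 instead of the default 503, so
    # rate-limit hits are distinguishable from backend failures in logs.
    limit_req_status 429;
    limit_conn_status 429;

    # Site-wide default: 10r/s per client IP, up to 5 excess requests
    # served immediately, anything beyond that rejected.
    limit_req zone=req_ip_one burst=5 nodelay;

    # con_ip_one has no default limit, so the zone has no effect until
    # a limit_conn directive sets one (20 is an assumed value).
    limit_conn con_ip_one 20;

    location / {
        proxy_pass http://127.0.0.1:8080;  # hypothetical backend
    }

    # Credential endpoint: 1r/s per client IP. A limit_req at this level
    # replaces the inherited server-level one, so only req_ip_two applies.
    location /login {
        limit_req zone=req_ip_two burst=3 nodelay;
        proxy_pass http://127.0.0.1:8080;  # hypothetical backend
    }
}
```

Check the result with `nginx -t` before reloading.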