Nginx

A role to install and configure Nginx.

Dependencies

Run this role after you have installed fail2ban.

Variables

| Name | Default | Notes |
|---|---|---|
| nginx_port | 80 | Listen port for Nginx |
| nginx_package_name | nginx-full | Name of the Debian package to install |
| nginx_bad_client_ip | | List of IP addresses to deny access |
| nginx_type | | gateway for a Reverse Proxy, standalone for a frontend webserver, backend for a backend webserver (behind a Reverse Proxy) |
| nginx_proxy_headers_hash_bucket_size | 64 | |
| nginx_http_version | 1.1 | documentation |
| nginx_gzip | | documentation |
| nginx_gzip_types | --> defaults/main.yaml | |
| nginx_server_tokens | off | |
| nginx_access_log | off | Path and configuration for access log |
| dhparam_path | /etc/ssl/private/dhparam.pem | Path to dhparam file |
| dhparam_size | 4096 | Size (in bits) of the generated DH-params |

Rate limiting

Limiting the Request Rate

You can use Nginx's rate limiting to slow down brute force attacks. The following zones are available:

| Zone name | Filter | Limit |
|---|---|---|
| req_ip_one | IP address | 10r/s |
| req_ip_two | IP address | 1r/s |
| req_server_one | Domain | 10r/s |
| req_server_two | Domain | 1r/s |

Add such a zone to your server or location block:

limit_req zone=req_ip_one burst=5 nodelay;

Limiting the Number of Connections

You can also limit the number of connections:

| Zone name | Filter | Limit |
|---|---|---|
| con_ip_one | IP address | No default limit |
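
The request and connection zones above applied together in one server block, as an added example that is not taken from this role's templates. The server name, the backend address, the `/login` path, the `burst=3` value and the numeric connection limit are assumptions; the zone names are the ones listed in the tables and are expected to be defined in the `http` context.

```nginx
# Added example; not part of the role's own configuration.
# Assumed values: server_name, backend address, /login path,
# burst=3 and the limit_conn maximum.
server {
    listen 80;
    server_name example.com;            # placeholder

    # Answer throttled clients with 429 instead of the default 503, so
    # throttling is distinguishable from backend failures in the logs.
    limit_req_status  429;
    limit_conn_status 429;

    # Rejections are written to the error log at this level; delayed
    # requests are logged one level lower.
    limit_req_log_level warn;

    # con_ip_one has no default limit, so it has no effect until a
    # maximum is set here (20 is an assumed value).
    limit_conn con_ip_one 20;

    # Site-wide: 10 r/s per client IP. burst=5 with nodelay serves up to
    # 5 excess requests immediately and rejects anything beyond that.
    limit_req zone=req_ip_one burst=5 nodelay;

    location /login {
        # limit_req is inherited only when a level defines none of its
        # own, so the site-wide zone is repeated next to the strict one.
        limit_req zone=req_ip_one burst=5 nodelay;
        limit_req zone=req_ip_two burst=3 nodelay;   # 1 r/s per IP
        proxy_pass http://127.0.0.1:8080;            # assumed backend
    }

    location / {
        proxy_pass http://127.0.0.1:8080;            # assumed backend
    }
}
```

After changing limits, validate the configuration with `nginx -t` before reloading.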

Bad Bot Blocker

This role uses a deny list from the nginx-ultimate-bad-bot-blocker repository.

Include the list in your server block with:

if ($bad_bots = 1) {return 444;}