-
Notifications
You must be signed in to change notification settings - Fork 1
/
main.yaml
112 lines (112 loc) · 3.44 KB
/
main.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
---
nginx:
security_headers: []
prefix:
config: >-
{%- if ansible_system == 'Linux' -%}
/etc/nginx
{%- else -%}
/usr/local/etc/nginx
{%- endif -%}
log: /var/log/nginx
modsecurity:
config: "/usr/local/etc/modsecurity"
log: /var/log/modsecurity
worker_processes: 8
user: "{{ 'www-data' if ansible_system == 'Linux' else 'www' }}"
nameservers:
- '[2606:4700:4700::1111]:53'
- '[2606:4700:4700::1001]:53'
nameservers_valid: 300s
nameservers_ipv6: "on"
server_names_hash_max_size:
server_names_hash_bucket_size:
dhparam_bits: 4096
moved_permanently: {}
client_max_body_size: 100M
redirects: {}
real_ip_header: X-Real-IP
set_real_ip_from: {}
proxy_ssl_trusted_certificate: >-
{%- if ansible_system == 'Linux' -%}
/etc/ssl/certs/ca-certificates.crt
{%- else -%}
/usr/local/share/certs/ca-root-nss.crt
{%- endif -%}
hsts:
max_age: 31536000
include_subdomains: no
preload: no
log_format: main
log_formats:
json:
fields:
host: $host
remote_addr: $remote_addr
remote_user: $remote_user
time_iso8601: $time_iso8601
request_method: $request_method
request_uri: $request_uri
server_protocol: $server_protocol
status: $status
body_bytes_sent: $body_bytes_sent
http_referer: $http_referer
http_user_agent: $http_user_agent
http_x_forwarded_for: $http_x_forwarded_for
http_x_real_ip: $http_x_real_ip
request_id: $request_id
request_time: $request_time
bytes_sent: $bytes_sent
request_length: $request_length
connection: $connection
connection_requests: $connection_requests
sent_http_content_type: $sent_http_content_type
dnt: $dnt
ansible_info:
server_name:
private_api:
dynamic_modules_path: >-
{%- if ansible_system == 'Linux' -%}
/usr/lib/nginx/modules
{%- else -%}
/usr/local/libexec/nginx
{%- endif -%}
dynamic_modules:
ngx_http_headers_more_filter_module.so: "{{ false if ansible_system == 'Linux' else true }}"
ngx_http_modsecurity_module.so: "{{ true if vars.nginx.modsecurity.enabled else false }}"
ngx_stream_module.so: false
htpasswd: {}
stub_status_port:
modsecurity:
enabled: false
dry_run: true
owasp_crs:
enabled: true
version: 3.3.5
config:
SecRuleEngine: "{{ 'DetectionOnly' if vars.nginx.modsecurity.dry_run else 'On' }}"
SecRequestBodyAccess: "On"
SecRequestBodyLimit: "{{ vars.nginx.client_max_body_size | ansible.builtin.human_to_bytes }}"
SecRequestBodyNoFilesLimit: 131072
SecRequestBodyLimitAction: Reject
SecRequestBodyJsonDepthLimit: 512
SecPcreMatchLimit: 1000
SecPcreMatchLimitRecursion: 1000
SecResponseBodyAccess: "On"
SecResponseBodyMimeType: text/plain text/html text/xml
SecResponseBodyLimit: 524288
SecResponseBodyLimitAction: ProcessPartial
SecTmpDir: /tmp/
SecDataDir: /tmp/
SecAuditEngine: RelevantOnly
SecAuditLogRelevantStatus: "\"^(?:5|4(?!04))\""
SecAuditLogParts: ABIJDFHZ
SecAuditLogType: Serial
SecAuditLog: "{{ vars.nginx.prefix.modsecurity.log }}/audit.log"
SecArgumentSeparator: "&"
SecCookieFormat: 0
SecUnicodeMapFile: unicode.mapping 20127
SecStatusEngine: "Off" # telemetry
SecAuditLogFormat: json
actions: {}
rules: {}