Merge pull request #29 from hexadecimalDinosaur/nginx-security-updates

NGINX security updates
hexadecimalDinosaur · Dec 3, 2023 · ae594bd · ae594bd
2 parents 7935045 + 6ccebbb
commit ae594bd
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 2 deletions.
diff --git a/ansible/nginx.conf b/ansible/nginx.conf
@@ -5,4 +5,5 @@ server {
                 proxy_set_header Host $host;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         }
+        server_tokens off;
 }
diff --git a/ansible/nginx.yml b/ansible/nginx.yml
@@ -12,9 +12,29 @@
       ansible.builtin.wait_for_connection:
         timeout: 300
   tasks:
+    - name: Install nginx repository prerequisites
+      ansible.builtin.package:
+        name:
+          - curl
+          - gnupg2
+          - ca-certificates
+          - lsb-release
+          - debian-archive-keyring
+        state: present
+    - name: Get NGINX keyring
+      ansible.builtin.shell: >
+        curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+    - name: Install NGINX repository
+      ansible.builtin.shell: >
+        echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
+    - name: Setup Repository pinning
+      ansible.builtin.shell: >
+        echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx
     - name: Install nginx
       ansible.builtin.package:
-        name: nginx
+        name:
+          - nginx
+          - nginx-extras
         state: present
       notify: Restart nginx
     - name: Copy nginx config

diff --git a/deploy_bundle/nginx.conf b/deploy_bundle/nginx.conf
@@ -5,4 +5,5 @@ server {
                 proxy_set_header Host $host;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         }
+        server_tokens off;
 }
diff --git a/deploy_bundle/nginx.yml b/deploy_bundle/nginx.yml
@@ -12,9 +12,29 @@
       ansible.builtin.wait_for_connection:
         timeout: 300
   tasks:
+    - name: Install nginx repository prerequisites
+      ansible.builtin.package:
+        name:
+          - curl
+          - gnupg2
+          - ca-certificates
+          - lsb-release
+          - debian-archive-keyring
+        state: present
+    - name: Get NGINX keyring
+      ansible.builtin.shell: >
+        curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+    - name: Install NGINX repository
+      ansible.builtin.shell: >
+        echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
+    - name: Setup Repository pinning
+      ansible.builtin.shell: >
+        echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx
     - name: Install nginx
       ansible.builtin.package:
-        name: nginx
+        name:
+          - nginx
+          - nginx-extras
         state: present
       notify: Restart nginx
     - name: Copy nginx config