Open afeld opened 7 years ago
Likely of interest: https://github.com/dev-sec/ansible-nginx-hardening
@maverickquant Are any of these blockers to deploying in our real environment? Hoping we can come back to some/most later.
Restrict Access by IP from Nginx. Limit Input Traffic via IPTables.
Definitely. Those blockers can be revisited.
Question from the ISE SecDevOps Survey:
What does current content align to, i.e. (CIS, vendor, other resource)?
From @maverickquant:
Other General Nginx Security concerns and recommendations:
[ ] Disable Unwanted HTTP Methods in Nginx
[ ] Disable weak cipher suites - Enable Strong TLS Ciphers
Set your cipher strength to something secure, yet compatible. Add the following under the server block in the ssl.conf file:
Not sure if there is a GSA standard for these ciphers. Will confirm and let you know.
[x] Avoid self-signed certs especially in prod.
[ ] Remove Unnecessary Modules in Nginx -if any
[ ] Setup Monitor Logs for Nginx
[ ] proxy_ssl_verify: on :: ensure on :: Verifies the validity of certificates.
[ ] Restrict Access by IP from Nginx.
[ ] Limit Input Traffic via IPTables.
[x] Disable server_tokens Directive in Nginx. The server_tokens directive tells Nginx to display its current version on error pages.
Crossed off items that I don't believe are applicable.
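The following is an added example, not configuration from this issue thread or from the project's repository. It shows one nginx vhost that implements the checklist items above (server_tokens, strong TLS ciphers, method restriction, IP allow-listing, proxy_ssl_verify, and per-vhost logging), with the weak settings left in comments next to the hardened ones. It is meant to live in the http context (for example a conf.d file); the hostname, backend address, certificate paths and allowed IP ranges are placeholders, and the cipher list is the Mozilla "intermediate" set rather than any GSA-mandated list.

```nginx
# Added example (not from the issue thread): hardened nginx vhost covering
# the checklist above. Hostnames, paths, addresses and IP ranges are
# placeholders; the cipher list is the Mozilla "intermediate" suite.

# Checklist: Disable server_tokens. Drops the nginx version from the Server
# header and from nginx-generated error pages.
server_tokens off;

# Checklist: Setup Monitor Logs. A log format that also records the
# negotiated TLS version/cipher, so weak-cipher clients show up in logs.
log_format hardened '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" $ssl_protocol/$ssl_cipher';

upstream app_backend {
    server 10.0.1.10:8443;   # placeholder backend address
}

server {
    listen 443 ssl;
    server_name app.example.gov;   # placeholder hostname

    access_log /var/log/nginx/app.access.log hardened;
    error_log  /var/log/nginx/app.error.log warn;

    # Checklist: Avoid self-signed certs. These paths are assumed to hold a
    # CA-issued certificate chain, not an ad-hoc self-signed one.
    ssl_certificate     /etc/ssl/certs/app.example.gov.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/app.example.gov.key;

    # Checklist: Disable weak cipher suites / enable strong TLS ciphers.
    # Weak (do not use):
    #   ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    #   ssl_ciphers   HIGH:!aNULL:!MD5;
    # Hardened: TLS 1.2+ only, AEAD suites with forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Checklist: Restrict Access by IP. Only the listed ranges (placeholders)
    # reach this vhost; every other source address gets 403.
    allow 10.0.0.0/8;
    allow 192.0.2.0/24;
    deny  all;

    location / {
        # Checklist: Disable Unwanted HTTP Methods. limit_except permits only
        # the listed methods (GET implies HEAD); TRACE, DELETE, OPTIONS, etc.
        # are refused with 403.
        limit_except GET POST {
            deny all;
        }

        proxy_pass https://app_backend;

        # Checklist: proxy_ssl_verify on. nginx validates the backend's
        # certificate chain against the trusted CA bundle and checks the
        # name against proxy_ssl_name, so a self-signed or mismatched
        # backend certificate makes the proxy fail closed.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_name                app-backend.internal;   # placeholder
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

Validate with `nginx -t` before reloading, and `nginx -T` to dump the effective merged configuration. Two caveats: the `allow`/`deny` rules act only after the packet has already reached the host, so they do not replace the separate "Limit Input Traffic via IPTables" item; and "Remove Unnecessary Modules" cannot be done from a config file at all, since modules are chosen at build time (`nginx -V` lists what the binary was compiled with).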