From 46eda365158828c6819a79aec6d83272e1ba9d6f Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sat, 16 Dec 2023 21:57:19 +0000
Subject: [PATCH] Fully block Server header
---
 ansible/galaxy-requirements.yml | 1 +
 ansible/roles/nginx/files/nginx.conf | 3 +++
 ansible/roles/nginx/tasks/main.yml | 12 ++++++++++++
 3 files changed, 16 insertions(+)
diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml
index a08f082..e9d9a23 100644
--- a/ansible/galaxy-requirements.yml
+++ b/ansible/galaxy-requirements.yml
@@ -2,6 +2,7 @@ collections:
 - ansible.posix
 - community.general
 - community.docker
+ - kewlfft.aur
 - name: https://github.com/prometheus-community/ansible
 type: git
diff --git a/ansible/roles/nginx/files/nginx.conf b/ansible/roles/nginx/files/nginx.conf
index 25179d8..341fdbd 100644
--- a/ansible/roles/nginx/files/nginx.conf
+++ b/ansible/roles/nginx/files/nginx.conf
@@ -2,6 +2,8 @@ worker_processes auto;
 error_log /var/log/nginx/error.log;
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+
 pcre_jit on;
 events {
@@ -13,6 +15,7 @@ http {
 default_type application/octet-stream;
 server_tokens off;
+ more_clear_headers "Server";
 types_hash_max_size 2048;
 types_hash_bucket_size 128;
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
index 788b317..f44f7d0 100644
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -10,6 +10,18 @@
 when: ansible_os_family == 'Archlinux'
 become: true
+- name: Install nginx-mod-http-headers-more
+ package:
+ name: libnginx-mod-http-headers-more-filter
+ when: ansible_os_family != 'Archlinux'
+ become: true
+
+- name: Install nginx-mod-http-headers-more on Arch
+ kewlfft.aur.aur:
+ name: nginx-mainline-mod-headers-more
+ when: ansible_os_family == 'Archlinux'
+ become: true
+
 - name: Create config directories
 file:
 path: /etc/nginx/{{ item }}
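Review bot: The new `kewlfft.aur` entry in ansible/galaxy-requirements.yml carries no version, so each `ansible-galaxy` install fetches whatever release is current at that moment, and the nginx role then runs this collection's module with `become: true`. The neighbouring collections are unpinned too, but this one drives package builds on the target host, so it is the entry where an unreviewed upstream change matters most. Use the mapping form with an explicit version, `- name: kewlfft.aur` followed by `version: "<reviewed release>"`, and bump it deliberately after reading the changelog.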
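Review bot: The `load_module` line added at the top of nginx.conf hard-codes one absolute path for both OS families, and nginx refuses to start if that file is missing or was built against a different nginx version than the one installed. On Debian-family hosts the `libnginx-mod-*` packages also drop a loader snippet under `/etc/nginx/modules-enabled/`; if this config includes that directory somewhere outside the hunk, the module would be declared twice and config parsing fails. A `nginx -t` validation step before the reload would catch each of these before the running server is touched (whether the role already does this is not visible here). I would also add `# Provided by libnginx-mod-http-headers-more-filter (Debian) / nginx-mainline-mod-headers-more (AUR)` above the directive so the dependency on the two install tasks is explicit.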
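Review bot: The added `more_clear_headers "Server";` in the `http` block sits directly under `server_tokens off;` with no comment, and a later reader may remove one of the two as redundant. They do different jobs: `server_tokens off` strips the version from the header and from the built-in error pages, while `more_clear_headers` removes the header itself. I would add `# server_tokens hides the version on error pages; more_clear_headers drops the Server header entirely` above the pair. The `http` block continues outside the hunk.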
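Review bot: The Arch task in ansible/roles/nginx/tasks/main.yml calls `kewlfft.aur.aur` with `become: true` and no `become_user`, which by default escalates to root. As far as I know makepkg and the AUR helpers refuse to build as root, and even where a build does run, a user-contributed PKGBUILD should not execute with root privileges. Add `become_user: <unprivileged build user>` to that task, unless a default is set somewhere outside this hunk. The resulting `.so` is loaded into nginx by the `load_module` line in the same commit, so the PKGBUILD deserves a review before first use and the module needs rebuilding whenever `nginx-mainline` is upgraded.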