Merge branch 'master' of https://github.com/dev-sec/chef-nginx-hardening

Signed-off-by: Aaron Lippold <[email protected]>

Author: aaronlippold

.kitchen.yml

@@ -68,13 +68,6 @@ platforms:
     intermediate_instructions:
       - RUN dnf -y install yum which systemd-sysv initscripts
 
-- name: ubuntu-12.04
-  driver:
-    image: ubuntu-upstart:12.04
-    pid_one_command: /sbin/init
-    intermediate_instructions:
-      - RUN /usr/bin/apt-get update
-
 - name: ubuntu-14.04
   driver:
     image: ubuntu-upstart:14.04
@@ -103,7 +96,6 @@ platforms:
     intermediate_instructions:
       - RUN zypper --non-interactive install aaa_base perl-Getopt-Long-Descriptive which
 
-
 suites:
 - name: default
   run_list:

.travis.yml

@@ -20,7 +20,6 @@ services: docker
 
 env:
   matrix:
-  - INSTANCE=default-ubuntu-1204
   - INSTANCE=default-ubuntu-1404
   - INSTANCE=default-ubuntu-1604
   - INSTANCE=default-centos-6
@@ -32,7 +31,7 @@ before_script:
   - /opt/chefdk/embedded/bin/chef --version
   - /opt/chefdk/embedded/bin/cookstyle --version
   - /opt/chefdk/embedded/bin/foodcritic --version
-  - /opt/chefdk/embedded/bin/chef gem install coveralls # needed for chefspecs
+  - /opt/chefdk/embedded/bin/chef gem install coveralls -v 0.8.19 # needed for chefspecs
 
 script: KITCHEN_LOCAL_YAML=.kitchen.docker.yml /opt/chefdk/embedded/bin/kitchen verify ${INSTANCE}
 

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Change Log
 
+## [v3.0.0](https://github.com/dev-sec/chef-nginx-hardening/tree/v3.0.0) (2018-01-05)
+[Full Changelog](https://github.com/dev-sec/chef-nginx-hardening/compare/v2.0.0...v3.0.0)
+
+**Closed issues:**
+
+- Update metadata to depend on "nginx" cookbook [\#47](https://github.com/dev-sec/chef-nginx-hardening/issues/47)
+
+**Merged pull requests:**
+
+- switch to nginx cookbook [\#48](https://github.com/dev-sec/chef-nginx-hardening/pull/48) ([rveznaver](https://github.com/rveznaver))
+- add headers and cleaning [\#46](https://github.com/dev-sec/chef-nginx-hardening/pull/46) ([atomic111](https://github.com/atomic111))
+
 ## [v2.0.0](https://github.com/dev-sec/chef-nginx-hardening/tree/v2.0.0) (2017-01-04)
 [Full Changelog](https://github.com/dev-sec/chef-nginx-hardening/compare/v1.1.0...v2.0.0)
 

Gemfile

@@ -2,45 +2,38 @@
 
 source 'https://rubygems.org'
 
-gem 'berkshelf',  '~> 5.0'
-gem 'chef',       '>= 12.0'
-
-# pin dependency for Ruby 1.9.3 since bundler is not
-# detecting that net-ssh 3 does not work with 1.9.3
-if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2.2')
-  gem 'listen', '~> 3.0.0'
-  gem 'ruby_dep', '~> 1.3.0'
-  gem 'rack', '< 2.0'
-end
+gem 'berkshelf', '~> 6.1'
+gem 'chef', '~> 12.5' # chefspec builds get stucked with 13.1
 
 group :test do
   gem 'rake'
-  gem 'chefspec',   '~> 5.3'
-  gem 'foodcritic', '~> 8.0'
+  gem 'chefspec', '~> 7.1.0'
+  gem 'foodcritic', '~> 11.1'
+  gem 'thor', '~> 0.19.1'
   gem 'thor-foodcritic'
   gem 'cookstyle'
   gem 'coveralls', require: false
-  gem 'minitest', '~> 5.5'
+  gem 'minitest', '~> 5.10.2'
+  gem 'rubocop', '~> 0.49.0'
   gem 'simplecov', '~> 0.10'
 end
 
 group :development do
   gem 'guard'
   gem 'guard-rspec'
+  gem 'guard-foodcritic', '~> 3.0'
   gem 'guard-kitchen'
   gem 'guard-rubocop'
-  # gem 'guard-foodcritic' # disabled until a new release comes out that removes the pin
 end
 
 group :integration do
-  gem 'test-kitchen', '~> 1.0'
+  gem 'test-kitchen', '~> 1.16.0'
   gem 'kitchen-vagrant'
-  gem 'kitchen-inspec'
-  gem 'kitchen-sharedtests', '~> 0.2.0'
-  gem 'concurrent-ruby', '~> 0.9'
   gem 'kitchen-dokken'
+  gem 'kitchen-inspec'
+  gem 'concurrent-ruby', '~> 1.0.5'
 end
 
 group :tools do
-  gem 'github_changelog_generator', '~> 1.14.0'
+  gem 'github_changelog_generator', '~> 1.14'
 end

README.md

@@ -13,7 +13,7 @@ This cookbook provides a secure overlay for nginx configuration.
 ### Platform
 
 - Debian 7, 8
-- Ubuntu 12.04, 14.04, 16.04
+- Ubuntu 14.04, 16.04
 - CentOS 6, 7
 - OracleLinux 6.6, 6.7, 7.1
 
@@ -26,12 +26,12 @@ This cookbook provides a secure overlay for nginx configuration.
 - `['nginx']['server_tokens']` - `off` to disable disables emitting nginx version in error messages and in the "Server" response header field. Set to `on` to enable the nginx version in error messages and "Server" response header.
 - `['nginx-hardening']['source']['http_autoindex_module']` - `false` to disable the HTTP Autoindex module. Set to `true` to enable http_autoindex_module.
 - `['nginx-hardening']['source']['http_ssi_module']` - `false` to disable the HTTP SSI module. Set to `true` to enable http_ssi_module.
-- `['nginx-hardening']['options']['ssl_protocols']` - `'TLSv1 TLSv1.1 TLSv1.2'` to specify the SSL protocol which should be used.
-- `['nginx-hardening']['options']['ssl_ciphers']` - `'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'` to specify the TLS ciphers which should be used.
+- `['nginx-hardening']['options']['ssl_protocols']` - `'TLSv1.2'` to specify the SSL protocol which should be used.
+- `['nginx-hardening']['options']['ssl_ciphers']` - `'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'` to specify the TLS ciphers which should be used.
 - `['nginx-hardening']['options']['ssl_prefer_server_ciphers']` - `'on'` Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to `false` to disable it.
 - `['nginx-hardening']['dh-size']` - `2048` Specifies the length of DH parameters for EDH ciphers.
 
-You can also use the complete attributes from the [chef_nginx cookbook](https://supermarket.chef.io/cookbooks/chef_nginx)
+You can also use the complete attributes from the [nginx cookbook](https://supermarket.chef.io/cookbooks/nginx)
 
 ## Usage
 
@@ -40,7 +40,7 @@ Add the recipes to the run_list:
 ```
 "recipe[apt]"
 "recipe[nginx-hardening::upgrades]"
-"recipe[chef_nginx]"
+"recipe[nginx]"
 "recipe[nginx-hardening]"
 ```
 
@@ -65,15 +65,15 @@ bundle install
 bundle exec rake lint
 
 # fast test on one machine
-bundle exec kitchen test default-ubuntu-1204
+bundle exec kitchen test default-ubuntu-1404
 
 # test on all machines
 bundle exec kitchen test
 
 # for development
-bundle exec kitchen create default-ubuntu-1204
-bundle exec kitchen converge default-ubuntu-1204
-bundle exec kitchen verify default-ubuntu-1204
+bundle exec kitchen create default-ubuntu-1404
+bundle exec kitchen converge default-ubuntu-1404
+bundle exec kitchen verify default-ubuntu-1404
 ```
 
 ## Contributors + Kudos

attributes/hardening.rb

@@ -95,4 +95,5 @@
 default['nginx-hardening']['options']['ssl_protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
 default['nginx-hardening']['options']['ssl_ciphers'] = "'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA@STRENGTH'"
 default['nginx-hardening']['options']['ssl_prefer_server_ciphers'] = 'on'
+default['nginx-hardening']['options']['ssl_session_tickets'] = 'off'
 default['nginx-hardening']['dh-size'] = 2048

metadata.rb

@@ -18,11 +18,11 @@
 name             'nginx-hardening'
 maintainer       'Dominik Richter'
 maintainer_email '[email protected]'
-license          'Apache 2.0'
+license          'Apache-2.0'
 description      'Configures nginx hardening'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 
-version          '2.0.0'
+version          '3.0.0'
 
 issues_url       'https://github.com/dev-sec/chef-nginx-hardening/issues'
 source_url       'https://github.com/dev-sec/chef-nginx-hardening'
@@ -31,7 +31,11 @@
 supports 'ubuntu', '>= 12.04'
 supports 'centos', '>= 6.6'
 
+<<<<<<< HEAD
 depends 'nginx', '>= 4.0'
+=======
+depends 'nginx', '>= 7.0'
+>>>>>>> 13d38aa133278ff7db765cb8f6b812f7d89aa43a
 depends 'openssl'
 
 recipe 'nginx-hardening::default', 'configures nginx for hardening'

test/integration/default/controls/test.rb

@@ -0,0 +1,6 @@
+include_controls 'nginx-baseline' do
+  # skip http method control
+  skip_control 'nginx-14'
+  # skip HTTPOnly and secure cookie control
+  skip_control 'nginx-16'
+end

test/integration/default/inspec.yml

@@ -0,0 +1,4 @@
+name: nginx-hardening-integration-tests
+depends:
+  - name: nginx-baseline
+    url: https://github.com/dev-sec/nginx-baseline