Security Automation with Ansible 2

Hardening nginx 

Hardening nginx starts with configuration changes: disabling server tokens so that the version is not displayed, adding response headers such as X-XSS-Protection, restricting the TLS protocols and cipher suites that are accepted, and many similar tweaks. Because these are configuration changes, Ansible lets us version, review, and automate them and apply them consistently according to user requirements:

  • The nginx server version information can be hidden from the Server header and the default error pages by adding server_tokens off; to the configuration
  • add_header X-XSS-Protection "1; mode=block"; enables the browser's cross-site scripting (XSS) filter in browsers that still implement one; current browsers have removed this filter, so treat the header as a compatibility measure rather than as a defence against XSS
  • SSLv3 can be disabled by setting ssl_protocols TLSv1 TLSv1.1 TLSv1.2; note that TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996), so on an nginx and OpenSSL build that supports TLS 1.3, ssl_protocols TLSv1.2 TLSv1.3; is the better choice
  • The full list can be pretty large, depending on the use case and scenario
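As an added example that is not the book's own template, the following hardened-nginx-config.j2 applies the three changes above together with the other headers and TLS settings a practitioner would normally add at the same time. The server_name variable, the certificate paths under /etc/letsencrypt and the document root are assumptions chosen for illustration, and the cipher list is limited to ECDHE AEAD suites in the spirit of Mozilla's guidance rather than copied from a specific profile:

```nginx
# hardened-nginx-config.j2 (added example, not the book's template).
# Assumptions not in the original text: the play sets server_name,
# certificates live under /etc/letsencrypt/live/{{ server_name }}/,
# and the site is served from /var/www/html.

# Stop advertising the nginx version in the Server header and error pages.
server_tokens off;

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name {{ server_name }};
    # Every plaintext request is redirected to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name {{ server_name }};

    root /var/www/html;
    index index.html;

    ssl_certificate     /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;

    # SSLv3, TLS 1.0 and TLS 1.1 are excluded. TLSv1.3 needs nginx 1.13+
    # built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    # Session tickets are disabled so a leaked ticket key cannot unwrap past sessions.
    ssl_session_tickets off;

    # Security headers; "always" also adds them to error responses.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Only the {{ server_name }} expressions are Jinja2; nginx's own $host and $request_uri variables pass through the template module untouched. Keep in mind that an add_header inside a location block replaces, rather than extends, the headers inherited from the server block, so any location that needs its own header must repeat the full set.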

The following Ansible task renders the hardened nginx configuration from a template and notifies a handler that restarts nginx whenever the rendered file changes:

    - name: update the hardened nginx configuration changes
      template:
        src: "hardened-nginx-config.j2"
        dest: "/etc/nginx/sites-available/default"
      notify:
        - restart nginx

Mozilla maintains an updated guidance page on SSL/TLS at https://wiki.mozilla.org/Security/Server_Side_TLS. The guidance recommends which cipher suites to use, along with other security measures. If you trust their judgment, you can also use their SSL/TLS configuration generator to quickly produce a configuration for your web server. For more information, visit https://mozilla.github.io/server-side-tls/ssl-config-generator/ (the generator has since moved to https://ssl-config.mozilla.org/).

Whichever configuration you decide to use, save the template as hardened-nginx-config.j2 in the templates directory of the playbook or role, which is where the template module resolves the relative src path.
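Rendering the template does not by itself prove that the deployed file is hardened; a later edit or a stray include can undo it. As an added example that is not code from the book, the following POSIX shell check scans a rendered nginx configuration for the directives discussed in this section and exits non-zero if server_tokens is not off, the X-XSS-Protection header is missing, or ssl_protocols still enables SSLv2, SSLv3, TLSv1 or TLSv1.1. It can be run from an Ansible command task after the template task, or in CI. The configuration at the bottom of the script is constructed for illustration:

```shell
#!/bin/sh
# check_nginx_hardening.sh: added example, not code from the book or from nginx.
# Scans a rendered nginx configuration for the hardening directives and
# reports every one that is missing or weak. The exit status is non-zero
# when any problem is found, so an Ansible task or CI job can fail on it.

# True if an uncommented line in file $1 begins with the directive regex $2.
has_directive() {
    grep -qE "^[[:space:]]*$2" "$1"
}

check_nginx_hardening() {
    cfg="$1"
    failures=0

    if ! has_directive "$cfg" 'server_tokens[[:space:]]+off[[:space:]]*;'; then
        echo "FAIL: server_tokens off; not set (nginx version leaks in the Server header)"
        failures=$((failures + 1))
    fi

    if ! has_directive "$cfg" 'add_header[[:space:]]+X-XSS-Protection'; then
        echo "FAIL: X-XSS-Protection header not added"
        failures=$((failures + 1))
    fi

    # First uncommented ssl_protocols line. Without one, nginx's own default
    # still enables TLSv1 and TLSv1.1.
    protos=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$cfg" | head -n 1)
    if [ -z "$protos" ]; then
        echo "FAIL: ssl_protocols not set; nginx defaults still enable TLSv1 and TLSv1.1"
        failures=$((failures + 1))
    else
        for weak in SSLv2 SSLv3 TLSv1 TLSv1.1; do
            # Escape the dot and anchor on whitespace or ';' so that TLSv1
            # does not match TLSv1.2 or TLSv1.3.
            pat=$(printf '%s' "$weak" | sed 's/\./\\./g')
            if echo "$protos" | grep -qE "[[:space:]]$pat([[:space:]]|;)"; then
                echo "FAIL: ssl_protocols still enables $weak"
                failures=$((failures + 1))
            fi
        done
    fi

    echo "$failures problem(s) found in $cfg"
    [ "$failures" -eq 0 ]
}

# Constructed sample (not a real deployment): a site file that has not been
# hardened yet. The commented-out server_tokens line must not count.
demo=$(mktemp)
cat > "$demo" <<'EOF'
server {
    listen 443 ssl;
    # server_tokens off;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
EOF
check_nginx_hardening "$demo" || true
rm -f "$demo"
```

The check is deliberately textual rather than a live TLS probe, so it runs on the target host without network access and before nginx is restarted; pair it with an external scanner against the listening port once the handler has fired.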