summaryrefslogtreecommitdiffstats
path: root/roles/common-web/files/etc
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2018-12-03 03:04:22 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-03 03:43:36 +0100
commit2495327985da791891b579bd05b3cda1f41dfda7 (patch)
tree4a48fbc071739ec5b38f3bda049fa984cb795498 /roles/common-web/files/etc
parent203c3ca3d0b3d053827e6ced01cdde85eb0871c5 (diff)
Upgrade baseline to Debian Stretch.
Diffstat (limited to 'roles/common-web/files/etc')
-rw-r--r--roles/common-web/files/etc/nginx/sites-available/default4
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf10
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf12
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi.conf3
-rw-r--r--roles/common-web/files/etc/nginx/snippets/ssl.conf2
5 files changed, 16 insertions, 15 deletions
diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default
index 6cbea18..63c7910 100644
--- a/roles/common-web/files/etc/nginx/sites-available/default
+++ b/roles/common-web/files/etc/nginx/sites-available/default
@@ -1,6 +1,6 @@
server {
- listen 80 default_server;
- listen [::]:80 default_server;
+ listen 80 default_server;
+ listen [::]:80 default_server;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
index ebf3aa0..aa82ca6 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
@@ -3,8 +3,8 @@
include snippets/fastcgi-php.conf;
-fastcgi_param HTTPS on;
-fastcgi_param SSL_PROTOCOL $ssl_protocol;
-fastcgi_param SSL_CIPHER $ssl_cipher;
-fastcgi_param SSL_SESSION_ID $ssl_session_id;
-fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
+fastcgi_param HTTPS on;
+fastcgi_param SSL_PROTOCOL $ssl_protocol;
+fastcgi_param SSL_CIPHER $ssl_cipher;
+fastcgi_param SSL_SESSION_ID $ssl_session_id;
+fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
index 5823909..9668bb8 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
@@ -1,10 +1,10 @@
# cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
-try_files $uri $uri/ =404;
+try_files $fastcgi_script_name =404;
-include snippets/fastcgi.conf;
+include snippets/fastcgi.conf;
# required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param REDIRECT_STATUS 200;
-fastcgi_intercept_errors on;
-fastcgi_read_timeout 14400;
-fastcgi_pass unix:/var/run/php5-fpm.sock;
+fastcgi_intercept_errors on;
+fastcgi_read_timeout 14400;
+fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
index 80132ec..ee058da 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
@@ -6,6 +6,7 @@ fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
@@ -20,4 +21,4 @@ fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
-fastcgi_param HTTPS $https;
+fastcgi_param HTTPS $https if_not_empty;
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
index 09082e7..d3ccd9e 100644
--- a/roles/common-web/files/etc/nginx/snippets/ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -1,5 +1,5 @@
# https://wiki.mozilla.org/Security/Server_Side_TLS
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0j&hsts=yes&profile=intermediate
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lacme/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem