authorGuilhem Moulin <guilhem@fripost.org>2015-12-20 13:59:39 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-12-20 13:59:39 +0100
commit01e59771866559cc13a58800282617d04cb286a6 (patch)
treea1772ca3ce7bde38d1c96a4855db504b6ab8ec96 /roles/common-web
parent74943c88f1a0de34ca593dafe5b0785c7ee7a95e (diff)
nginx: Move include.d/* to snippets/.
Diffstat (limited to 'roles/common-web')
-rw-r--r--roles/common-web/files/etc/nginx/include.d/ssl20
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php-ssl)2
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php)2
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/params)0
-rw-r--r--roles/common-web/files/etc/nginx/snippets/ssl.conf30
-rw-r--r--roles/common-web/tasks/main.yml47
6 files changed, 54 insertions, 47 deletions
diff --git a/roles/common-web/files/etc/nginx/include.d/ssl b/roles/common-web/files/etc/nginx/include.d/ssl
deleted file mode 100644
index 26a64f4..0000000
--- a/roles/common-web/files/etc/nginx/include.d/ssl
+++ /dev/null
@@ -1,20 +0,0 @@
-ssl on;
-
-# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
-keepalive_timeout 75 75;
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:5m;
-
-# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
-# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
-# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
-# in favor of RC4, but that's not satisfactory either since RC4 has
-# other weaknesses.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
-ssl_dhparam /etc/ssl/private/dhparams.pem;
-ssl_prefer_server_ciphers on;
-
-# Strict Transport Security header for enhanced security. See
-# http://www.chromium.org/sts.
-add_header Strict-Transport-Security "max-age=15552000";
diff --git a/roles/common-web/files/etc/nginx/fastcgi/php-ssl b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
index b2a419c..ebf3aa0 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/php-ssl
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
@@ -1,6 +1,8 @@
# PHP only.
# Credits to http://claylo.com/post/7617674014/ssl-php-fpm-and-nginx
+include snippets/fastcgi-php.conf;
+
fastcgi_param HTTPS on;
fastcgi_param SSL_PROTOCOL $ssl_protocol;
fastcgi_param SSL_CIPHER $ssl_cipher;
diff --git a/roles/common-web/files/etc/nginx/fastcgi/php b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
index 1ba3937..5823909 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/php
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
@@ -1,7 +1,7 @@
# cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
try_files $uri $uri/ =404;
-include fastcgi/params;
+include snippets/fastcgi.conf;
# required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
diff --git a/roles/common-web/files/etc/nginx/fastcgi/params b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
index 80132ec..80132ec 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/params
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
new file mode 100644
index 0000000..429b667
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -0,0 +1,30 @@
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
+
+# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
+
+ssl on;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains';
+
+# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them
+# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem;
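Review bot: `ssl_stapling_verify on;` (L106) depends on the bundle named by `ssl_trusted_certificate` (L109), and that path names only the cross-signed Let's Encrypt intermediate, whereas nginx verifies a stapled OCSP response against the issuer chain up to and including the root; if the bundle does not also carry the root CA (not visible here), verification fails and nginx quietly serves without a staple, which is hard to notice without checking `openssl s_client -status`. The comment on L108 promises "Root CA and Intermediate certs", so either the bundle should actually contain both or the comment should say what is required, e.g. `# verify chain of trust of OCSP response: this bundle must hold the intermediate AND the root CA`. Stapling also needs a `resolver` directive in the enclosing http context to look up the OCSP responder hostname; that is outside this hunk, so worth confirming it is set. Finally, `ssl_ciphers` (L97) is a verbatim generator snapshot; a one-line comment recording the profile and date it was generated (the URL on L81 pins nginx 1.6.2/OpenSSL 1.0.1k) would make it clear when it is due for regeneration.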
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index f55770d..c44e3a5 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -8,54 +8,49 @@
tags:
- logrotate
-- name: Delete /etc/nginx/sites-{available,enabled}/default
- file: path=/etc/nginx/sites-{{ item }}/default state=absent
- with_items:
- - enabled
- - available
-
-- name: Create directory /etc/nginx/{fastcgi,ssl}
- file: path=/etc/nginx/{{ item }}
- state=directory
- owner=root group=root
- mode=0755
- with_items:
- - fastcgi
- - ssl
-
-- name: Copy fastcgi parameters
- copy: src=etc/nginx/fastcgi/{{ item }}
- dest=/etc/nginx/fastcgi/{{ item }}
+- name: Copy fastcgi parameters and SSL configuration snippets
+ copy: src=etc/nginx/snippets/{{ item }}
+ dest=/etc/nginx/snippets/{{ item }}
owner=root group=root
mode=0644
register: r1
with_items:
- - params
- - php
- - php-ssl
+ - fastcgi.conf
+ - fastcgi-php.conf
+ - fastcgi-php-ssl.conf
+ - ssl.conf
notify:
- Restart Nginx
-- name: Copy SSL configuration snippet
- copy: src=etc/nginx/include.d/ssl
- dest=/etc/nginx/include.d/ssl
+- name: Copy /etc/nginx/sites-available/default
+ copy: src=etc/nginx/sites-available/default
+ dest=/etc/nginx/sites-available/default
owner=root group=root
mode=0644
register: r2
notify:
- Restart Nginx
+- name: Create /etc/nginx/sites-enabled/default
+ file: src=../sites-available/default
+ dest=/etc/nginx/sites-enabled/default
+ owner=root group=root
+ state=link force=yes
+ register: r3
+ notify:
+ - Restart Nginx
+
- name: Add .asc to text/plain MIME types
lineinfile: dest=/etc/nginx/mime.types
regexp='^(\s*text/plain\s+)'
backrefs=yes
line='\1txt asc;'
- register: r3
+ register: r4
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed)
- meta: flush_handlers
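Review bot: The new task at L154-156 copies `etc/nginx/sites-available/default` from the role, but the diffstat (limited to roles/common-web) lists no `roles/common-web/files/etc/nginx/sites-available/default`, and the removed task at L117 previously deleted that site rather than shipping one; unless the source file already exists in the role, this play now fails at that task. The hunk also drops the task at L123-130 that created `/etc/nginx/ssl` (mode 0755), while the new `snippets/ssl.conf` still points at `/etc/nginx/ssl/srvcert.pem`; if nothing else in the role creates that directory, its creation should stay here, and `/etc/nginx/snippets` is presumably expected from the Debian package — confirm. As a point of style, the `key=value` argument strings spanning several lines (L136-139, L155-158, L163-166) would be clearer and less error-prone as native block YAML, e.g. `copy:` / `src: etc/nginx/snippets/{{ item }}` / `dest: /etc/nginx/snippets/{{ item }}` with `mode: "0644"` quoted, and `force: true` instead of `force=yes` on L166.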