summaryrefslogtreecommitdiffstats
path: root/roles/lists
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-07-12 03:10:33 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-07-12 03:10:33 +0200
commitef430522256013665205cdda05636846cc622251 (patch)
tree0912b6175af9e97fa76aaf47613bd1926893dc67 /roles/lists
parent4e347178a85468cb2a6451a3a57c3379f832ca97 (diff)
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles/lists')
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa6
-rw-r--r--roles/lists/tasks/nginx.yml13
l---------roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j21
3 files changed, 16 insertions, 4 deletions
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 732f09f..fbb3421 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -29,9 +29,9 @@ server {
"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri lists.fripost.org";
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
- add_header Public-Key-Pins 'pin-sha256="OLx1hOEqnCdS/7ZgzTzAl8Ig/Cwpz5MY9J9Fishg6/0="; pin-sha256="v/Ow0Ou2m08HO10wxci1IVrMC/pbihnoDNxvUwKBsMY="; max-age=15778800';
+ ssl_certificate ssl/lists.fripost.org.pem;
+ ssl_certificate_key ssl/lists.fripost.org.key;
+ include snippets/lists.fripost.org.hpkp-hdr;
location = / {
return 302 /sympa$args;
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index 20b3262..6bf4afc 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -19,9 +19,20 @@
notify:
- Restart Nginx
+- name: Copy HPKP header snippet
+ # never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/lists.fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
+ register: r3
+ notify:
+ - Restart Nginx
+
- name: Start nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
diff --git a/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
new file mode 120000
index 0000000..a8ba598
--- /dev/null
+++ b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
@@ -0,0 +1 @@
+../../../../../../certs/hpkp-hdr.j2 \ No newline at end of file