diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
commit | ef430522256013665205cdda05636846cc622251 (patch) | |
tree | 0912b6175af9e97fa76aaf47613bd1926893dc67 /roles/lists | |
parent | 4e347178a85468cb2a6451a3a57c3379f832ca97 (diff) |
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But
never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles/lists')
-rw-r--r-- | roles/lists/files/etc/nginx/sites-available/sympa | 6 | ||||
-rw-r--r-- | roles/lists/tasks/nginx.yml | 13 | ||||
l--------- | roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 | 1 |
3 files changed, 16 insertions, 4 deletions
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index 732f09f..fbb3421 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -29,9 +29,9 @@ server { "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri lists.fripost.org"; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="OLx1hOEqnCdS/7ZgzTzAl8Ig/Cwpz5MY9J9Fishg6/0="; pin-sha256="v/Ow0Ou2m08HO10wxci1IVrMC/pbihnoDNxvUwKBsMY="; max-age=15778800'; + ssl_certificate ssl/lists.fripost.org.pem; + ssl_certificate_key ssl/lists.fripost.org.key; + include snippets/lists.fripost.org.hpkp-hdr; location = / { return 302 /sympa$args; diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml index 20b3262..6bf4afc 100644 --- a/roles/lists/tasks/nginx.yml +++ b/roles/lists/tasks/nginx.yml @@ -19,9 +19,20 @@ notify: - Restart Nginx +- name: Copy HPKP header snippet + # never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/lists.fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart Nginx + - name: Start nginx service: name=nginx state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers diff --git a/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 new file mode 120000 index 0000000..a8ba598 --- /dev/null +++ b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 @@ -0,0 +1 @@ +../../../../../../certs/hpkp-hdr.j2
\ No newline at end of file |