diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
| commit | ef430522256013665205cdda05636846cc622251 (patch) | |
| tree | 0912b6175af9e97fa76aaf47613bd1926893dc67 /roles | |
| parent | 4e347178a85468cb2a6451a3a57c3379f832ca97 (diff) | |
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But
never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/git/files/etc/nginx/sites-available/git | 6 | ||||
| -rw-r--r-- | roles/git/tasks/cgit.yml | 13 | ||||
| l--------- | roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 | 1 | ||||
| -rw-r--r-- | roles/lists/files/etc/nginx/sites-available/sympa | 6 | ||||
| -rw-r--r-- | roles/lists/tasks/nginx.yml | 13 | ||||
| l--------- | roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 | 1 | ||||
| -rw-r--r-- | roles/webmail/files/etc/nginx/sites-available/roundcube | 6 | ||||
| -rw-r--r-- | roles/webmail/tasks/roundcube.yml | 13 | ||||
| l--------- | roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2 | 1 | ||||
| -rw-r--r-- | roles/wiki/files/etc/nginx/sites-available/website | 6 | ||||
| -rw-r--r-- | roles/wiki/files/etc/nginx/sites-available/wiki | 6 | ||||
| -rw-r--r-- | roles/wiki/tasks/main.yml | 13 | ||||
| l--------- | roles/wiki/templates/etc/nginx/snippets/fripost.org.hpkp-hdr.j2 | 1 |
13 files changed, 67 insertions, 19 deletions
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index ca71e0d..0ec65e2 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -10,43 +10,43 @@ server { error_log /var/log/nginx/git.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name git.fripost.org; access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; include snippets/headers.conf; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="HOoiXgC7tolzZ31b65UzbAKhpCCA7I0iNdO7NEuL0lU="; pin-sha256="7F+6dSG3D3X3SSLXmb4GWWqUViztamLmmCBlYCi4a10="; max-age=15778800'; + ssl_certificate ssl/git.fripost.org.pem; + ssl_certificate_key ssl/git.fripost.org.key; + include snippets/git.fripost.org.hpkp-hdr; location ^~ /static/ { alias /usr/share/cgit/; expires 30d; } # Bypass the CGI to return static files stored on disk. Try first repo with # a trailing '.git', then without. location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" { root /var/lib/gitolite/repositories; try_files /$1.git/objects/$2 /$1/objects/$2 =404; expires 30d; gzip off; # TODO honor git-daemon-export-ok } # disallow push over HTTP/HTTPS location ~* "^/[^/]+/git-receive-pack$" { return 403; } location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" { diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml index 5f4e0e9..1dd2cd6 100644 --- a/roles/git/tasks/cgit.yml +++ b/roles/git/tasks/cgit.yml @@ -79,34 +79,45 @@ - name: Copy /etc/nginx/sites-available/git copy: src=etc/nginx/sites-available/git dest=/etc/nginx/sites-available/git owner=root group=root mode=0644 register: r1 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/git file: src=../sites-available/git dest=/etc/nginx/sites-enabled/git owner=root group=root state=link force=yes register: r2 notify: - Restart Nginx +- name: Copy HPKP header snippet + # never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/git.fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart Nginx + - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data become: False fetch_cmd: cmd="openssl x509 -noout -pubkey" stdin=/etc/nginx/ssl/git.fripost.org.pem dest=certs/public/git.fripost.org.pub tags: - genkey diff --git a/roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 b/roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 new file mode 120000 index 0000000..a8ba598 --- /dev/null +++ b/roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 @@ -0,0 +1 @@ +../../../../../../certs/hpkp-hdr.j2
\ No newline at end of file diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index 732f09f..fbb3421 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -12,43 +12,43 @@ server { location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name lists.fripost.org; access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; include snippets/headers.conf; add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri lists.fripost.org"; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="OLx1hOEqnCdS/7ZgzTzAl8Ig/Cwpz5MY9J9Fishg6/0="; pin-sha256="v/Ow0Ou2m08HO10wxci1IVrMC/pbihnoDNxvUwKBsMY="; max-age=15778800'; + ssl_certificate ssl/lists.fripost.org.pem; + ssl_certificate_key ssl/lists.fripost.org.key; + include snippets/lists.fripost.org.hpkp-hdr; location = / { return 302 /sympa$args; } location ^~ /static-sympa/ { alias /var/lib/sympa/static_content/; expires 30d; } location ^~ /sympa { fastcgi_split_path_info ^(/sympa)(.*)$; include snippets/fastcgi.conf; fastcgi_pass unix:/run/wwsympa.socket; gzip off; } location ~* ^/([^/]+)/?$ { return 302 /$1/sympa$args; diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml index 20b3262..6bf4afc 100644 --- a/roles/lists/tasks/nginx.yml +++ b/roles/lists/tasks/nginx.yml @@ -2,34 +2,45 @@ apt: pkg=nginx - name: Copy /etc/nginx/sites-available/sympa copy: src=etc/nginx/sites-available/sympa dest=/etc/nginx/sites-available/sympa owner=root group=root mode=0644 register: r1 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/sympa file: src=../sites-available/sympa dest=/etc/nginx/sites-enabled/sympa owner=root group=root state=link register: r2 notify: - Restart Nginx +- name: Copy HPKP header snippet + # never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/lists.fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart Nginx + - name: Start nginx service: name=nginx state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data become: False fetch_cmd: cmd="openssl x509 -noout -pubkey" stdin=/etc/nginx/ssl/lists.fripost.org.pem dest=certs/public/lists.fripost.org.pub tags: - genkey diff --git a/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 new file mode 120000 index 0000000..a8ba598 --- /dev/null +++ b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 @@ -0,0 +1 @@ +../../../../../../certs/hpkp-hdr.j2
\ No newline at end of file diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index 67851ae..c691d35 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -14,43 +14,43 @@ server { location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name mail.fripost.org; server_name webmail.fripost.org; root /var/lib/roundcube; include snippets/headers.conf; add_header Content-Security-Policy "default-src 'none'; child-src 'self'; frame-src 'self'; connect-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self'; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'self'; form-action 'self'; base-uri mail.fripost.org webmail.fripost.org"; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk="; pin-sha256="/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w="; max-age=15778800'; + ssl_certificate ssl/mail.fripost.org.pem; + ssl_certificate_key ssl/mail.fripost.org.key; + include snippets/mail.fripost.org.hpkp-hdr; location = /favicon.ico { root /usr/share/roundcube/skins/default/images; log_not_found off; access_log off; expires max; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Deny all attempts to access hidden files, or files under hidden # directories. location ~ /\. { return 404; } access_log /var/log/nginx/roundcube.access.log; error_log /var/log/nginx/roundcube.error.log info; diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index caa91dc..15544c2 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -114,34 +114,45 @@ service: name=php5-fpm state=started - name: Copy /etc/nginx/sites-available/roundcube copy: src=etc/nginx/sites-available/roundcube dest=/etc/nginx/sites-available/roundcube owner=root group=root mode=0644 register: r1 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/roundcube file: src=../sites-available/roundcube dest=/etc/nginx/sites-enabled/roundcube owner=root group=root state=link force=yes register: r2 notify: - Restart Nginx +- name: Copy HPKP header snippet + # never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/mail.fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart Nginx + - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data become: False fetch_cmd: cmd="openssl x509 -noout -pubkey" stdin=/etc/nginx/ssl/mail.fripost.org.pem dest=certs/public/mail.fripost.org.pub tags: - genkey diff --git a/roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2 b/roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2 new file mode 120000 index 0000000..a8ba598 --- /dev/null +++ b/roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2 @@ -0,0 +1 @@ +../../../../../../certs/hpkp-hdr.j2
\ No newline at end of file diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website index 10e127c..e79ff1f 100644 --- a/roles/wiki/files/etc/nginx/sites-available/website +++ b/roles/wiki/files/etc/nginx/sites-available/website @@ -14,43 +14,43 @@ server { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name fripost.org; server_name www.fripost.org; access_log /var/log/nginx/www.access.log; error_log /var/log/nginx/www.error.log info; include snippets/headers.conf; add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action https://www.paypal.com/; base-uri fripost.org www.fripost.org"; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="fQ+gau72iwOf6rmXvY7/QemB+kYhixPCY/A/EIr3ats="; pin-sha256="MYhOgCyUOp8NRGxa1LZc57g0wREA3kV8C+4SsrDajt8="; max-age=15778800'; + ssl_certificate ssl/www.fripost.org.pem; + ssl_certificate_key ssl/www.fripost.org.key; + include snippets/fripost.org.hpkp-hdr; location / { try_files $uri $uri/ =404; index index.html; root /var/lib/ikiwiki/public_html/fripost-wiki/website; } location /static/ { alias /var/lib/ikiwiki/public_html/fripost-wiki/static/; expires 30d; } location /material/ { alias /var/www/fripost.org/material/; expires 30d; } location /minutes/ { alias /var/www/fripost.org/minutes/; expires 30d; } location /.well-known/autoconfig/ { alias /var/www/fripost.org/autoconfig/; diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index 39cd653..d2e13a5 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -13,40 +13,40 @@ server { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name wiki.fripost.org; access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; include snippets/headers.conf; add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri wiki.fripost.org"; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="fQ+gau72iwOf6rmXvY7/QemB+kYhixPCY/A/EIr3ats="; pin-sha256="MYhOgCyUOp8NRGxa1LZc57g0wREA3kV8C+4SsrDajt8="; max-age=15778800'; + ssl_certificate ssl/www.fripost.org.pem; + ssl_certificate_key ssl/www.fripost.org.key; + include snippets/fripost.org.hpkp-hdr; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } try_files $uri $uri/ =404; index index.html; root /var/lib/ikiwiki/public_html/fripost-wiki; } location = /ikiwiki.cgi { fastcgi_param DOCUMENT_ROOT /var/lib/ikiwiki/public_html/fripost-wiki; fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi; fastcgi_index ikiwiki.cgi; include snippets/fastcgi.conf; fastcgi_pass unix:/var/run/fcgiwrap.socket; gzip off; } } diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml index 4a64c2f..ff2d724 100644 --- a/roles/wiki/tasks/main.yml +++ b/roles/wiki/tasks/main.yml @@ -76,43 +76,54 @@ mode=0644 register: r1 with_items: - website - wiki notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/{wiki,website} file: src=../sites-available/{{ item }} dest=/etc/nginx/sites-enabled/{{ item }} owner=root group=root state=link force=yes register: r2 with_items: - website - wiki notify: - Restart Nginx +- name: Copy HPKP header snippet + # never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart Nginx + - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data become: False fetch_cmd: cmd="openssl x509 -noout -pubkey" stdin=/etc/nginx/ssl/www.fripost.org.pem dest=certs/public/fripost.org.pub tags: - genkey - name: Create directory /var/www/fripost.org/autoconfig/mail file: path=/var/www/fripost.org/autoconfig/mail state=directory owner=root group=root mode=0755 - name: Copy /var/www/fripost.org/autoconfig/mail/config-v1.1.xml copy: src=var/www/fripost.org/autoconfig/mail/config-v1.1.xml diff --git a/roles/wiki/templates/etc/nginx/snippets/fripost.org.hpkp-hdr.j2 b/roles/wiki/templates/etc/nginx/snippets/fripost.org.hpkp-hdr.j2 new file mode 120000 index 0000000..a8ba598 --- /dev/null +++ b/roles/wiki/templates/etc/nginx/snippets/fripost.org.hpkp-hdr.j2 @@ -0,0 +1 @@ +../../../../../../certs/hpkp-hdr.j2
\ No newline at end of file |