nginx: Move include.d/* to snippets/.

author: Guilhem Moulin <guilhem@fripost.org> 2015-12-20 13:59:39 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2015-12-20 13:59:39 +0100
commit: 01e59771866559cc13a58800282617d04cb286a6 (patch)
tree: a1772ca3ce7bde38d1c96a4855db504b6ab8ec96 /roles
parent: 74943c88f1a0de34ca593dafe5b0785c7ee7a95e (diff)
12 files changed, 69 insertions, 72 deletions
diff --git a/roles/common-web/files/etc/nginx/include.d/ssl b/roles/common-web/files/etc/nginx/include.d/ssl
deleted file mode 100644
index 26a64f4..0000000
--- a/roles/common-web/files/etc/nginx/include.d/ssl
+++ /dev/null
@@ -1,20 +0,0 @@
-ssl on;
-
-# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
-keepalive_timeout           75 75;
-ssl_session_timeout         5m;
-ssl_session_cache           shared:SSL:5m;
-
-# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
-# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
-# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
-# in favor of RC4, but that's not satisfactory either since RC4 has
-# other weaknesses.
-ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers                 HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
-ssl_dhparam                 /etc/ssl/private/dhparams.pem;
-ssl_prefer_server_ciphers   on;
-
-# Strict Transport Security header for enhanced security. See
-# http://www.chromium.org/sts.
-add_header Strict-Transport-Security "max-age=15552000";
diff --git a/roles/common-web/files/etc/nginx/fastcgi/php-ssl b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
index b2a419c..ebf3aa0 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/php-ssl
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
@@ -1,6 +1,8 @@
 # PHP only.
 # Credits to http://claylo.com/post/7617674014/ssl-php-fpm-and-nginx
 
+include snippets/fastcgi-php.conf;
+
 fastcgi_param HTTPS					on;
 fastcgi_param SSL_PROTOCOL			$ssl_protocol;
 fastcgi_param SSL_CIPHER			$ssl_cipher;
diff --git a/roles/common-web/files/etc/nginx/fastcgi/php b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
index 1ba3937..5823909 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/php
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
@@ -1,7 +1,7 @@
 # cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
 try_files $uri $uri/ =404;
 
-include 		fastcgi/params;
+include 		snippets/fastcgi.conf;
 # required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param	REDIRECT_STATUS	200;
 
diff --git a/roles/common-web/files/etc/nginx/fastcgi/params b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
index 80132ec..80132ec 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/params
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
new file mode 100644
index 0000000..429b667
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -0,0 +1,30 @@
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
+
+# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
+
+ssl on;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains';
+
+# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them
+# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem;
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index f55770d..c44e3a5 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -8,54 +8,49 @@
   tags:
     - logrotate
 
-- name: Delete /etc/nginx/sites-{available,enabled}/default
-  file: path=/etc/nginx/sites-{{ item }}/default state=absent
-  with_items:
-    - enabled
-    - available
-
-- name: Create directory /etc/nginx/{fastcgi,ssl}
-  file: path=/etc/nginx/{{ item }}
-        state=directory
-        owner=root group=root
-        mode=0755
-  with_items:
-    - fastcgi
-    - ssl
-
-- name: Copy fastcgi parameters
-  copy: src=etc/nginx/fastcgi/{{ item }}
-        dest=/etc/nginx/fastcgi/{{ item }}
+- name: Copy fastcgi parameters and SSL configuration snippets
+  copy: src=etc/nginx/snippets/{{ item }}
+        dest=/etc/nginx/snippets/{{ item }}
         owner=root group=root
         mode=0644
   register: r1
   with_items:
-    - params
-    - php
-    - php-ssl
+    - fastcgi.conf
+    - fastcgi-php.conf
+    - fastcgi-php-ssl.conf
+    - ssl.conf
   notify:
     - Restart Nginx
 
-- name: Copy SSL configuration snippet
-  copy: src=etc/nginx/include.d/ssl
-        dest=/etc/nginx/include.d/ssl
+- name: Copy /etc/nginx/sites-available/default
+  copy: src=etc/nginx/sites-available/default
+        dest=/etc/nginx/sites-available/default
         owner=root group=root
         mode=0644
   register: r2
   notify:
     - Restart Nginx
 
+- name: Create /etc/nginx/sites-enabled/default
+  file: src=../sites-available/default
+        dest=/etc/nginx/sites-enabled/default
+        owner=root group=root
+        state=link force=yes
+  register: r3
+  notify:
+    - Restart Nginx
+
 - name: Add .asc to text/plain MIME types
   lineinfile: dest=/etc/nginx/mime.types
               regexp='^(\s*text/plain\s+)'
               backrefs=yes
               line='\1txt asc;'
-  register: r3
+  register: r4
   notify:
     - Restart Nginx
 
 - name: Start Nginx
   service: name=nginx state=started
-  when: not (r1.changed or r2.changed or r3.changed)
+  when: not (r1.changed or r2.changed or r3.changed or r4.changed)
 
 - meta: flush_handlers
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index 333da02..67776de 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -50,7 +50,7 @@ server {
 
     server_name  git.fripost.org;
 
-    include include.d/ssl;
+    include snippets/ssl.conf;
     ssl_certificate     /etc/nginx/ssl/git.fripost.org.pem;
     ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
 
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 3f2dce4..ea0424f 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -20,7 +20,7 @@ server {
     access_log /var/log/nginx/lists.access.log;
     error_log  /var/log/nginx/lists.error.log info;
 
-    include include.d/ssl;
+    include snippets/ssl.conf;
     ssl_certificate     /etc/nginx/ssl/lists.fripost.org.pem;
     ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
 
@@ -35,7 +35,7 @@ server {
 
     location ^~ /sympa {
         fastcgi_split_path_info ^(/sympa)(.*)$;
-        include fastcgi/params;
+        include snippets/fastcgi.conf;
 
         fastcgi_pass unix:/run/wwsympa.socket;
         gzip off;
@@ -52,7 +52,7 @@ server {
         }
 
         fastcgi_split_path_info ^(/[^/]+/sympa)(.*)$;
-        include fastcgi/params;
+        include snippets/fastcgi.conf;
 
         fastcgi_pass unix:/run/wwsympa.socket;
         gzip off;
diff --git a/roles/munin-master/files/etc/nginx/sites-available/munin b/roles/munin-master/files/etc/nginx/sites-available/munin
index ade1888..fe5e7e5 100644
--- a/roles/munin-master/files/etc/nginx/sites-available/munin
+++ b/roles/munin-master/files/etc/nginx/sites-available/munin
@@ -17,14 +17,14 @@ server {
 
     location /munin-cgi/munin-cgi-graph/ {
         fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
-        include fastcgi/params;
+        include snippets/fastcgi.conf;
         fastcgi_pass unix:/run/munin/cgi-graph.socket;
         gzip off;
     }
 
     location /munin/ {
         fastcgi_split_path_info ^(/munin)(.*);
-        include fastcgi/params;
+        include snippets/fastcgi.conf;
         fastcgi_pass unix:/run/munin/cgi-html.socket;
         gzip off;
     }
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index fe67615..1297834 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -19,10 +19,7 @@ server {
     server_name  mail.fripost.org;
     root         /var/lib/roundcube;
 
-    include include.d/ssl;
-    # include the intermediate certificate, see
-    # - https://www.ssllabs.com/ssltest/analyze.html?d=mail.fripost.org
-    # - http://nginx.org/en/docs/http/configuring_https_servers.html
+    include snippets/ssl.conf;
     ssl_certificate     /etc/nginx/ssl/mail.fripost.org.chained.pem;
     ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key;
 
@@ -49,8 +46,7 @@ server {
     index index.php;
     client_max_body_size 64m;
     location = /index.php {
-        include fastcgi/php;
-        include fastcgi/php-ssl;
+        include snippets/fastcgi-php-ssl.conf;
 
         # From /var/lib/roundcube/.htaccess
         fastcgi_param PHP_VALUE "upload_max_filesize=25M
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 7899f05..3e32158 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -18,12 +18,9 @@ server {
 
     server_name fripost.org;
 
-    include include.d/ssl;
-    # include the intermediate certificate, see
-    # - https://www.ssllabs.com/ssltest/analyze.html?d=fripost.org
-    # - http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate     /etc/nginx/ssl/fripost.org.chained.pem;
-    ssl_certificate_key /etc/nginx/ssl/fripost.org.key;
+    include snippets/ssl.conf;
+    ssl_certificate     /etc/nginx/ssl/www.fripost.org.chained.pem;
+    ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
 
     access_log /var/log/nginx/access.log;
     error_log  /var/log/nginx/error.log info;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index a12b017..3777b87 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -26,12 +26,9 @@ server {
 
     server_name wiki.fripost.org;
 
-    include include.d/ssl;
-    # include the intermediate certificate, see
-    # - https://www.ssllabs.com/ssltest/analyze.html?d=wiki.fripost.org
-    # - http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate     /etc/nginx/ssl/fripost.org.chained.pem;
-    ssl_certificate_key /etc/nginx/ssl/fripost.org.key;
+    include snippets/ssl.conf;
+    ssl_certificate     /etc/nginx/ssl/www.fripost.org.chained.pem;
+    ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
 
     access_log /var/log/nginx/wiki.access.log;
     error_log  /var/log/nginx/wiki.error.log info;
@@ -47,7 +44,7 @@ server {
         fastcgi_param DOCUMENT_ROOT   /var/lib/ikiwiki/public_html/fripost-wiki;
         fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi;
         fastcgi_index ikiwiki.cgi;
-        include fastcgi/params;
+        include snippets/fastcgi.conf;
         fastcgi_pass unix:/var/run/fcgiwrap.socket;
         gzip off;
     }
author	Guilhem Moulin <guilhem@fripost.org>	2015-12-20 13:59:39 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2015-12-20 13:59:39 +0100
commit	01e59771866559cc13a58800282617d04cb286a6 (patch)
tree	a1772ca3ce7bde38d1c96a4855db504b6ab8ec96 /roles
parent	74943c88f1a0de34ca593dafe5b0785c7ee7a95e (diff)