summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-05-16 00:51:30 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-16 00:51:30 +0200
commite250173c23a9c192dc18ba34115f94816846ccf3 (patch)
tree6d83fb38c44ac8e75e5136cb927b409f86a47ea6 /roles
parent0bfbe0e49f7fc77abfe7bb5d92c72dbdf6742204 (diff)
role/common-web: Upgrade baseline to Debian 10.
Diffstat (limited to 'roles')
-rw-r--r--roles/common-web/files/etc/nginx/sites-available/default2
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf18
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi.conf9
-rw-r--r--roles/common-web/files/etc/nginx/snippets/ssl.conf13
4 files changed, 23 insertions, 19 deletions
diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default
index 63c7910..295cb6d 100644
--- a/roles/common-web/files/etc/nginx/sites-available/default
+++ b/roles/common-web/files/etc/nginx/sites-available/default
@@ -7,6 +7,6 @@ server {
# serve ACME challenges on all virtual hosts
# /!\ need to be served individually for each explicit virtual host as well!
- include snippets/acme-challenge.conf;
+ include /etc/lacme/nginx.conf;
include snippets/headers.conf;
}
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
index 9668bb8..48ebc63 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
@@ -1,10 +1,14 @@
-# cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
-include snippets/fastcgi.conf;
-# required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
-fastcgi_intercept_errors on;
-fastcgi_read_timeout 14400;
-fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+fastcgi_index index.php;
+include snippets/fastcgi.conf;
+fastcgi_pass unix:/run/php/php7.3-fpm.sock;
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
index ee058da..9a0a029 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
@@ -1,16 +1,16 @@
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
-fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param PATH_INFO $fastcgi_path_info;
-fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
@@ -21,4 +21,5 @@ fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
-fastcgi_param HTTPS $https if_not_empty;
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
index d3ccd9e..57a317b 100644
--- a/roles/common-web/files/etc/nginx/snippets/ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -1,5 +1,5 @@
# https://wiki.mozilla.org/Security/Server_Side_TLS
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0j&hsts=yes&profile=intermediate
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.14.2&openssl=1.1.1c&hsts=yes&profile=intermediate
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lacme/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
@@ -13,13 +13,12 @@ ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/dhparams.pem;
-# intermediate configuration. tweak to your needs.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ssl_prefer_server_ciphers off;
-# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains';
+# HSTS (ngx_http_headers_module is required) (31557600 seconds = 1 year)
+add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them
# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf