summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-07-12 03:10:33 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-07-12 03:10:33 +0200
commitef430522256013665205cdda05636846cc622251 (patch)
tree0912b6175af9e97fa76aaf47613bd1926893dc67 /roles
parent4e347178a85468cb2a6451a3a57c3379f832ca97 (diff)
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles')
-rw-r--r--roles/git/files/etc/nginx/sites-available/git6
-rw-r--r--roles/git/tasks/cgit.yml13
l---------roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j21
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa6
-rw-r--r--roles/lists/tasks/nginx.yml13
l---------roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j21
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube6
-rw-r--r--roles/webmail/tasks/roundcube.yml13
l---------roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j21
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/website6
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/wiki6
-rw-r--r--roles/wiki/tasks/main.yml13
l---------roles/wiki/templates/etc/nginx/snippets/fripost.org.hpkp-hdr.j21
13 files changed, 67 insertions, 19 deletions
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index ca71e0d..0ec65e2 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -27,9 +27,9 @@ server {
include snippets/headers.conf;
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/git.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
- add_header Public-Key-Pins 'pin-sha256="HOoiXgC7tolzZ31b65UzbAKhpCCA7I0iNdO7NEuL0lU="; pin-sha256="7F+6dSG3D3X3SSLXmb4GWWqUViztamLmmCBlYCi4a10="; max-age=15778800';
+ ssl_certificate ssl/git.fripost.org.pem;
+ ssl_certificate_key ssl/git.fripost.org.key;
+ include snippets/git.fripost.org.hpkp-hdr;
location ^~ /static/ {
alias /usr/share/cgit/;
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
index 5f4e0e9..1dd2cd6 100644
--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -96,9 +96,20 @@
notify:
- Restart Nginx
+- name: Copy HPKP header snippet
+ # never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/git.fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
+ register: r3
+ notify:
+ - Restart Nginx
+
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
diff --git a/roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 b/roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2
new file mode 120000
index 0000000..a8ba598
--- /dev/null
+++ b/roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2
@@ -0,0 +1 @@
+../../../../../../certs/hpkp-hdr.j2 \ No newline at end of file
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 732f09f..fbb3421 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -29,9 +29,9 @@ server {
"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri lists.fripost.org";
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
- add_header Public-Key-Pins 'pin-sha256="OLx1hOEqnCdS/7ZgzTzAl8Ig/Cwpz5MY9J9Fishg6/0="; pin-sha256="v/Ow0Ou2m08HO10wxci1IVrMC/pbihnoDNxvUwKBsMY="; max-age=15778800';
+ ssl_certificate ssl/lists.fripost.org.pem;
+ ssl_certificate_key ssl/lists.fripost.org.key;
+ include snippets/lists.fripost.org.hpkp-hdr;
location = / {
return 302 /sympa$args;
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index 20b3262..6bf4afc 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -19,9 +19,20 @@
notify:
- Restart Nginx
+- name: Copy HPKP header snippet
+ # never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/lists.fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
+ register: r3
+ notify:
+ - Restart Nginx
+
- name: Start nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
diff --git a/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
new file mode 120000
index 0000000..a8ba598
--- /dev/null
+++ b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
@@ -0,0 +1 @@
+../../../../../../certs/hpkp-hdr.j2 \ No newline at end of file
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 67851ae..c691d35 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -31,9 +31,9 @@ server {
"default-src 'none'; child-src 'self'; frame-src 'self'; connect-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self'; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'self'; form-action 'self'; base-uri mail.fripost.org webmail.fripost.org";
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key;
- add_header Public-Key-Pins 'pin-sha256="SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk="; pin-sha256="/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w="; max-age=15778800';
+ ssl_certificate ssl/mail.fripost.org.pem;
+ ssl_certificate_key ssl/mail.fripost.org.key;
+ include snippets/mail.fripost.org.hpkp-hdr;
location = /favicon.ico {
root /usr/share/roundcube/skins/default/images;
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index caa91dc..15544c2 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -131,9 +131,20 @@
notify:
- Restart Nginx
+- name: Copy HPKP header snippet
+ # never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/mail.fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
+ register: r3
+ notify:
+ - Restart Nginx
+
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
diff --git a/roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2 b/roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2
new file mode 120000
index 0000000..a8ba598
--- /dev/null
+++ b/roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2
@@ -0,0 +1 @@
+../../../../../../certs/hpkp-hdr.j2 \ No newline at end of file
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 10e127c..e79ff1f 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -31,9 +31,9 @@ server {
"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action https://www.paypal.com/; base-uri fripost.org www.fripost.org";
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/www.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
- add_header Public-Key-Pins 'pin-sha256="fQ+gau72iwOf6rmXvY7/QemB+kYhixPCY/A/EIr3ats="; pin-sha256="MYhOgCyUOp8NRGxa1LZc57g0wREA3kV8C+4SsrDajt8="; max-age=15778800';
+ ssl_certificate ssl/www.fripost.org.pem;
+ ssl_certificate_key ssl/www.fripost.org.key;
+ include snippets/fripost.org.hpkp-hdr;
location / {
try_files $uri $uri/ =404;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index 39cd653..d2e13a5 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -30,9 +30,9 @@ server {
"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri wiki.fripost.org";
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/www.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
- add_header Public-Key-Pins 'pin-sha256="fQ+gau72iwOf6rmXvY7/QemB+kYhixPCY/A/EIr3ats="; pin-sha256="MYhOgCyUOp8NRGxa1LZc57g0wREA3kV8C+4SsrDajt8="; max-age=15778800';
+ ssl_certificate ssl/www.fripost.org.pem;
+ ssl_certificate_key ssl/www.fripost.org.key;
+ include snippets/fripost.org.hpkp-hdr;
location / {
location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; }
diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml
index 4a64c2f..ff2d724 100644
--- a/roles/wiki/tasks/main.yml
+++ b/roles/wiki/tasks/main.yml
@@ -93,9 +93,20 @@
notify:
- Restart Nginx
+- name: Copy HPKP header snippet
+ # never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
+ register: r3
+ notify:
+ - Restart Nginx
+
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
diff --git a/roles/wiki/templates/etc/nginx/snippets/fripost.org.hpkp-hdr.j2 b/roles/wiki/templates/etc/nginx/snippets/fripost.org.hpkp-hdr.j2
new file mode 120000
index 0000000..a8ba598
--- /dev/null
+++ b/roles/wiki/templates/etc/nginx/snippets/fripost.org.hpkp-hdr.j2
@@ -0,0 +1 @@
+../../../../../../certs/hpkp-hdr.j2 \ No newline at end of file