diff options
Diffstat (limited to 'roles/common-web/files/etc')
-rw-r--r-- | roles/common-web/files/etc/nginx/include.d/ssl | 20 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php-ssl) | 2 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php) | 2 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/fastcgi.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/params) | 0 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/ssl.conf | 30 |
5 files changed, 33 insertions, 21 deletions
diff --git a/roles/common-web/files/etc/nginx/include.d/ssl b/roles/common-web/files/etc/nginx/include.d/ssl deleted file mode 100644 index 26a64f4..0000000 --- a/roles/common-web/files/etc/nginx/include.d/ssl +++ /dev/null @@ -1,20 +0,0 @@ -ssl on; - -# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization -keepalive_timeout 75 75; -ssl_session_timeout 5m; -ssl_session_cache shared:SSL:5m; - -# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST -# attack. Sadly as of 2013 many clients don't support TLSv1.2, though. -# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1 -# in favor of RC4, but that's not satisfactory either since RC4 has -# other weaknesses. -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH; -ssl_dhparam /etc/ssl/private/dhparams.pem; -ssl_prefer_server_ciphers on; - -# Strict Transport Security header for enhanced security. See -# http://www.chromium.org/sts. -add_header Strict-Transport-Security "max-age=15552000"; diff --git a/roles/common-web/files/etc/nginx/fastcgi/php-ssl b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf index b2a419c..ebf3aa0 100644 --- a/roles/common-web/files/etc/nginx/fastcgi/php-ssl +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf @@ -1,6 +1,8 @@ # PHP only. # Credits to http://claylo.com/post/7617674014/ssl-php-fpm-and-nginx +include snippets/fastcgi-php.conf; + fastcgi_param HTTPS on; fastcgi_param SSL_PROTOCOL $ssl_protocol; fastcgi_param SSL_CIPHER $ssl_cipher; diff --git a/roles/common-web/files/etc/nginx/fastcgi/php b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf index 1ba3937..5823909 100644 --- a/roles/common-web/files/etc/nginx/fastcgi/php +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf @@ -1,7 +1,7 @@ # cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP try_files $uri $uri/ =404; -include fastcgi/params; +include snippets/fastcgi.conf; # required if PHP was built with --enable-force-cgi-redirect fastcgi_param REDIRECT_STATUS 200; diff --git a/roles/common-web/files/etc/nginx/fastcgi/params b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf index 80132ec..80132ec 100644 --- a/roles/common-web/files/etc/nginx/fastcgi/params +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf new file mode 100644 index 0000000..429b667 --- /dev/null +++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf @@ -0,0 +1,30 @@ +# https://wiki.mozilla.org/Security/Server_Side_TLS +# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate + +# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate +# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem + +ssl on; + +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; + +# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits +ssl_dhparam /etc/ssl/private/dhparams.pem; + +# intermediate configuration. tweak to your needs. +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +ssl_prefer_server_ciphers on; + +# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) +add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains'; + +# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them +# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf +ssl_stapling on; +ssl_stapling_verify on; + +# verify chain of trust of OCSP response using Root CA and Intermediate certs +ssl_trusted_certificate /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem; |