Diffstat (limited to 'roles/common-web/files')
-rw-r--r--roles/common-web/files/etc/nginx/include.d/ssl20
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php-ssl)2
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php)2
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/params)0
-rw-r--r--roles/common-web/files/etc/nginx/snippets/ssl.conf30
5 files changed, 33 insertions, 21 deletions
diff --git a/roles/common-web/files/etc/nginx/include.d/ssl b/roles/common-web/files/etc/nginx/include.d/ssl
deleted file mode 100644
index 26a64f4..0000000
--- a/roles/common-web/files/etc/nginx/include.d/ssl
+++ /dev/null
@@ -1,20 +0,0 @@
-ssl on;
-
-# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
-keepalive_timeout 75 75;
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:5m;
-
-# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
-# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
-# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
-# in favor of RC4, but that's not satisfactory either since RC4 has
-# other weaknesses.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
-ssl_dhparam /etc/ssl/private/dhparams.pem;
-ssl_prefer_server_ciphers on;
-
-# Strict Transport Security header for enhanced security. See
-# http://www.chromium.org/sts.
-add_header Strict-Transport-Security "max-age=15552000";
diff --git a/roles/common-web/files/etc/nginx/fastcgi/php-ssl b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
index b2a419c..ebf3aa0 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/php-ssl
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
@@ -1,6 +1,8 @@
# PHP only.
# Credits to http://claylo.com/post/7617674014/ssl-php-fpm-and-nginx
+include snippets/fastcgi-php.conf;
+
fastcgi_param HTTPS on;
fastcgi_param SSL_PROTOCOL $ssl_protocol;
fastcgi_param SSL_CIPHER $ssl_cipher;
diff --git a/roles/common-web/files/etc/nginx/fastcgi/php b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
index 1ba3937..5823909 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/php
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
@@ -1,7 +1,7 @@
# cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
try_files $uri $uri/ =404;
-include fastcgi/params;
+include snippets/fastcgi.conf;
# required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
diff --git a/roles/common-web/files/etc/nginx/fastcgi/params b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
index 80132ec..80132ec 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/params
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
new file mode 100644
index 0000000..429b667
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -0,0 +1,30 @@
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
+
+# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
+
+ssl on;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains';
+
+# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them
+# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem;
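Review bot: The new `ssl_ciphers` list re-enables 3DES (`ECDHE-RSA-DES-CBC3-SHA`, `ECDHE-ECDSA-DES-CBC3-SHA` and `DES-CBC3-SHA` are offered positively, and only the `EDH-*`/`KRB5-*` 3DES variants are excluded), whereas the deleted include.d/ssl explicitly rejected it with `!3DES`; to keep that guarantee, drop the three `DES-CBC3-SHA` entries and append `:!3DES` to the list, and consider trimming `ssl_protocols` to `TLSv1.2` if no client still requires TLSv1/TLSv1.1. `ssl_stapling on` / `ssl_stapling_verify on` has no `resolver` directive anywhere in this snippet, and nginx needs one to resolve the OCSP responder hostname from the certificate, so stapling will silently not happen unless a `resolver <DNS-IP-placeholder> valid=300s;` line is added here or in the enclosing `server`/`http` context (I cannot see those contexts from this diff). The HSTS `add_header` is only inherited by `location` blocks that define no `add_header` of their own, so any vhost including this snippet and adding its own headers drops HSTS; a comment above it such as `# NOTE: add_header is not inherited into locations that set their own headers — repeat it there` would help maintainers.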