diff options
Diffstat (limited to 'roles')
-rw-r--r-- | roles/common-web/files/etc/nginx/include.d/ssl | 20 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php-ssl) | 2 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php) | 2 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/fastcgi.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/params) | 0 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/ssl.conf | 30 | ||||
-rw-r--r-- | roles/common-web/tasks/main.yml | 47 | ||||
-rw-r--r-- | roles/git/files/etc/nginx/sites-available/git | 2 | ||||
-rw-r--r-- | roles/lists/files/etc/nginx/sites-available/sympa | 6 | ||||
-rw-r--r-- | roles/munin-master/files/etc/nginx/sites-available/munin | 4 | ||||
-rw-r--r-- | roles/webmail/files/etc/nginx/sites-available/roundcube | 8 | ||||
-rw-r--r-- | roles/wiki/files/etc/nginx/sites-available/website | 9 | ||||
-rw-r--r-- | roles/wiki/files/etc/nginx/sites-available/wiki | 11 |
12 files changed, 69 insertions, 72 deletions
diff --git a/roles/common-web/files/etc/nginx/include.d/ssl b/roles/common-web/files/etc/nginx/include.d/ssl deleted file mode 100644 index 26a64f4..0000000 --- a/roles/common-web/files/etc/nginx/include.d/ssl +++ /dev/null @@ -1,20 +0,0 @@ -ssl on; - -# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization -keepalive_timeout 75 75; -ssl_session_timeout 5m; -ssl_session_cache shared:SSL:5m; - -# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST -# attack. Sadly as of 2013 many clients don't support TLSv1.2, though. -# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1 -# in favor of RC4, but that's not satisfactory either since RC4 has -# other weaknesses. -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH; -ssl_dhparam /etc/ssl/private/dhparams.pem; -ssl_prefer_server_ciphers on; - -# Strict Transport Security header for enhanced security. See -# http://www.chromium.org/sts. -add_header Strict-Transport-Security "max-age=15552000"; diff --git a/roles/common-web/files/etc/nginx/fastcgi/php-ssl b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf index b2a419c..ebf3aa0 100644 --- a/roles/common-web/files/etc/nginx/fastcgi/php-ssl +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf @@ -1,6 +1,8 @@ # PHP only. # Credits to http://claylo.com/post/7617674014/ssl-php-fpm-and-nginx +include snippets/fastcgi-php.conf; + fastcgi_param HTTPS on; fastcgi_param SSL_PROTOCOL $ssl_protocol; fastcgi_param SSL_CIPHER $ssl_cipher; diff --git a/roles/common-web/files/etc/nginx/fastcgi/php b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf index 1ba3937..5823909 100644 --- a/roles/common-web/files/etc/nginx/fastcgi/php +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf @@ -1,7 +1,7 @@ # cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP try_files $uri $uri/ =404; -include fastcgi/params; +include snippets/fastcgi.conf; # required if PHP was built with --enable-force-cgi-redirect fastcgi_param REDIRECT_STATUS 200; diff --git a/roles/common-web/files/etc/nginx/fastcgi/params b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf index 80132ec..80132ec 100644 --- a/roles/common-web/files/etc/nginx/fastcgi/params +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf new file mode 100644 index 0000000..429b667 --- /dev/null +++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf @@ -0,0 +1,30 @@ +# https://wiki.mozilla.org/Security/Server_Side_TLS +# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate + +# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate +# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem + +ssl on; + +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; + +# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits +ssl_dhparam /etc/ssl/private/dhparams.pem; + +# intermediate configuration. tweak to your needs. +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +ssl_prefer_server_ciphers on; + +# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) +add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains'; + +# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them +# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf +ssl_stapling on; +ssl_stapling_verify on; + +# verify chain of trust of OCSP response using Root CA and Intermediate certs +ssl_trusted_certificate /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem; diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml index f55770d..c44e3a5 100644 --- a/roles/common-web/tasks/main.yml +++ b/roles/common-web/tasks/main.yml @@ -8,54 +8,49 @@ tags: - logrotate -- name: Delete /etc/nginx/sites-{available,enabled}/default - file: path=/etc/nginx/sites-{{ item }}/default state=absent - with_items: - - enabled - - available - -- name: Create directory /etc/nginx/{fastcgi,ssl} - file: path=/etc/nginx/{{ item }} - state=directory - owner=root group=root - mode=0755 - with_items: - - fastcgi - - ssl - -- name: Copy fastcgi parameters - copy: src=etc/nginx/fastcgi/{{ item }} - dest=/etc/nginx/fastcgi/{{ item }} +- name: Copy fastcgi parameters and SSL configuration snippets + copy: src=etc/nginx/snippets/{{ item }} + dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0644 register: r1 with_items: - - params - - php - - php-ssl + - fastcgi.conf + - fastcgi-php.conf + - fastcgi-php-ssl.conf + - ssl.conf notify: - Restart Nginx -- name: Copy SSL configuration snippet - copy: src=etc/nginx/include.d/ssl - dest=/etc/nginx/include.d/ssl +- name: Copy /etc/nginx/sites-available/default + copy: src=etc/nginx/sites-available/default + dest=/etc/nginx/sites-available/default owner=root group=root mode=0644 register: r2 notify: - Restart Nginx +- name: Create /etc/nginx/sites-enabled/default + file: src=../sites-available/default + dest=/etc/nginx/sites-enabled/default + owner=root group=root + state=link force=yes + register: r3 + notify: + - Restart Nginx + - name: Add .asc to text/plain MIME types lineinfile: dest=/etc/nginx/mime.types regexp='^(\s*text/plain\s+)' backrefs=yes line='\1txt asc;' - register: r3 + register: r4 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed or r3.changed or r4.changed) - meta: flush_handlers diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index 333da02..67776de 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -50,7 +50,7 @@ server { server_name git.fripost.org; - include include.d/ssl; + include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index 3f2dce4..ea0424f 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -20,7 +20,7 @@ server { access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; - include include.d/ssl; + include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key; @@ -35,7 +35,7 @@ server { location ^~ /sympa { fastcgi_split_path_info ^(/sympa)(.*)$; - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/run/wwsympa.socket; gzip off; @@ -52,7 +52,7 @@ server { } fastcgi_split_path_info ^(/[^/]+/sympa)(.*)$; - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/run/wwsympa.socket; gzip off; diff --git a/roles/munin-master/files/etc/nginx/sites-available/munin b/roles/munin-master/files/etc/nginx/sites-available/munin index ade1888..fe5e7e5 100644 --- a/roles/munin-master/files/etc/nginx/sites-available/munin +++ b/roles/munin-master/files/etc/nginx/sites-available/munin @@ -17,14 +17,14 @@ server { location /munin-cgi/munin-cgi-graph/ { fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*); - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/run/munin/cgi-graph.socket; gzip off; } location /munin/ { fastcgi_split_path_info ^(/munin)(.*); - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/run/munin/cgi-html.socket; gzip off; } diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index fe67615..1297834 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -19,10 +19,7 @@ server { server_name mail.fripost.org; root /var/lib/roundcube; - include include.d/ssl; - # include the intermediate certificate, see - # - https://www.ssllabs.com/ssltest/analyze.html?d=mail.fripost.org - # - http://nginx.org/en/docs/http/configuring_https_servers.html + include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/mail.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; @@ -49,8 +46,7 @@ server { index index.php; client_max_body_size 64m; location = /index.php { - include fastcgi/php; - include fastcgi/php-ssl; + include snippets/fastcgi-php-ssl.conf; # From /var/lib/roundcube/.htaccess fastcgi_param PHP_VALUE "upload_max_filesize=25M diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website index 7899f05..3e32158 100644 --- a/roles/wiki/files/etc/nginx/sites-available/website +++ b/roles/wiki/files/etc/nginx/sites-available/website @@ -18,12 +18,9 @@ server { server_name fripost.org; - include include.d/ssl; - # include the intermediate certificate, see - # - https://www.ssllabs.com/ssltest/analyze.html?d=fripost.org - # - http://nginx.org/en/docs/http/configuring_https_servers.html - ssl_certificate /etc/nginx/ssl/fripost.org.chained.pem; - ssl_certificate_key /etc/nginx/ssl/fripost.org.key; + include snippets/ssl.conf; + ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; + ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log info; diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index a12b017..3777b87 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -26,12 +26,9 @@ server { server_name wiki.fripost.org; - include include.d/ssl; - # include the intermediate certificate, see - # - https://www.ssllabs.com/ssltest/analyze.html?d=wiki.fripost.org - # - http://nginx.org/en/docs/http/configuring_https_servers.html - ssl_certificate /etc/nginx/ssl/fripost.org.chained.pem; - ssl_certificate_key /etc/nginx/ssl/fripost.org.key; + include snippets/ssl.conf; + ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; + ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; @@ -47,7 +44,7 @@ server { fastcgi_param DOCUMENT_ROOT /var/lib/ikiwiki/public_html/fripost-wiki; fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi; fastcgi_index ikiwiki.cgi; - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/var/run/fcgiwrap.socket; gzip off; } |