summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/common-web/files/etc/nginx/include.d/ssl20
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php-ssl)2
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/php)2
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi.conf (renamed from roles/common-web/files/etc/nginx/fastcgi/params)0
-rw-r--r--roles/common-web/files/etc/nginx/snippets/ssl.conf30
-rw-r--r--roles/common-web/tasks/main.yml47
-rw-r--r--roles/git/files/etc/nginx/sites-available/git2
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa6
-rw-r--r--roles/munin-master/files/etc/nginx/sites-available/munin4
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube8
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/website9
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/wiki11
12 files changed, 69 insertions, 72 deletions
diff --git a/roles/common-web/files/etc/nginx/include.d/ssl b/roles/common-web/files/etc/nginx/include.d/ssl
deleted file mode 100644
index 26a64f4..0000000
--- a/roles/common-web/files/etc/nginx/include.d/ssl
+++ /dev/null
@@ -1,20 +0,0 @@
-ssl on;
-
-# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
-keepalive_timeout 75 75;
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:5m;
-
-# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
-# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
-# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
-# in favor of RC4, but that's not satisfactory either since RC4 has
-# other weaknesses.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
-ssl_dhparam /etc/ssl/private/dhparams.pem;
-ssl_prefer_server_ciphers on;
-
-# Strict Transport Security header for enhanced security. See
-# http://www.chromium.org/sts.
-add_header Strict-Transport-Security "max-age=15552000";
diff --git a/roles/common-web/files/etc/nginx/fastcgi/php-ssl b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
index b2a419c..ebf3aa0 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/php-ssl
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
@@ -1,6 +1,8 @@
# PHP only.
# Credits to http://claylo.com/post/7617674014/ssl-php-fpm-and-nginx
+include snippets/fastcgi-php.conf;
+
fastcgi_param HTTPS on;
fastcgi_param SSL_PROTOCOL $ssl_protocol;
fastcgi_param SSL_CIPHER $ssl_cipher;
diff --git a/roles/common-web/files/etc/nginx/fastcgi/php b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
index 1ba3937..5823909 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/php
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
@@ -1,7 +1,7 @@
# cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
try_files $uri $uri/ =404;
-include fastcgi/params;
+include snippets/fastcgi.conf;
# required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
diff --git a/roles/common-web/files/etc/nginx/fastcgi/params b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
index 80132ec..80132ec 100644
--- a/roles/common-web/files/etc/nginx/fastcgi/params
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
new file mode 100644
index 0000000..429b667
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -0,0 +1,30 @@
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
+
+# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
+
+ssl on;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains';
+
+# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them
+# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem;
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index f55770d..c44e3a5 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -8,54 +8,49 @@
tags:
- logrotate
-- name: Delete /etc/nginx/sites-{available,enabled}/default
- file: path=/etc/nginx/sites-{{ item }}/default state=absent
- with_items:
- - enabled
- - available
-
-- name: Create directory /etc/nginx/{fastcgi,ssl}
- file: path=/etc/nginx/{{ item }}
- state=directory
- owner=root group=root
- mode=0755
- with_items:
- - fastcgi
- - ssl
-
-- name: Copy fastcgi parameters
- copy: src=etc/nginx/fastcgi/{{ item }}
- dest=/etc/nginx/fastcgi/{{ item }}
+- name: Copy fastcgi parameters and SSL configuration snippets
+ copy: src=etc/nginx/snippets/{{ item }}
+ dest=/etc/nginx/snippets/{{ item }}
owner=root group=root
mode=0644
register: r1
with_items:
- - params
- - php
- - php-ssl
+ - fastcgi.conf
+ - fastcgi-php.conf
+ - fastcgi-php-ssl.conf
+ - ssl.conf
notify:
- Restart Nginx
-- name: Copy SSL configuration snippet
- copy: src=etc/nginx/include.d/ssl
- dest=/etc/nginx/include.d/ssl
+- name: Copy /etc/nginx/sites-available/default
+ copy: src=etc/nginx/sites-available/default
+ dest=/etc/nginx/sites-available/default
owner=root group=root
mode=0644
register: r2
notify:
- Restart Nginx
+- name: Create /etc/nginx/sites-enabled/default
+ file: src=../sites-available/default
+ dest=/etc/nginx/sites-enabled/default
+ owner=root group=root
+ state=link force=yes
+ register: r3
+ notify:
+ - Restart Nginx
+
- name: Add .asc to text/plain MIME types
lineinfile: dest=/etc/nginx/mime.types
regexp='^(\s*text/plain\s+)'
backrefs=yes
line='\1txt asc;'
- register: r3
+ register: r4
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed)
- meta: flush_handlers
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index 333da02..67776de 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -50,7 +50,7 @@ server {
server_name git.fripost.org;
- include include.d/ssl;
+ include snippets/ssl.conf;
ssl_certificate /etc/nginx/ssl/git.fripost.org.pem;
ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 3f2dce4..ea0424f 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -20,7 +20,7 @@ server {
access_log /var/log/nginx/lists.access.log;
error_log /var/log/nginx/lists.error.log info;
- include include.d/ssl;
+ include snippets/ssl.conf;
ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
@@ -35,7 +35,7 @@ server {
location ^~ /sympa {
fastcgi_split_path_info ^(/sympa)(.*)$;
- include fastcgi/params;
+ include snippets/fastcgi.conf;
fastcgi_pass unix:/run/wwsympa.socket;
gzip off;
@@ -52,7 +52,7 @@ server {
}
fastcgi_split_path_info ^(/[^/]+/sympa)(.*)$;
- include fastcgi/params;
+ include snippets/fastcgi.conf;
fastcgi_pass unix:/run/wwsympa.socket;
gzip off;
diff --git a/roles/munin-master/files/etc/nginx/sites-available/munin b/roles/munin-master/files/etc/nginx/sites-available/munin
index ade1888..fe5e7e5 100644
--- a/roles/munin-master/files/etc/nginx/sites-available/munin
+++ b/roles/munin-master/files/etc/nginx/sites-available/munin
@@ -17,14 +17,14 @@ server {
location /munin-cgi/munin-cgi-graph/ {
fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
- include fastcgi/params;
+ include snippets/fastcgi.conf;
fastcgi_pass unix:/run/munin/cgi-graph.socket;
gzip off;
}
location /munin/ {
fastcgi_split_path_info ^(/munin)(.*);
- include fastcgi/params;
+ include snippets/fastcgi.conf;
fastcgi_pass unix:/run/munin/cgi-html.socket;
gzip off;
}
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index fe67615..1297834 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -19,10 +19,7 @@ server {
server_name mail.fripost.org;
root /var/lib/roundcube;
- include include.d/ssl;
- # include the intermediate certificate, see
- # - https://www.ssllabs.com/ssltest/analyze.html?d=mail.fripost.org
- # - http://nginx.org/en/docs/http/configuring_https_servers.html
+ include snippets/ssl.conf;
ssl_certificate /etc/nginx/ssl/mail.fripost.org.chained.pem;
ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key;
@@ -49,8 +46,7 @@ server {
index index.php;
client_max_body_size 64m;
location = /index.php {
- include fastcgi/php;
- include fastcgi/php-ssl;
+ include snippets/fastcgi-php-ssl.conf;
# From /var/lib/roundcube/.htaccess
fastcgi_param PHP_VALUE "upload_max_filesize=25M
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 7899f05..3e32158 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -18,12 +18,9 @@ server {
server_name fripost.org;
- include include.d/ssl;
- # include the intermediate certificate, see
- # - https://www.ssllabs.com/ssltest/analyze.html?d=fripost.org
- # - http://nginx.org/en/docs/http/configuring_https_servers.html
- ssl_certificate /etc/nginx/ssl/fripost.org.chained.pem;
- ssl_certificate_key /etc/nginx/ssl/fripost.org.key;
+ include snippets/ssl.conf;
+ ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem;
+ ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index a12b017..3777b87 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -26,12 +26,9 @@ server {
server_name wiki.fripost.org;
- include include.d/ssl;
- # include the intermediate certificate, see
- # - https://www.ssllabs.com/ssltest/analyze.html?d=wiki.fripost.org
- # - http://nginx.org/en/docs/http/configuring_https_servers.html
- ssl_certificate /etc/nginx/ssl/fripost.org.chained.pem;
- ssl_certificate_key /etc/nginx/ssl/fripost.org.key;
+ include snippets/ssl.conf;
+ ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem;
+ ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
access_log /var/log/nginx/wiki.access.log;
error_log /var/log/nginx/wiki.error.log info;
@@ -47,7 +44,7 @@ server {
fastcgi_param DOCUMENT_ROOT /var/lib/ikiwiki/public_html/fripost-wiki;
fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi;
fastcgi_index ikiwiki.cgi;
- include fastcgi/params;
+ include snippets/fastcgi.conf;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
gzip off;
}