From 01e59771866559cc13a58800282617d04cb286a6 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 20 Dec 2015 13:59:39 +0100 Subject: nginx: Move include.d/* to snippets/. --- roles/common-web/files/etc/nginx/fastcgi/params | 23 ----------- roles/common-web/files/etc/nginx/fastcgi/php | 10 ----- roles/common-web/files/etc/nginx/fastcgi/php-ssl | 8 ---- roles/common-web/files/etc/nginx/include.d/ssl | 20 --------- .../files/etc/nginx/snippets/fastcgi-php-ssl.conf | 10 +++++ .../files/etc/nginx/snippets/fastcgi-php.conf | 10 +++++ .../files/etc/nginx/snippets/fastcgi.conf | 23 +++++++++++ roles/common-web/files/etc/nginx/snippets/ssl.conf | 30 ++++++++++++++ roles/common-web/tasks/main.yml | 47 ++++++++++------------ roles/git/files/etc/nginx/sites-available/git | 2 +- roles/lists/files/etc/nginx/sites-available/sympa | 6 +-- .../files/etc/nginx/sites-available/munin | 4 +- .../files/etc/nginx/sites-available/roundcube | 8 +--- roles/wiki/files/etc/nginx/sites-available/website | 9 ++--- roles/wiki/files/etc/nginx/sites-available/wiki | 11 ++--- 15 files changed, 109 insertions(+), 112 deletions(-) delete mode 100644 roles/common-web/files/etc/nginx/fastcgi/params delete mode 100644 roles/common-web/files/etc/nginx/fastcgi/php delete mode 100644 roles/common-web/files/etc/nginx/fastcgi/php-ssl delete mode 100644 roles/common-web/files/etc/nginx/include.d/ssl create mode 100644 roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf create mode 100644 roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf create mode 100644 roles/common-web/files/etc/nginx/snippets/fastcgi.conf create mode 100644 roles/common-web/files/etc/nginx/snippets/ssl.conf diff --git a/roles/common-web/files/etc/nginx/fastcgi/params b/roles/common-web/files/etc/nginx/fastcgi/params deleted file mode 100644 index 80132ec..0000000 --- a/roles/common-web/files/etc/nginx/fastcgi/params +++ /dev/null @@ -1,23 +0,0 @@ -fastcgi_param QUERY_STRING $query_string; -fastcgi_param REQUEST_METHOD $request_method; -fastcgi_param CONTENT_TYPE $content_type; -fastcgi_param CONTENT_LENGTH $content_length; - -fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -fastcgi_param SCRIPT_NAME $fastcgi_script_name; -fastcgi_param PATH_INFO $fastcgi_path_info; -fastcgi_param REQUEST_URI $request_uri; -fastcgi_param DOCUMENT_URI $document_uri; -fastcgi_param DOCUMENT_ROOT $document_root; -fastcgi_param SERVER_PROTOCOL $server_protocol; - -fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; - -fastcgi_param REMOTE_ADDR $remote_addr; -fastcgi_param REMOTE_PORT $remote_port; -fastcgi_param SERVER_ADDR $server_addr; -fastcgi_param SERVER_PORT $server_port; -fastcgi_param SERVER_NAME $server_name; - -fastcgi_param HTTPS $https; diff --git a/roles/common-web/files/etc/nginx/fastcgi/php b/roles/common-web/files/etc/nginx/fastcgi/php deleted file mode 100644 index 1ba3937..0000000 --- a/roles/common-web/files/etc/nginx/fastcgi/php +++ /dev/null @@ -1,10 +0,0 @@ -# cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP -try_files $uri $uri/ =404; - -include fastcgi/params; -# required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; - -fastcgi_intercept_errors on; -fastcgi_read_timeout 14400; -fastcgi_pass unix:/var/run/php5-fpm.sock; diff --git a/roles/common-web/files/etc/nginx/fastcgi/php-ssl b/roles/common-web/files/etc/nginx/fastcgi/php-ssl deleted file mode 100644 index b2a419c..0000000 --- a/roles/common-web/files/etc/nginx/fastcgi/php-ssl +++ /dev/null @@ -1,8 +0,0 @@ -# PHP only. -# Credits to http://claylo.com/post/7617674014/ssl-php-fpm-and-nginx - -fastcgi_param HTTPS on; -fastcgi_param SSL_PROTOCOL $ssl_protocol; -fastcgi_param SSL_CIPHER $ssl_cipher; -fastcgi_param SSL_SESSION_ID $ssl_session_id; -fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify; diff --git a/roles/common-web/files/etc/nginx/include.d/ssl b/roles/common-web/files/etc/nginx/include.d/ssl deleted file mode 100644 index 26a64f4..0000000 --- a/roles/common-web/files/etc/nginx/include.d/ssl +++ /dev/null @@ -1,20 +0,0 @@ -ssl on; - -# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization -keepalive_timeout 75 75; -ssl_session_timeout 5m; -ssl_session_cache shared:SSL:5m; - -# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST -# attack. Sadly as of 2013 many clients don't support TLSv1.2, though. -# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1 -# in favor of RC4, but that's not satisfactory either since RC4 has -# other weaknesses. -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH; -ssl_dhparam /etc/ssl/private/dhparams.pem; -ssl_prefer_server_ciphers on; - -# Strict Transport Security header for enhanced security. See -# http://www.chromium.org/sts. -add_header Strict-Transport-Security "max-age=15552000"; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf new file mode 100644 index 0000000..ebf3aa0 --- /dev/null +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf @@ -0,0 +1,10 @@ +# PHP only. +# Credits to http://claylo.com/post/7617674014/ssl-php-fpm-and-nginx + +include snippets/fastcgi-php.conf; + +fastcgi_param HTTPS on; +fastcgi_param SSL_PROTOCOL $ssl_protocol; +fastcgi_param SSL_CIPHER $ssl_cipher; +fastcgi_param SSL_SESSION_ID $ssl_session_id; +fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf new file mode 100644 index 0000000..5823909 --- /dev/null +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf @@ -0,0 +1,10 @@ +# cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP +try_files $uri $uri/ =404; + +include snippets/fastcgi.conf; +# required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; + +fastcgi_intercept_errors on; +fastcgi_read_timeout 14400; +fastcgi_pass unix:/var/run/php5-fpm.sock; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf new file mode 100644 index 0000000..80132ec --- /dev/null +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf @@ -0,0 +1,23 @@ +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param PATH_INFO $fastcgi_path_info; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +fastcgi_param HTTPS $https; diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf new file mode 100644 index 0000000..429b667 --- /dev/null +++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf @@ -0,0 +1,30 @@ +# https://wiki.mozilla.org/Security/Server_Side_TLS +# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate + +# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate +# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem + +ssl on; + +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; + +# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits +ssl_dhparam /etc/ssl/private/dhparams.pem; + +# intermediate configuration. tweak to your needs. +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +ssl_prefer_server_ciphers on; + +# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) +add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains'; + +# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them +# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf +ssl_stapling on; +ssl_stapling_verify on; + +# verify chain of trust of OCSP response using Root CA and Intermediate certs +ssl_trusted_certificate /usr/share/lets-encrypt/lets-encrypt-x1-cross-signed.pem; diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml index f55770d..c44e3a5 100644 --- a/roles/common-web/tasks/main.yml +++ b/roles/common-web/tasks/main.yml @@ -8,54 +8,49 @@ tags: - logrotate -- name: Delete /etc/nginx/sites-{available,enabled}/default - file: path=/etc/nginx/sites-{{ item }}/default state=absent - with_items: - - enabled - - available - -- name: Create directory /etc/nginx/{fastcgi,ssl} - file: path=/etc/nginx/{{ item }} - state=directory - owner=root group=root - mode=0755 - with_items: - - fastcgi - - ssl - -- name: Copy fastcgi parameters - copy: src=etc/nginx/fastcgi/{{ item }} - dest=/etc/nginx/fastcgi/{{ item }} +- name: Copy fastcgi parameters and SSL configuration snippets + copy: src=etc/nginx/snippets/{{ item }} + dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0644 register: r1 with_items: - - params - - php - - php-ssl + - fastcgi.conf + - fastcgi-php.conf + - fastcgi-php-ssl.conf + - ssl.conf notify: - Restart Nginx -- name: Copy SSL configuration snippet - copy: src=etc/nginx/include.d/ssl - dest=/etc/nginx/include.d/ssl +- name: Copy /etc/nginx/sites-available/default + copy: src=etc/nginx/sites-available/default + dest=/etc/nginx/sites-available/default owner=root group=root mode=0644 register: r2 notify: - Restart Nginx +- name: Create /etc/nginx/sites-enabled/default + file: src=../sites-available/default + dest=/etc/nginx/sites-enabled/default + owner=root group=root + state=link force=yes + register: r3 + notify: + - Restart Nginx + - name: Add .asc to text/plain MIME types lineinfile: dest=/etc/nginx/mime.types regexp='^(\s*text/plain\s+)' backrefs=yes line='\1txt asc;' - register: r3 + register: r4 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed or r3.changed or r4.changed) - meta: flush_handlers diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index 333da02..67776de 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -50,7 +50,7 @@ server { server_name git.fripost.org; - include include.d/ssl; + include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index 3f2dce4..ea0424f 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -20,7 +20,7 @@ server { access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; - include include.d/ssl; + include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key; @@ -35,7 +35,7 @@ server { location ^~ /sympa { fastcgi_split_path_info ^(/sympa)(.*)$; - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/run/wwsympa.socket; gzip off; @@ -52,7 +52,7 @@ server { } fastcgi_split_path_info ^(/[^/]+/sympa)(.*)$; - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/run/wwsympa.socket; gzip off; diff --git a/roles/munin-master/files/etc/nginx/sites-available/munin b/roles/munin-master/files/etc/nginx/sites-available/munin index ade1888..fe5e7e5 100644 --- a/roles/munin-master/files/etc/nginx/sites-available/munin +++ b/roles/munin-master/files/etc/nginx/sites-available/munin @@ -17,14 +17,14 @@ server { location /munin-cgi/munin-cgi-graph/ { fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*); - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/run/munin/cgi-graph.socket; gzip off; } location /munin/ { fastcgi_split_path_info ^(/munin)(.*); - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/run/munin/cgi-html.socket; gzip off; } diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index fe67615..1297834 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -19,10 +19,7 @@ server { server_name mail.fripost.org; root /var/lib/roundcube; - include include.d/ssl; - # include the intermediate certificate, see - # - https://www.ssllabs.com/ssltest/analyze.html?d=mail.fripost.org - # - http://nginx.org/en/docs/http/configuring_https_servers.html + include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/mail.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; @@ -49,8 +46,7 @@ server { index index.php; client_max_body_size 64m; location = /index.php { - include fastcgi/php; - include fastcgi/php-ssl; + include snippets/fastcgi-php-ssl.conf; # From /var/lib/roundcube/.htaccess fastcgi_param PHP_VALUE "upload_max_filesize=25M diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website index 7899f05..3e32158 100644 --- a/roles/wiki/files/etc/nginx/sites-available/website +++ b/roles/wiki/files/etc/nginx/sites-available/website @@ -18,12 +18,9 @@ server { server_name fripost.org; - include include.d/ssl; - # include the intermediate certificate, see - # - https://www.ssllabs.com/ssltest/analyze.html?d=fripost.org - # - http://nginx.org/en/docs/http/configuring_https_servers.html - ssl_certificate /etc/nginx/ssl/fripost.org.chained.pem; - ssl_certificate_key /etc/nginx/ssl/fripost.org.key; + include snippets/ssl.conf; + ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; + ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log info; diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index a12b017..3777b87 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -26,12 +26,9 @@ server { server_name wiki.fripost.org; - include include.d/ssl; - # include the intermediate certificate, see - # - https://www.ssllabs.com/ssltest/analyze.html?d=wiki.fripost.org - # - http://nginx.org/en/docs/http/configuring_https_servers.html - ssl_certificate /etc/nginx/ssl/fripost.org.chained.pem; - ssl_certificate_key /etc/nginx/ssl/fripost.org.key; + include snippets/ssl.conf; + ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; + ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; @@ -47,7 +44,7 @@ server { fastcgi_param DOCUMENT_ROOT /var/lib/ikiwiki/public_html/fripost-wiki; fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi; fastcgi_index ikiwiki.cgi; - include fastcgi/params; + include snippets/fastcgi.conf; fastcgi_pass unix:/var/run/fcgiwrap.socket; gzip off; } -- cgit v1.2.3