From 2e67b6809d3b44da2e1e6ee6a974f10a3844964f Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 9 Dec 2015 17:21:06 +0100
Subject: ngnix: mv ssl/config conf.d/ssl
---
roles/common-web/files/etc/nginx/conf.d/ssl | 20 ++++++++++++++++++++
roles/common-web/files/etc/nginx/ssl/config | 20 --------------------
roles/common-web/tasks/main.yml | 6 +++---
roles/git/files/etc/nginx/sites-available/git | 2 +-
roles/lists/files/etc/nginx/sites-available/sympa | 2 +-
.../files/etc/nginx/sites-available/roundcube | 2 +-
roles/wiki/files/etc/nginx/sites-available/website | 2 +-
roles/wiki/files/etc/nginx/sites-available/wiki | 2 +-
8 files changed, 28 insertions(+), 28 deletions(-)
create mode 100644 roles/common-web/files/etc/nginx/conf.d/ssl
delete mode 100644 roles/common-web/files/etc/nginx/ssl/config
diff --git a/roles/common-web/files/etc/nginx/conf.d/ssl b/roles/common-web/files/etc/nginx/conf.d/ssl
new file mode 100644
index 0000000..26a64f4
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/conf.d/ssl
@@ -0,0 +1,20 @@
+ssl on;
+
+# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
+keepalive_timeout 75 75;
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:5m;
+
+# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
+# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
+# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
+# in favor of RC4, but that's not satisfactory either since RC4 has
+# other weaknesses.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+ssl_prefer_server_ciphers on;
+
+# Strict Transport Security header for enhanced security. See
+# http://www.chromium.org/sts.
+add_header Strict-Transport-Security "max-age=15552000";
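Review bot: The cipher preference set by `ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;` together with `ssl_prefer_server_ciphers on;` ranks key size above forward secrecy: `@STRENGTH` sorts the list by encryption key length, so the static-RSA, CBC suite `AES256-SHA` is offered ahead of `ECDHE-RSA-AES128-GCM-SHA256`, and a client that only has the 128-bit AEAD ephemeral suite in common with the server ends up on a session that becomes decryptable from a capture if the server's RSA key is ever compromised. Listing the ephemeral suites first, e.g. `ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:HIGH:!aNULL:!eNULL:!3DES:!MD5:!RC4;`, fixes the ordering without dropping any client that currently connects (`!SSLv2` is a no-op on OpenSSL builds without SSLv2, and `!RC4` is only belt-and-braces since OpenSSL's `HIGH` class already excludes the RC4 suites, as the existing XXX comment implies). A second gotcha is the `add_header Strict-Transport-Security` line: nginx inherits `add_header` only into blocks that define none of their own, so any `location` in the site files that include this snippet and set a header of their own loses HSTS silently, and a warning above it such as `# NOTE: add_header is not inherited into location{} blocks that set their own headers; repeat it there` would save the next person a debugging session. The 2013-dated XXX comment on `ssl_protocols` is also stale by this commit's date and worth refreshing, and `/etc/ssl/private/dhparams.pem` is outside this diff, so its size (it should be at least 2048 bits after Logjam) cannot be confirmed here.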
diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config
deleted file mode 100644
index 26a64f4..0000000
--- a/roles/common-web/files/etc/nginx/ssl/config
+++ /dev/null
@@ -1,20 +0,0 @@
-ssl on;
-
-# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
-keepalive_timeout 75 75;
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:5m;
-
-# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
-# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
-# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
-# in favor of RC4, but that's not satisfactory either since RC4 has
-# other weaknesses.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
-ssl_dhparam /etc/ssl/private/dhparams.pem;
-ssl_prefer_server_ciphers on;
-
-# Strict Transport Security header for enhanced security. See
-# http://www.chromium.org/sts.
-add_header Strict-Transport-Security "max-age=15552000";
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index d2b2acd..1f06c13 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -36,9 +36,9 @@
 notify:
 - Restart Nginx
-- name: Copy SSL configuration
- copy: src=etc/nginx/ssl/config
- dest=/etc/nginx/ssl/config
+- name: Copy SSL configuration snippet
+ copy: src=etc/nginx/conf.d/ssl
+ dest=/etc/nginx/conf.d/ssl
 owner=root group=root
 mode=0644
 register: r2
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index 112babb..c71dd7b 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -50,7 +50,7 @@ server {
 server_name git.fripost.org;
- include ssl/config;
+ include conf.d/ssl;
 ssl_certificate /etc/nginx/ssl/git.fripost.org.pem;
 ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
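Review bot: The task changed to `copy: src=etc/nginx/conf.d/ssl dest=/etc/nginx/conf.d/ssl` installs the snippet at its new path, but nothing in the diff removes the old `/etc/nginx/ssl/config`, so hosts provisioned before this change keep a stale copy of the same TLS settings sitting next to the private keys in `/etc/nginx/ssl/`; a `file: path=/etc/nginx/ssl/config state=absent` task, or a note that it is cleaned up elsewhere, would stop someone later editing the wrong file. The new location is also load-bearing in a way the task does not say: the stock Debian `nginx.conf` includes `/etc/nginx/conf.d/*.conf` at `http` level, and this file only escapes that glob because it has no `.conf` suffix — with `ssl on;` inside it, an http-level include would force TLS on every plain-HTTP `server{}` block. A comment on the task, e.g. `# NOTE: must NOT end in .conf — conf.d/*.conf is included at http level; each server{} pulls this in with 'include conf.d/ssl'`, records that constraint next to the path. Whether the targets run Debian's packaging is not visible in this diff, so the glob detail should be checked against the deployed `nginx.conf`.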
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 77e9dc0..2dad552 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -20,7 +20,7 @@ server {
 access_log /var/log/nginx/lists.access.log;
 error_log /var/log/nginx/lists.error.log info;
- include ssl/config;
+ include conf.d/ssl;
 ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
 ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 8251841..af1818b 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -19,7 +19,7 @@ server {
 server_name mail.fripost.org;
 root /var/lib/roundcube;
- include ssl/config;
+ include conf.d/ssl;
 # include the intermediate certificate, see
 # - https://www.ssllabs.com/ssltest/analyze.html?d=mail.fripost.org
 # - http://nginx.org/en/docs/http/configuring_https_servers.html
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index ba8a34f..2a32212 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -18,7 +18,7 @@ server {
 server_name fripost.org;
- include ssl/config;
+ include conf.d/ssl;
 # include the intermediate certificate, see
 # - https://www.ssllabs.com/ssltest/analyze.html?d=fripost.org
 # - http://nginx.org/en/docs/http/configuring_https_servers.html
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index 304ea1a..8951633 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -26,7 +26,7 @@ server {
 server_name wiki.fripost.org;
- include ssl/config;
+ include conf.d/ssl;
 # include the intermediate certificate, see
 # - https://www.ssllabs.com/ssltest/analyze.html?d=wiki.fripost.org
 # - http://nginx.org/en/docs/http/configuring_https_servers.html
-- 
cgit v1.2.3