From e250173c23a9c192dc18ba34115f94816846ccf3 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 16 May 2020 00:51:30 +0200 Subject: role/common-web: Upgrade baseline to Debian 10. --- .../common-web/files/etc/nginx/sites-available/default | 2 +- .../files/etc/nginx/snippets/fastcgi-php.conf | 18 +++++++++++------- roles/common-web/files/etc/nginx/snippets/fastcgi.conf | 9 +++++---- roles/common-web/files/etc/nginx/snippets/ssl.conf | 13 ++++++------- 4 files changed, 23 insertions(+), 19 deletions(-) diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default index 63c7910..295cb6d 100644 --- a/roles/common-web/files/etc/nginx/sites-available/default +++ b/roles/common-web/files/etc/nginx/sites-available/default @@ -7,6 +7,6 @@ server { # serve ACME challenges on all virtual hosts # /!\ need to be served individually for each explicit virtual host as well! - include snippets/acme-challenge.conf; + include /etc/lacme/nginx.conf; include snippets/headers.conf; } diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf index 9668bb8..48ebc63 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf @@ -1,10 +1,14 @@ -# cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP +# regex to split $uri to $fastcgi_script_name and $fastcgi_path +fastcgi_split_path_info ^(.+?\.php)(/.*)$; + +# Check that the PHP script exists before passing it try_files $fastcgi_script_name =404; -include snippets/fastcgi.conf; -# required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; +# Bypass the fact that try_files resets $fastcgi_path_info +# see: http://trac.nginx.org/nginx/ticket/321 +set $path_info $fastcgi_path_info; +fastcgi_param PATH_INFO $path_info; -fastcgi_intercept_errors on; -fastcgi_read_timeout 14400; -fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; +fastcgi_index index.php; +include snippets/fastcgi.conf; +fastcgi_pass unix:/run/php/php7.3-fpm.sock; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf index ee058da..9a0a029 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf @@ -1,16 +1,16 @@ +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; -fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_NAME $fastcgi_script_name; -fastcgi_param PATH_INFO $fastcgi_path_info; -fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; @@ -21,4 +21,5 @@ fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; -fastcgi_param HTTPS $https if_not_empty; +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf index d3ccd9e..57a317b 100644 --- a/roles/common-web/files/etc/nginx/snippets/ssl.conf +++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf @@ -1,5 +1,5 @@ # https://wiki.mozilla.org/Security/Server_Side_TLS -# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0j&hsts=yes&profile=intermediate +# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.14.2&openssl=1.1.1c&hsts=yes&profile=intermediate # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate # ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lacme/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem @@ -13,13 +13,12 @@ ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /etc/ssl/dhparams.pem; -# intermediate configuration. tweak to your needs. -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; -ssl_prefer_server_ciphers on; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; +ssl_prefer_server_ciphers off; -# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) -add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains'; +# HSTS (ngx_http_headers_module is required) (31557600 seconds = 1 year) +add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always; # OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them # https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf -- cgit v1.2.3