From 2495327985da791891b579bd05b3cda1f41dfda7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 3 Dec 2018 03:04:22 +0100 Subject: Upgrade baseline to Debian Stretch. --- roles/common-web/files/etc/nginx/sites-available/default | 4 ++-- .../common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf | 10 +++++----- roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf | 12 ++++++------ roles/common-web/files/etc/nginx/snippets/fastcgi.conf | 3 ++- roles/common-web/files/etc/nginx/snippets/ssl.conf | 2 +- 5 files changed, 16 insertions(+), 15 deletions(-) (limited to 'roles/common-web/files/etc') diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default index 6cbea18..63c7910 100644 --- a/roles/common-web/files/etc/nginx/sites-available/default +++ b/roles/common-web/files/etc/nginx/sites-available/default @@ -1,6 +1,6 @@ server { - listen 80 default_server; - listen [::]:80 default_server; + listen 80 default_server; + listen [::]:80 default_server; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log info; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf index ebf3aa0..aa82ca6 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf @@ -3,8 +3,8 @@ include snippets/fastcgi-php.conf; -fastcgi_param HTTPS on; -fastcgi_param SSL_PROTOCOL $ssl_protocol; -fastcgi_param SSL_CIPHER $ssl_cipher; -fastcgi_param SSL_SESSION_ID $ssl_session_id; -fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify; +fastcgi_param HTTPS on; +fastcgi_param SSL_PROTOCOL $ssl_protocol; +fastcgi_param SSL_CIPHER $ssl_cipher; +fastcgi_param SSL_SESSION_ID $ssl_session_id; +fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf index 5823909..9668bb8 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf @@ -1,10 +1,10 @@ # cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP -try_files $uri $uri/ =404; +try_files $fastcgi_script_name =404; -include snippets/fastcgi.conf; +include snippets/fastcgi.conf; # required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; +fastcgi_param REDIRECT_STATUS 200; -fastcgi_intercept_errors on; -fastcgi_read_timeout 14400; -fastcgi_pass unix:/var/run/php5-fpm.sock; +fastcgi_intercept_errors on; +fastcgi_read_timeout 14400; +fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf index 80132ec..ee058da 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf @@ -6,6 +6,7 @@ fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; +fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; @@ -20,4 +21,4 @@ fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; -fastcgi_param HTTPS $https; +fastcgi_param HTTPS $https if_not_empty; diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf index 09082e7..d3ccd9e 100644 --- a/roles/common-web/files/etc/nginx/snippets/ssl.conf +++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf @@ -1,5 +1,5 @@ # https://wiki.mozilla.org/Security/Server_Side_TLS -# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate +# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0j&hsts=yes&profile=intermediate # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate # ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lacme/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem -- cgit v1.2.3