Update nginx role
This commit is contained in:
parent
1b9aa00d92
commit
bbb7c76eef
9 changed files with 46 additions and 17 deletions
|
@ -1,5 +1,6 @@
|
|||
certsync_host: srv01.hamburg.freifunk.net
|
||||
nginx_resolver: 80.252.105.162 80.252.105.194
|
||||
nginx_tls_versions: TLSv1.2
|
||||
updates_group: www-data
|
||||
updates_letsencrypt: srv01
|
||||
updates_owner: ffupdates
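Review bot: `nginx_tls_versions: TLSv1.2` on this host overrides the role default `TLSv1.2 TLSv1.3`, so the TLS 1.3 suites this commit configures in openssl.cnf never take effect on srv01, and nothing says why. Whether this line is added or pre-existing is not recoverable from the rendering, but it is live on the new side either way. If the pin is deliberate (for instance an nginx or OpenSSL build on srv01 too old for TLS 1.3), add a comment such as `# TLS 1.3 disabled on srv01: <reason>; remove after upgrade`; if it is a leftover, drop the key so the default applies.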
|
||||
|
|
|
@ -17,14 +17,14 @@ srv03
|
|||
#srv02
|
||||
|
||||
[nginx]
|
||||
gw03-new ansible_host=gw03-new.hamburg.freifunk.net
|
||||
#gw03-new ansible_host=gw03-new.hamburg.freifunk.net
|
||||
|
||||
[updates]
|
||||
srv01
|
||||
srv03
|
||||
|
||||
[vms]
|
||||
gw03-new
|
||||
#gw03-new
|
||||
srv01
|
||||
#srv02
|
||||
srv03
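Review bot: The paired active/commented `gw03-new` lines in `[nginx]` and `[vms]` suggest the commit disables that host, but no comment records why or for how long, the same archaeology already present for `#srv02`. A one-line reason next to each disabled entry keeps the inventory readable, e.g. `# gw03-new: out of nginx/vms since <date> — <reason>`. Whether gw03-new remains reachable through another group is outside this hunk, so the comment should also say whether the host itself is gone or only excluded from these plays.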
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
---
|
||||
nginx_access_log: "off"
|
||||
nginx_ciphers: "ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM"
|
||||
nginx_curves: "X25519:secp521r1:secp384r1"
|
||||
nginx_error_log: "/dev/null error"
|
||||
nginx_package: nginx
|
||||
nginx_packages: [nginx]
|
||||
nginx_tls_versions: TLSv1.2 TLSv1.3
|
||||
nginx_worker_connections: 512
|
||||
nginx_worker_processes: auto
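Review bot: The new `nginx_ciphers` value `ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM` admits RSA-authenticated suites only, so a host ever issued an ECDSA certificate would have no TLS 1.2 suite to offer and would fail the handshake; if ECDSA is not in play that is fine, but it deserves a comment, and `ECDH+aECDSA+CHACHA20:ECDH+aECDSA+AESGCM` could be appended at no cost. Nothing here hints that these lists cover TLS 1.2 only and that the TLS 1.3 suites live in files/openssl.cnf, which is where the next maintainer will not look; a comment above `nginx_ciphers` such as `# TLS 1.2 suites only; TLS 1.3 Ciphersuites are set in files/openssl.cnf` would prevent that. Separately, `nginx_error_log: "/dev/null error"` discards exactly the messages that tell you a templated TLS setting failed to load (bad cipher string, stapling failures), which makes this commit hard to debug and leaves no forensic trail; if that is a deliberate privacy choice, say so in a comment.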
|
||||
|
|
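--- /dev/null
+++ b/roles/nginx/files/openssl.cnf
@@ -0,0 +1,10 @@
+openssl_conf = default_conf
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256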
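Review bot: This file is installed as /etc/ssl/openssl.cnf by the copy task, i.e. the host-wide OpenSSL configuration read by every OpenSSL-linked program, yet it contains nothing but the TLS 1.3 `Ciphersuites` list meant for nginx. Whatever the distribution shipped in that file is lost; on Debian/Ubuntu that would include the `req`/`ca` sections and system defaults such as `MinProtocol`/`CipherString` (not verifiable from here), and every other client and server on the box silently inherits the change. A narrower option is to set the suites in nginx itself with `ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;` (nginx 1.19.4+ built against OpenSSL 1.0.2+), or to keep this file under /etc/nginx/ and point only nginx at it via `Environment=OPENSSL_CONF=...` in a systemd drop-in. If the host-wide install is intended, open the file with a comment saying so and noting that `Ciphersuites` governs TLS 1.3 only while TLS 1.2 is handled by nginx's `ssl_ciphers`.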
@ -1,2 +1,4 @@
|
|||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
add_header Expect-CT "max-age=86400, enforce" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
proxy_hide_header Expect-CT;
|
||||
proxy_hide_header Strict-Transport-Security;
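Review bot: `Expect-CT "max-age=86400, enforce"` is an obsolete header; Chrome, the only major browser that implemented it, removed support in 2022 once Certificate Transparency became mandatory for new certificates, so the new line and its `proxy_hide_header` add bytes without adding protection and can be dropped. The switch to `always` on Strict-Transport-Security is right, since without it nginx omits the header on 4xx/5xx responses. Note that `add_header` is not inherited into any `server` or `location` block that declares its own `add_header`, so each such block must `include` this snippet again or HSTS silently disappears there; a comment at the top of the snippet, `# add_header is not inherited: re-include this snippet in every block that sets its own headers`, would save the next maintainer from that. `max-age=31536000` without `includeSubDomains`/`preload` is a reasonable choice for a host that cannot vouch for its sub-domains, but it should be stated.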
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
add_header Referrer-Policy same-origin;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options sameorigin;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header Referrer-Policy same-origin always;
|
||||
add_header X-Content-Type-Options nosniff always;
|
||||
add_header X-Frame-Options sameorigin always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
proxy_hide_header Referrer-Policy;
|
||||
proxy_hide_header X-Content-Type-Options;
|
||||
proxy_hide_header X-Frame-Options;
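Review bot: `X-XSS-Protection "1; mode=block"` is obsolete, Chrome removed its XSS auditor and Firefox never had one, and the filter it enabled in older browsers was itself abused for cross-site information leaks, so current guidance is `X-XSS-Protection "0"` or omitting the header; if it is kept for legacy clients, say so in a comment. The hunk hides the upstream's Referrer-Policy, X-Content-Type-Options and X-Frame-Options but not X-XSS-Protection, so a proxied app that sets its own would reach the client with two copies; unless that rule sits beyond line 7 of the file, add `proxy_hide_header X-XSS-Protection;` for consistency. The `always` flag on all four is the right fix for error responses.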
|
||||
|
|
|
@ -3,3 +3,8 @@
|
|||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
|
||||
- name: restart nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: restarted
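Review bot: `restart nginx` is needed because OpenSSL reads /etc/ssl/openssl.cnf only at process start, but unlike `reload nginx` a restart against an invalid nginx.conf or openssl.cnf leaves the service down instead of keeping the old workers serving. A config check before the restart closes that gap, e.g. `validate: nginx -t -c %s` on the template task or a `command: nginx -t` step the restart handler listens to; at minimum add a comment on the handler stating why a restart rather than a reload is required. Indentation is not preserved in this rendering, so the YAML structure of the new handler is assumed to mirror the one above it.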
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: install nginx
|
||||
apt:
|
||||
name: "{{ nginx_package }}"
|
||||
name: "{{ nginx_packages }}"
|
||||
cache_valid_time: 86400
|
||||
|
||||
- name: create directories
|
||||
|
@ -19,13 +19,20 @@
|
|||
|
||||
- name: copy snippets
|
||||
copy:
|
||||
src: snippets/
|
||||
dest: /etc/nginx/snippets/
|
||||
src: snippets
|
||||
dest: /etc/nginx/
|
||||
|
||||
- name: copy openssl.cnf
|
||||
copy:
|
||||
src: openssl.cnf
|
||||
dest: /etc/ssl/
|
||||
backup: yes
|
||||
notify: restart nginx
|
||||
|
||||
- name: template nginx.conf
|
||||
template:
|
||||
src: nginx.conf.j2
|
||||
dest: /etc/nginx/nginx.conf
|
||||
src: nginx.conf
|
||||
dest: /etc/nginx/
|
||||
backup: yes
|
||||
notify: reload nginx
|
||||
|
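Review bot: The `copy openssl.cnf` task writes the role's 10-line file over /etc/ssl/openssl.cnf, the host-wide OpenSSL configuration, so every OpenSSL consumer on the host (apt, curl, Python, the Let's Encrypt tooling, …) inherits the change and loses whatever the distribution's file contained; `backup: yes` keeps a copy but does not limit the blast radius. If only nginx's TLS 1.3 suites are the goal, prefer `ssl_conf_command Ciphersuites ...;` in nginx.conf (nginx 1.19.4+) or install the file under /etc/nginx/ and hand `OPENSSL_CONF` to nginx alone through a systemd drop-in; if the host-wide change is intended, name that in the task and set `owner: root`, `group: root`, `mode: '0644'` explicitly rather than inheriting the previous file's or the umask's permissions. The `copy snippets` change between `snippets/` → `/etc/nginx/snippets/` and `snippets` → `/etc/nginx/` yields the same tree, but the trailing-slash semantics are easy to misread and merit a one-line comment.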
||||
|
|
|
@ -34,11 +34,13 @@ http {
|
|||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_protocols {{ nginx_tls_versions }};
|
||||
ssl_ciphers {{ nginx_ciphers }};
|
||||
ssl_ecdh_curve {{ nginx_curves }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1;
|
||||
ssl_session_cache shared:SSL:1M;
|
||||
ssl_session_cache shared:SSL:10M;
|
||||
ssl_session_timeout 10m;
|
||||
ssl_session_tickets off;
|
||||
{% if nginx_resolver is defined %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
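Review bot: `ssl_ciphers {{ nginx_ciphers }};` with `ssl_prefer_server_ciphers on;` is a defensible TLS 1.2 policy, but nothing in the template says that TLS 1.3 suites are not set here and instead come from the /etc/ssl/openssl.cnf this role installs, so a maintainer reading this block will assume `ssl_ciphers` is the whole story; add `# TLS 1.2 suites only; TLS 1.3 Ciphersuites come from files/openssl.cnf` above the directive. `ssl_ecdh_curve {{ nginx_curves }}` with X25519 first is good; secp521r1 is not offered by Chrome or Firefox, so it serves only as a fallback for other clients, harmless but worth a note. Placing `ssl_stapling on` inside `{% if nginx_resolver is defined %}` is correct since stapling needs a resolver, but the matching `resolver` line and `{% endif %}` lie outside the hunk; with no `ssl_trusted_certificate`, `ssl_stapling_verify on` relies on the chain shipped in `ssl_certificate`, which works for Let's Encrypt fullchain files (the certsync/letsencrypt variables suggest that is the case) and should be stated as the assumption.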
|
||||
|
@ -57,7 +59,6 @@ http {
|
|||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|