From bbb7c76eefbbc74453d434060281b4eb5a99a7f6 Mon Sep 17 00:00:00 2001 From: Alexander Dietrich Date: Mon, 23 Mar 2020 20:43:06 +0100 Subject: [PATCH] Update nginx role --- host_vars/srv03 | 1 + production | 4 ++-- roles/nginx/defaults/main.yml | 5 ++++- roles/nginx/files/openssl.cnf | 10 ++++++++++ roles/nginx/files/snippets/header-hsts.conf | 4 +++- roles/nginx/files/snippets/header-security.conf | 8 ++++---- roles/nginx/handlers/main.yml | 5 +++++ roles/nginx/tasks/main.yml | 17 ++++++++++++----- .../templates/{nginx.conf.j2 => nginx.conf} | 9 +++++---- 9 files changed, 46 insertions(+), 17 deletions(-) create mode 100644 roles/nginx/files/openssl.cnf rename roles/nginx/templates/{nginx.conf.j2 => nginx.conf} (88%) diff --git a/host_vars/srv03 b/host_vars/srv03 index 075ccf1..44f7584 100644 --- a/host_vars/srv03 +++ b/host_vars/srv03 @@ -1,5 +1,6 @@ certsync_host: srv01.hamburg.freifunk.net nginx_resolver: 80.252.105.162 80.252.105.194 +nginx_tls_versions: TLSv1.2 updates_group: www-data updates_letsencrypt: srv01 updates_owner: ffupdates diff --git a/production b/production index 96b681c..b3fc085 100644 --- a/production +++ b/production @@ -17,14 +17,14 @@ srv03 #srv02 [nginx] -gw03-new ansible_host=gw03-new.hamburg.freifunk.net +#gw03-new ansible_host=gw03-new.hamburg.freifunk.net [updates] srv01 srv03 [vms] -gw03-new +#gw03-new srv01 #srv02 srv03 diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index f4915de..ad4e28b 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,6 +1,9 @@ --- nginx_access_log: "off" +nginx_ciphers: "ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM" +nginx_curves: "X25519:secp521r1:secp384r1" nginx_error_log: "/dev/null error" -nginx_package: nginx +nginx_packages: [nginx] +nginx_tls_versions: TLSv1.2 TLSv1.3 nginx_worker_connections: 512 nginx_worker_processes: auto diff --git a/roles/nginx/files/openssl.cnf b/roles/nginx/files/openssl.cnf new file mode 100644 index 0000000..38a7328 
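Review bot: The added `nginx_tls_versions: TLSv1.2` in host_vars/srv03 pins this host to TLS 1.2 only, but nothing records why it deviates from the role default of `TLSv1.2 TLSv1.3` set in roles/nginx/defaults/main.yml. Because the `Ciphersuites` list in the new roles/nginx/files/openssl.cnf only governs TLS 1.3, that file has no effect on srv03 while this override stands. A comment above the line, e.g. `# TLS 1.3 disabled on srv03: <REASON-PLACEHOLDER>; remove this override once resolved`, keeps the exception from outliving its cause.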
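Review bot: In roles/nginx/defaults/main.yml `nginx_package` is renamed to `nginx_packages` (now a list) with no compatibility fallback, so any host_vars or group_vars still setting `nginx_package` would be silently ignored and the default `[nginx]` installed instead; no such override is visible in this commit, so this is a risk rather than a shown breakage. The new TLS defaults also deserve a line of documentation: `nginx_tls_versions` containing `TLSv1.3` needs an nginx and OpenSSL build with TLS 1.3 support or the config test fails on older hosts, and `nginx_ciphers` applies to TLS 1.2 only. Suggested comments: `# TLS 1.2 cipher list; TLS 1.3 suites are set via files/openssl.cnf` above `nginx_ciphers`, and `# list of apt packages; replaces the former scalar nginx_package` above `nginx_packages`.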
--- /dev/null
+++ b/roles/nginx/files/openssl.cnf
@@ -0,0 +1,10 @@
+openssl_conf = default_conf
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
diff --git a/roles/nginx/files/snippets/header-hsts.conf b/roles/nginx/files/snippets/header-hsts.conf
index edfdd17..a9abbb9 100644
--- a/roles/nginx/files/snippets/header-hsts.conf
+++ b/roles/nginx/files/snippets/header-hsts.conf
@@ -1,2 +1,4 @@
-add_header Strict-Transport-Security "max-age=31536000";
+add_header Expect-CT "max-age=86400, enforce" always;
+add_header Strict-Transport-Security "max-age=31536000" always;
+proxy_hide_header Expect-CT;
 proxy_hide_header Strict-Transport-Security;
diff --git a/roles/nginx/files/snippets/header-security.conf b/roles/nginx/files/snippets/header-security.conf
index fd0c678..bad6060 100644
--- a/roles/nginx/files/snippets/header-security.conf
+++ b/roles/nginx/files/snippets/header-security.conf
@@ -1,7 +1,7 @@
-add_header Referrer-Policy same-origin;
-add_header X-Content-Type-Options nosniff;
-add_header X-Frame-Options sameorigin;
-add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy same-origin always;
+add_header X-Content-Type-Options nosniff always;
+add_header X-Frame-Options sameorigin always;
+add_header X-XSS-Protection "1; mode=block" always;
 proxy_hide_header Referrer-Policy;
 proxy_hide_header X-Content-Type-Options;
 proxy_hide_header X-Frame-Options;
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index d4e42ca..15bc297 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -3,3 +3,8 @@
 service:
 name: nginx
 state: reloaded
+
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index ef4a286..c90aa40 100644
--- a/roles/nginx/tasks/main.yml
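Review bot: This file is copied over `/etc/ssl/openssl.cnf` by the new task in roles/nginx/tasks/main.yml, so it replaces the distribution's system-wide OpenSSL configuration for every program on the host, not just nginx, yet it contains only the TLS 1.3 `Ciphersuites` line. Whatever else the distro file provided — its system-wide `CipherString`/`MinProtocol` defaults and the `[req]`/`[ca]` sections the `openssl` command-line tools read — is dropped, which can weaken defaults for other TLS clients on the box and break certificate tooling; `backup: yes` keeps a copy but nothing restores it. A safer shape is to leave the distro file in place and merge this section in with `blockinfile`, or to scope the override to nginx alone (`ssl_conf_command Ciphersuites ...` on nginx builds that support it). At minimum add a header comment, `# Installed as /etc/ssl/openssl.cnf: replaces the system OpenSSL config to set TLS 1.3 suites for nginx`, so the scope of the change is visible to the next reader.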
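Review bot: `add_header Expect-CT "max-age=86400, enforce" always;` in header-hsts.conf is added with enforcement, but the Expect-CT header has since been deprecated and removed by the browsers that implemented it, so it adds no protection while `enforce` keeps a failure mode if a certificate without embedded SCTs is ever served. Consider dropping the line, or document the decision with `# Expect-CT: deprecated in browsers; kept because <REASON-PLACEHOLDER>`. Separately, nginx's `add_header` is not inherited into any `server` or `location` block that declares its own `add_header`, so this snippet and header-security.conf must be included at every level that adds headers; the new `always` flag does not change that, and a one-line comment at the top of each snippet saying so would prevent silently missing headers.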
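Review bot: `add_header X-XSS-Protection "1; mode=block" always;` in header-security.conf re-emits the legacy XSS auditor header; current guidance (e.g. OWASP) is to send `0` or omit it, since the auditor has been removed from modern browsers and its filtering mode was itself a source of information leaks in older ones. The change under review only adds `always`, which is correct, but it is a good moment to either switch the value to `add_header X-XSS-Protection "0" always;` or add `# legacy header, no effect in current browsers` so the intent is recorded.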
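Review bot: The new `restart nginx` handler sits beside `reload nginx` with nothing explaining when each applies; its only caller in this commit is the openssl.cnf copy task, presumably because the system OpenSSL configuration is read when the master process starts and a reload, which only replaces workers, would not pick it up — confirm against the nginx/OpenSSL versions in use. A comment above the handler, `# full restart: needed when /etc/ssl/openssl.cnf changes, a reload does not re-read it`, records that and keeps a later cleanup from collapsing the two handlers into one.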
+++ b/roles/nginx/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: install nginx apt: - name: "{{ nginx_package }}" + name: "{{ nginx_packages }}" cache_valid_time: 86400 - name: create directories @@ -19,13 +19,20 @@ - name: copy snippets copy: - src: snippets/ - dest: /etc/nginx/snippets/ + src: snippets + dest: /etc/nginx/ + +- name: copy openssl.cnf + copy: + src: openssl.cnf + dest: /etc/ssl/ + backup: yes + notify: restart nginx - name: template nginx.conf template: - src: nginx.conf.j2 - dest: /etc/nginx/nginx.conf + src: nginx.conf + dest: /etc/nginx/ backup: yes notify: reload nginx diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf similarity index 88% rename from roles/nginx/templates/nginx.conf.j2 rename to roles/nginx/templates/nginx.conf index d278f8e..12032b6 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf @@ -34,11 +34,13 @@ http { # SSL Settings ## - ssl_protocols TLSv1.2; + ssl_protocols {{ nginx_tls_versions }}; + ssl_ciphers {{ nginx_ciphers }}; + ssl_ecdh_curve {{ nginx_curves }}; ssl_prefer_server_ciphers on; - ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1; - ssl_session_cache shared:SSL:1M; + ssl_session_cache shared:SSL:10M; ssl_session_timeout 10m; + ssl_session_tickets off; {% if nginx_resolver is defined %} ssl_stapling on; ssl_stapling_verify on; @@ -57,7 +59,6 @@ http { ## gzip on; - gzip_disable "msie6"; # gzip_vary on; # gzip_proxied any;
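Review bot: The `copy snippets` task in roles/nginx/tasks/main.yml still has no `notify`, so a changed header-hsts.conf or header-security.conf lands in /etc/nginx/snippets but takes effect only when something else triggers a reload; add `notify: reload nginx` to that task next to the new `src: snippets` / `dest: /etc/nginx/` lines. The `template nginx.conf` task does notify, so after this commit only template changes are reliably applied. The hunk's old-side line count does not match the lines recoverable from the collapsed text (blank lines were probably lost), so the exact surroundings of these tasks may differ from what is visible here.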
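Review bot: `ssl_ciphers {{ nginx_ciphers }};` in the renamed nginx.conf template governs TLS 1.2 handshakes only; the TLS 1.3 suites are set through the system-wide /etc/ssl/openssl.cnf this commit installs, and nothing in the template links the two, so a reader tuning ciphers here will not find the TLS 1.3 half. A comment above the line, `# TLS 1.2 only; TLS 1.3 suites come from /etc/ssl/openssl.cnf (roles/nginx/files/openssl.cnf)`, closes that gap; `ssl_prefer_server_ciphers on` likewise has no effect on TLS 1.3 and is harmless. Dropping the `.j2` suffix in the rename removes the usual signal that the file is a Jinja template, which is a style choice worth stating in the role's README or a leading `{# ... #}` comment. The enclosing `http {` block starts before and ends after this hunk.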