From bbb7c76eefbbc74453d434060281b4eb5a99a7f6 Mon Sep 17 00:00:00 2001
From: Alexander Dietrich <alexander@dietrich.cx>
Date: Mon, 23 Mar 2020 20:43:06 +0100
Subject: [PATCH] Update nginx role

---
 host_vars/srv03                                 |  1 +
 production                                      |  4 ++--
 roles/nginx/defaults/main.yml                   |  5 ++++-
 roles/nginx/files/openssl.cnf                   | 10 ++++++++++
 roles/nginx/files/snippets/header-hsts.conf     |  4 +++-
 roles/nginx/files/snippets/header-security.conf |  8 ++++----
 roles/nginx/handlers/main.yml                   |  5 +++++
 roles/nginx/tasks/main.yml                      | 17 ++++++++++++-----
 .../templates/{nginx.conf.j2 => nginx.conf}     |  9 +++++----
 9 files changed, 46 insertions(+), 17 deletions(-)
 create mode 100644 roles/nginx/files/openssl.cnf
 rename roles/nginx/templates/{nginx.conf.j2 => nginx.conf} (88%)

diff --git a/host_vars/srv03 b/host_vars/srv03
index 075ccf1..44f7584 100644
--- a/host_vars/srv03
+++ b/host_vars/srv03
@@ -1,5 +1,6 @@
 certsync_host: srv01.hamburg.freifunk.net
 nginx_resolver: 80.252.105.162 80.252.105.194
+nginx_tls_versions: TLSv1.2
 updates_group: www-data
 updates_letsencrypt: srv01
 updates_owner: ffupdates
diff --git a/production b/production
index 96b681c..b3fc085 100644
--- a/production
+++ b/production
@@ -17,14 +17,14 @@ srv03
 #srv02
 
 [nginx]
-gw03-new ansible_host=gw03-new.hamburg.freifunk.net
+#gw03-new ansible_host=gw03-new.hamburg.freifunk.net
 
 [updates]
 srv01
 srv03
 
 [vms]
-gw03-new
+#gw03-new
 srv01
 #srv02
 srv03
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index f4915de..ad4e28b 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,6 +1,9 @@
 ---
 nginx_access_log: "off"
+nginx_ciphers: "ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM"
+nginx_curves: "X25519:secp521r1:secp384r1"
 nginx_error_log: "/dev/null error"
-nginx_package: nginx
+nginx_packages: [nginx]
+nginx_tls_versions: TLSv1.2 TLSv1.3
 nginx_worker_connections: 512
 nginx_worker_processes: auto
diff --git a/roles/nginx/files/openssl.cnf b/roles/nginx/files/openssl.cnf
new file mode 100644
index 0000000..38a7328
--- /dev/null
+++ b/roles/nginx/files/openssl.cnf
@@ -0,0 +1,10 @@
+openssl_conf = default_conf
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
diff --git a/roles/nginx/files/snippets/header-hsts.conf b/roles/nginx/files/snippets/header-hsts.conf
index edfdd17..a9abbb9 100644
--- a/roles/nginx/files/snippets/header-hsts.conf
+++ b/roles/nginx/files/snippets/header-hsts.conf
@@ -1,2 +1,4 @@
-add_header Strict-Transport-Security "max-age=31536000";
+add_header Expect-CT "max-age=86400, enforce" always;
+add_header Strict-Transport-Security "max-age=31536000" always;
+proxy_hide_header Expect-CT;
 proxy_hide_header Strict-Transport-Security;
diff --git a/roles/nginx/files/snippets/header-security.conf b/roles/nginx/files/snippets/header-security.conf
index fd0c678..bad6060 100644
--- a/roles/nginx/files/snippets/header-security.conf
+++ b/roles/nginx/files/snippets/header-security.conf
@@ -1,7 +1,7 @@
-add_header Referrer-Policy same-origin;
-add_header X-Content-Type-Options nosniff;
-add_header X-Frame-Options sameorigin;
-add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy same-origin always;
+add_header X-Content-Type-Options nosniff always;
+add_header X-Frame-Options sameorigin always;
+add_header X-XSS-Protection "1; mode=block" always;
 proxy_hide_header Referrer-Policy;
 proxy_hide_header X-Content-Type-Options;
 proxy_hide_header X-Frame-Options;
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index d4e42ca..15bc297 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -3,3 +3,8 @@
   service:
     name: nginx
     state: reloaded
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index ef4a286..c90aa40 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: install nginx
   apt:
-    name: "{{ nginx_package }}"
+    name: "{{ nginx_packages }}"
     cache_valid_time: 86400
 
 - name: create directories
@@ -19,13 +19,20 @@
 
 - name: copy snippets
   copy:
-    src: snippets/
-    dest: /etc/nginx/snippets/
+    src: snippets
+    dest: /etc/nginx/
+
+- name: copy openssl.cnf
+  copy:
+    src: openssl.cnf
+    dest: /etc/ssl/
+    backup: yes
+  notify: restart nginx
 
 - name: template nginx.conf
   template:
-    src: nginx.conf.j2
-    dest: /etc/nginx/nginx.conf
+    src: nginx.conf
+    dest: /etc/nginx/
     backup: yes
   notify: reload nginx
 
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf
similarity index 88%
rename from roles/nginx/templates/nginx.conf.j2
rename to roles/nginx/templates/nginx.conf
index d278f8e..12032b6 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf
@@ -34,11 +34,13 @@ http {
     # SSL Settings
     ##
 
-    ssl_protocols TLSv1.2;
+    ssl_protocols {{ nginx_tls_versions }};
+    ssl_ciphers {{ nginx_ciphers }};
+    ssl_ecdh_curve {{ nginx_curves }};
     ssl_prefer_server_ciphers on;
-    ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1;
-    ssl_session_cache shared:SSL:1M;
+    ssl_session_cache shared:SSL:10M;
     ssl_session_timeout 10m;
+    ssl_session_tickets off;
 {% if nginx_resolver is defined %}
     ssl_stapling on;
     ssl_stapling_verify on;
@@ -57,7 +59,6 @@ http {
     ##
 
     gzip on;
-    gzip_disable "msie6";
 
     # gzip_vary on;
     # gzip_proxied any;