Update nginx role

Alexander Dietrich 2020-03-23 20:43:06 +01:00
parent 1b9aa00d92
commit bbb7c76eef
9 changed files with 46 additions and 17 deletions


@ -1,5 +1,6 @@
certsync_host: srv01.hamburg.freifunk.net certsync_host: srv01.hamburg.freifunk.net
nginx_resolver: 80.252.105.162 80.252.105.194 nginx_resolver: 80.252.105.162 80.252.105.194
nginx_tls_versions: TLSv1.2
updates_group: www-data updates_group: www-data
updates_letsencrypt: srv01 updates_letsencrypt: srv01
updates_owner: ffupdates updates_owner: ffupdates
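Review bot: The host-level `nginx_tls_versions: TLSv1.2` added here silently disables TLS 1.3 for this host while the role default allows `TLSv1.2 TLSv1.3`, and nothing records why; if this host is in the `[nginx]` group it also makes the TLS 1.3 `Ciphersuites` the role installs via openssl.cnf irrelevant here. A one-line comment above it, such as `# TLSv1.2 only: <client or certificate constraint> — remove once resolved`, would keep the next maintainer from either "fixing" it or leaving it in place forever. If the pin was added as a precaution rather than for a known incompatible client, consider dropping it, since clients without TLS 1.3 negotiate 1.2 anyway.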


@ -17,14 +17,14 @@ srv03
#srv02 #srv02
[nginx] [nginx]
gw03-new ansible_host=gw03-new.hamburg.freifunk.net #gw03-new ansible_host=gw03-new.hamburg.freifunk.net
[updates] [updates]
srv01 srv01
srv03 srv03
[vms] [vms]
gw03-new #gw03-new
srv01 srv01
#srv02 #srv02
srv03 srv03


@ -1,6 +1,9 @@
--- ---
nginx_access_log: "off" nginx_access_log: "off"
nginx_ciphers: "ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM"
nginx_curves: "X25519:secp521r1:secp384r1"
nginx_error_log: "/dev/null error" nginx_error_log: "/dev/null error"
nginx_package: nginx nginx_packages: [nginx]
nginx_tls_versions: TLSv1.2 TLSv1.3
nginx_worker_connections: 512 nginx_worker_connections: 512
nginx_worker_processes: auto nginx_worker_processes: auto
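Review bot: The new `nginx_ciphers` default (`ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM`) selects only RSA-authenticated suites, so any server block that is ever issued an ECDSA certificate has no usable TLS 1.2 cipher and the handshake fails with "no shared cipher"; the old string had the same restriction, so this rewrite is the moment to lift it. Allowing both authentication types costs nothing: `nginx_ciphers: "ECDH+aRSA+CHACHA20:ECDH+aECDSA+CHACHA20:ECDH+aRSA+AESGCM:ECDH+aECDSA+AESGCM"`. A comment that this string governs TLS 1.2 only and that the TLS 1.3 suites come from the role's openssl.cnf would also help, since someone tuning ciphers here will otherwise miss the second place.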


@ -0,0 +1,10 @@
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
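Review bot: The new openssl.cnf sets only `Ciphersuites` and carries no comment on why TLS 1.3 suites are configured system-wide rather than in nginx; a header such as `# nginx's ssl_ciphers covers TLS 1.2 only; TLS 1.3 suites can only be set through OpenSSL's system_default` would make the file self-explanatory. Because the role copies this file to /etc/ssl/, on an apt-based host it becomes the library-wide OpenSSL configuration, so `[system_default_sect]` should also state `MinProtocol = TLSv1.2` and a `CipherString` rather than leaving TLS 1.2 behaviour for every other OpenSSL client at the compiled-in defaults. Whether the distro file it replaces set those values is not visible here, so this is worth checking before rollout.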


@ -1,2 +1,4 @@
add_header Strict-Transport-Security "max-age=31536000"; add_header Expect-CT "max-age=86400, enforce" always;
add_header Strict-Transport-Security "max-age=31536000" always;
proxy_hide_header Expect-CT;
proxy_hide_header Strict-Transport-Security; proxy_hide_header Strict-Transport-Security;
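Review bot: `Expect-CT "max-age=86400, enforce"` enforces without a `report-uri`, so if a certificate ever lacks the expected SCTs, browsers that honour the header refuse the site for a day and the operator gets no signal; the usual rollout is `report-uri` first, and `enforce` alone is hard to justify. Expect-CT has since been deprecated and removed from Chromium, and Let's Encrypt certificates (which `updates_letsencrypt` suggests are in use) already embed SCTs, so the header adds nothing for current clients; consider dropping it together with the matching `proxy_hide_header Expect-CT`. If the HSTS line deliberately omits `includeSubDomains` because other hamburg.freifunk.net hosts are not on TLS, a short comment saying so would help.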


@ -1,7 +1,7 @@
add_header Referrer-Policy same-origin; add_header Referrer-Policy same-origin always;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options sameorigin; add_header X-Frame-Options sameorigin always;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block" always;
proxy_hide_header Referrer-Policy; proxy_hide_header Referrer-Policy;
proxy_hide_header X-Content-Type-Options; proxy_hide_header X-Content-Type-Options;
proxy_hide_header X-Frame-Options; proxy_hide_header X-Frame-Options;
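Review bot: `X-XSS-Protection "1; mode=block"` enables a browser filter that current Chromium and Edge have removed and Firefox never had, and in the versions that still implement it the filter has been abused for cross-site leaks; current guidance is `add_header X-XSS-Protection "0" always;` or omitting the header and relying on a Content-Security-Policy, which this snippet does not set. Note also that nginx's `add_header` is not inherited when a `location` block adds its own headers, so a server block that uses this snippet must include it again at that level or the headers silently disappear; a comment at the top of the snippet stating that would prevent the usual surprise.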


@ -3,3 +3,8 @@
service: service:
name: nginx name: nginx
state: reloaded state: reloaded
- name: restart nginx
service:
name: nginx
state: restarted


@ -1,7 +1,7 @@
--- ---
- name: install nginx - name: install nginx
apt: apt:
name: "{{ nginx_package }}" name: "{{ nginx_packages }}"
cache_valid_time: 86400 cache_valid_time: 86400
- name: create directories - name: create directories
@ -19,13 +19,20 @@
- name: copy snippets - name: copy snippets
copy: copy:
src: snippets/ src: snippets
dest: /etc/nginx/snippets/ dest: /etc/nginx/
- name: copy openssl.cnf
copy:
src: openssl.cnf
dest: /etc/ssl/
backup: yes
notify: restart nginx
- name: template nginx.conf - name: template nginx.conf
template: template:
src: nginx.conf.j2 src: nginx.conf
dest: /etc/nginx/nginx.conf dest: /etc/nginx/
backup: yes backup: yes
notify: reload nginx notify: reload nginx
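Review bot: The new `copy openssl.cnf` task installs the role's ten-line file as `/etc/ssl/openssl.cnf`, which on an apt-based host is the library-wide OpenSSL configuration, so every TLS client on the machine (certsync, apt, curl, python) inherits it and whatever the distro shipped there — typically a `MinProtocol`/`CipherString@SECLEVEL` default and the `[ req ]`/`[ ca ]` sections the `openssl` CLI uses — is gone; `backup: yes` keeps one copy but nothing restores it. Scoping the change to nginx is safer: install to `dest: /etc/ssl/openssl-nginx.cnf` and point the service at it with `Environment=OPENSSL_CONF=/etc/ssl/openssl-nginx.cnf` in a systemd drop-in, or merge the role's `[system_default_sect]` into the distro file instead of replacing it. If overriding the host-wide defaults is intentional, a comment on the task saying so would stop the next reviewer from raising this again.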


@ -34,11 +34,13 @@ http {
# SSL Settings # SSL Settings
## ##
ssl_protocols TLSv1.2; ssl_protocols {{ nginx_tls_versions }};
ssl_ciphers {{ nginx_ciphers }};
ssl_ecdh_curve {{ nginx_curves }};
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1; ssl_session_cache shared:SSL:10M;
ssl_session_cache shared:SSL:1M;
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_session_tickets off;
{% if nginx_resolver is defined %} {% if nginx_resolver is defined %}
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
@ -57,7 +59,6 @@ http {
## ##
gzip on; gzip on;
gzip_disable "msie6";
# gzip_vary on; # gzip_vary on;
# gzip_proxied any; # gzip_proxied any;