Update nginx role
This commit is contained in:
parent
1b9aa00d92
commit
bbb7c76eef
|
@ -1,5 +1,6 @@
|
||||||
certsync_host: srv01.hamburg.freifunk.net
|
certsync_host: srv01.hamburg.freifunk.net
|
||||||
nginx_resolver: 80.252.105.162 80.252.105.194
|
nginx_resolver: 80.252.105.162 80.252.105.194
|
||||||
|
nginx_tls_versions: TLSv1.2
|
||||||
updates_group: www-data
|
updates_group: www-data
|
||||||
updates_letsencrypt: srv01
|
updates_letsencrypt: srv01
|
||||||
updates_owner: ffupdates
|
updates_owner: ffupdates
|
||||||
|
|
|
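Review bot: The host-level `nginx_tls_versions: TLSv1.2` carries no explanation of why this host stays on TLS 1.2 only, while the role default added in the same commit is `TLSv1.2 TLSv1.3`, so a later maintainer cannot tell whether this is a deliberate client-compatibility exception or a value that simply predates the new default. A one-line comment above it would settle that, e.g. `# TLSv1.3 deliberately excluded on this host: <reason>`. If it is not deliberate, dropping the key lets the role default apply and keeps the TLS policy in one place.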
@ -17,14 +17,14 @@ srv03
|
||||||
#srv02
|
#srv02
|
||||||
|
|
||||||
[nginx]
|
[nginx]
|
||||||
gw03-new ansible_host=gw03-new.hamburg.freifunk.net
|
#gw03-new ansible_host=gw03-new.hamburg.freifunk.net
|
||||||
|
|
||||||
[updates]
|
[updates]
|
||||||
srv01
|
srv01
|
||||||
srv03
|
srv03
|
||||||
|
|
||||||
[vms]
|
[vms]
|
||||||
gw03-new
|
#gw03-new
|
||||||
srv01
|
srv01
|
||||||
#srv02
|
#srv02
|
||||||
srv03
|
srv03
|
||||||
|
|
|
@ -1,6 +1,9 @@
|
||||||
---
|
---
|
||||||
nginx_access_log: "off"
|
nginx_access_log: "off"
|
||||||
|
nginx_ciphers: "ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM"
|
||||||
|
nginx_curves: "X25519:secp521r1:secp384r1"
|
||||||
nginx_error_log: "/dev/null error"
|
nginx_error_log: "/dev/null error"
|
||||||
nginx_package: nginx
|
nginx_packages: [nginx]
|
||||||
|
nginx_tls_versions: TLSv1.2 TLSv1.3
|
||||||
nginx_worker_connections: 512
|
nginx_worker_connections: 512
|
||||||
nginx_worker_processes: auto
|
nginx_worker_processes: auto
|
||||||
|
|
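Review bot: `nginx_ciphers: "ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM"` only matches RSA-authenticated TLS 1.2 suites, so a host that is later issued an ECDSA certificate would have no usable TLS 1.2 cipher at all; `ECDHE+CHACHA20:ECDHE+AESGCM` selects the same suites for RSA certificates without tying the list to the key type. Nothing here states that this list governs TLS 1.2 only: with TLSv1.3 now in `nginx_tls_versions`, TLS 1.3 suites are chosen by the `Ciphersuites` line in the role's openssl.cnf (separate hunk), which is easy to miss when someone edits this variable, so a comment such as `# TLS 1.2 suites only; TLS 1.3 suites are set by Ciphersuites in files/openssl.cnf` belongs above it (the same comment fits next to `ssl_ciphers` in the nginx.conf template). `nginx_curves` likewise deserves a line on why secp521r1 is ordered ahead of secp384r1, which is unusual and otherwise reads as a typo.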
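--- a/roles/nginx/files/openssl.cnf
+++ b/roles/nginx/files/openssl.cnf
@@ -0,0 +1,10 @@
+openssl_conf = default_conf
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256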
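Review bot: `[system_default_sect]` sets only `Ciphersuites`, so there is no `MinProtocol` and no TLS 1.2 `CipherString` in this file, and since the copy task in this commit places it under /etc/ssl/ (which reads as the system-wide /etc/ssl/openssl.cnf) the distribution's own defaults in that section (Debian/Ubuntu ship `MinProtocol = TLSv1.2` and `CipherString = DEFAULT@SECLEVEL=2` there) would no longer apply to the other OpenSSL consumers on the host. If that is intended, a header comment should say the file deliberately replaces the distro configuration and that the TLS 1.2 policy for nginx lives in `ssl_ciphers`; otherwise add `MinProtocol = TLSv1.2` and `CipherString = DEFAULT@SECLEVEL=2` next to `Ciphersuites` so the system baseline is kept. The stock `[req]`-style sections are gone too, which may affect other OpenSSL tooling on these hosts.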
@ -1,2 +1,4 @@
|
||||||
add_header Strict-Transport-Security "max-age=31536000";
|
add_header Expect-CT "max-age=86400, enforce" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||||
|
proxy_hide_header Expect-CT;
|
||||||
proxy_hide_header Strict-Transport-Security;
|
proxy_hide_header Strict-Transport-Security;
|
||||||
|
|
|
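Review bot: `add_header Expect-CT "max-age=86400, enforce" always;` makes a browser that honours Expect-CT refuse the site for a day after any response whose certificate lacks acceptable SCTs, and the header has since been deprecated (Chrome, its main implementer, removed support in 2022 and enforces CT unconditionally), so it adds an outage mode without a matching benefit. If it stays, a comment stating which certificate source guarantees embedded SCTs (presumably the Let's Encrypt certificates distributed via certsync, to be confirmed) would document the assumption. The HSTS line still has no `includeSubDomains`, which is a choice rather than a defect but is worth one comment line so it is not read as an oversight.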
@ -1,7 +1,7 @@
|
||||||
add_header Referrer-Policy same-origin;
|
add_header Referrer-Policy same-origin always;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff always;
|
||||||
add_header X-Frame-Options sameorigin;
|
add_header X-Frame-Options sameorigin always;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
proxy_hide_header Referrer-Policy;
|
proxy_hide_header Referrer-Policy;
|
||||||
proxy_hide_header X-Content-Type-Options;
|
proxy_hide_header X-Content-Type-Options;
|
||||||
proxy_hide_header X-Frame-Options;
|
proxy_hide_header X-Frame-Options;
|
||||||
|
|
|
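Review bot: The snippet hides the upstream's Referrer-Policy, X-Content-Type-Options and X-Frame-Options before adding its own, but there is no matching `proxy_hide_header X-XSS-Protection;`, so a backend that sets X-XSS-Protection itself is passed through and the response carries two copies of that header, one from upstream and one from the `add_header` above. Adding `proxy_hide_header X-XSS-Protection;` after the X-Frame-Options line keeps all four headers under the same single-source rule. Separately, `X-XSS-Protection "1; mode=block"` is a legacy header whose filter has been removed from current browsers, and current guidance is `0` (or dropping the header) because the old auditor had issues of its own; this is pre-existing, so it only needs a decision and a comment, not a change in this commit.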
@ -3,3 +3,8 @@
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
|
- name: restart nginx
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: restarted
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: install nginx
|
- name: install nginx
|
||||||
apt:
|
apt:
|
||||||
name: "{{ nginx_package }}"
|
name: "{{ nginx_packages }}"
|
||||||
cache_valid_time: 86400
|
cache_valid_time: 86400
|
||||||
|
|
||||||
- name: create directories
|
- name: create directories
|
||||||
|
@ -19,13 +19,20 @@
|
||||||
|
|
||||||
- name: copy snippets
|
- name: copy snippets
|
||||||
copy:
|
copy:
|
||||||
src: snippets/
|
src: snippets
|
||||||
dest: /etc/nginx/snippets/
|
dest: /etc/nginx/
|
||||||
|
|
||||||
|
- name: copy openssl.cnf
|
||||||
|
copy:
|
||||||
|
src: openssl.cnf
|
||||||
|
dest: /etc/ssl/
|
||||||
|
backup: yes
|
||||||
|
notify: restart nginx
|
||||||
|
|
||||||
- name: template nginx.conf
|
- name: template nginx.conf
|
||||||
template:
|
template:
|
||||||
src: nginx.conf.j2
|
src: nginx.conf
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/
|
||||||
backup: yes
|
backup: yes
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
|
|
||||||
|
|
|
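Review bot: `copy: src: openssl.cnf dest: /etc/ssl/` installs the role's file as `/etc/ssl/openssl.cnf`, the system-wide OpenSSL configuration, so the ten-line role file replaces whatever the distribution ships there and changes TLS defaults for every OpenSSL consumer on the host (curl, Python, mail and monitoring agents), not just nginx; `backup: yes` keeps a timestamped copy, but the role re-overwrites the file on every run. If the goal is only TLS 1.3 suites for nginx, a narrower shape is to install the file under a role-specific name (constructed example: `/etc/ssl/openssl-nginx.cnf`) and point nginx at it with `OPENSSL_CONF=<that path>` in the service environment via a systemd drop-in, or, where the installed nginx is 1.19.4 or newer, to set `ssl_conf_command Ciphersuites ...;` in nginx.conf and drop the file altogether. Either way this task should carry a comment saying the file is system-wide and intentionally replaces the distro defaults. The task list continues beyond this hunk.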
@ -34,11 +34,13 @@ http {
|
||||||
# SSL Settings
|
# SSL Settings
|
||||||
##
|
##
|
||||||
|
|
||||||
ssl_protocols TLSv1.2;
|
ssl_protocols {{ nginx_tls_versions }};
|
||||||
|
ssl_ciphers {{ nginx_ciphers }};
|
||||||
|
ssl_ecdh_curve {{ nginx_curves }};
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1;
|
ssl_session_cache shared:SSL:10M;
|
||||||
ssl_session_cache shared:SSL:1M;
|
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
|
ssl_session_tickets off;
|
||||||
{% if nginx_resolver is defined %}
|
{% if nginx_resolver is defined %}
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
|
@ -57,7 +59,6 @@ http {
|
||||||
##
|
##
|
||||||
|
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_disable "msie6";
|
|
||||||
|
|
||||||
# gzip_vary on;
|
# gzip_vary on;
|
||||||
# gzip_proxied any;
|
# gzip_proxied any;
|
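Review bot: `ssl_protocols {{ nginx_tls_versions }};` renders `TLSv1.2 TLSv1.3` from the new default, but whether TLS 1.3 is actually offered depends on the installed build (nginx 1.13.0 or newer linked against OpenSSL 1.1.1 or newer); on an older distro build the token is accepted and, to my understanding, simply has no effect, so the rendered config gives no signal that the policy is weaker than it reads. A comment above the line, `# TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1 (check: nginx -V)`, plus a role task that asserts the installed version before templating, would make the assumption explicit. `ssl_session_cache shared:SSL:10M` together with `ssl_session_tickets off` is a sound pairing, and a one-line note that tickets are off so resumption never outlives the cache lifetime would help the next reader. The `http {` block starts and ends outside this hunk.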