Update nginx role

host_vars/srv03

@@ -1,5 +1,6 @@
 certsync_host: srv01.hamburg.freifunk.net
 nginx_resolver: 80.252.105.162 80.252.105.194
+nginx_tls_versions: TLSv1.2
 updates_group: www-data
 updates_letsencrypt: srv01
 updates_owner: ffupdates

production

@@ -17,14 +17,14 @@ srv03
 #srv02
 
 [nginx]
-gw03-new ansible_host=gw03-new.hamburg.freifunk.net
+#gw03-new ansible_host=gw03-new.hamburg.freifunk.net
 
 [updates]
 srv01
 srv03
 
 [vms]
-gw03-new
+#gw03-new
 srv01
 #srv02
 srv03

roles/nginx/defaults/main.yml

@@ -1,6 +1,9 @@
 ---
 nginx_access_log: "off"
+nginx_ciphers: "ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM"
+nginx_curves: "X25519:secp521r1:secp384r1"
 nginx_error_log: "/dev/null error"
-nginx_package: nginx
+nginx_packages: [nginx]
+nginx_tls_versions: TLSv1.2 TLSv1.3
 nginx_worker_connections: 512
 nginx_worker_processes: auto

roles/nginx/files/openssl.cnf

@@ -0,0 +1,10 @@
+openssl_conf = default_conf
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

roles/nginx/files/snippets/header-hsts.conf

@@ -1,2 +1,4 @@
-add_header Strict-Transport-Security "max-age=31536000";
+add_header Expect-CT "max-age=86400, enforce" always;
+add_header Strict-Transport-Security "max-age=31536000" always;
+proxy_hide_header Expect-CT;
 proxy_hide_header Strict-Transport-Security;

roles/nginx/files/snippets/header-security.conf

@@ -1,7 +1,7 @@
-add_header Referrer-Policy same-origin;
-add_header X-Content-Type-Options nosniff;
-add_header X-Frame-Options sameorigin;
-add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy same-origin always;
+add_header X-Content-Type-Options nosniff always;
+add_header X-Frame-Options sameorigin always;
+add_header X-XSS-Protection "1; mode=block" always;
 proxy_hide_header Referrer-Policy;
 proxy_hide_header X-Content-Type-Options;
 proxy_hide_header X-Frame-Options;

roles/nginx/handlers/main.yml

@@ -3,3 +3,8 @@
   service:
     name: nginx
     state: reloaded
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted

roles/nginx/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: install nginx
   apt:
-    name: "{{ nginx_package }}"
+    name: "{{ nginx_packages }}"
     cache_valid_time: 86400
 
 - name: create directories
@@ -19,13 +19,20 @@
 
 - name: copy snippets
   copy:
-    src: snippets/
-    dest: /etc/nginx/snippets/
+    src: snippets
+    dest: /etc/nginx/
+
+- name: copy openssl.cnf
+  copy:
+    src: openssl.cnf
+    dest: /etc/ssl/
+    backup: yes
+  notify: restart nginx
 
 - name: template nginx.conf
   template:
-    src: nginx.conf.j2
-    dest: /etc/nginx/nginx.conf
+    src: nginx.conf
+    dest: /etc/nginx/
     backup: yes
   notify: reload nginx
 

roles/nginx/templates/nginx.conf

@@ -34,11 +34,13 @@ http {
     # SSL Settings
     ##
 
-    ssl_protocols TLSv1.2;
+    ssl_protocols {{ nginx_tls_versions }};
+    ssl_ciphers {{ nginx_ciphers }};
+    ssl_ecdh_curve {{ nginx_curves }};
     ssl_prefer_server_ciphers on;
-    ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1;
-    ssl_session_cache shared:SSL:1M;
+    ssl_session_cache shared:SSL:10M;
     ssl_session_timeout 10m;
+    ssl_session_tickets off;
 {% if nginx_resolver is defined %}
     ssl_stapling on;
     ssl_stapling_verify on;
@@ -57,7 +59,6 @@ http {
     ##
 
     gzip on;
-    gzip_disable "msie6";
 
     # gzip_vary on;
     # gzip_proxied any;