ansible-personal/roles/nginx/templates/https.j2

{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name       = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to True #}
{% set enable_hsts       = item.enable_hsts | default(False) %}

    {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
    {% if item.tls_certificate_path is defined and item.tls_key_path is defined %}

    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
    ssl_certificate {{ item.tls_certificate_path }};
    ssl_certificate_key {{ item.tls_key_path }};

    {# otherwise, assume host is using letsencrypt #}
    {% else %}

    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
    ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;
    ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;

    {% endif %}

    ssl_session_timeout {{ nginx_ssl_session_timeout }};
    ssl_session_cache {{ nginx_ssl_session_cache }};
    ssl_buffer_size {{ nginx_ssl_buffer_size }};

    ssl_dhparam {{ nginx_ssl_dhparam }};
    ssl_protocols {{ nginx_ssl_protocols }};
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

    {# OSCP stapling only works with real certs #}
    {% if use_letsencrypt == True or item.tls_certificate_path %}
    # OCSP stapling...
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver {{ nginx_ssl_stapling_resolver }};
    {% endif %} {# end: use_letsencrypt #}

    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous
    # sessions. The fix for this is to setup a manual rotation mechanism:
    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
    #
    # Note that you'll have to define and rotate the keys securely by yourself. In absence
    # of such infrastructure, consider turning off session tickets:
    ssl_session_tickets off;

    {% if enable_hsts == True %}
    # Enable this if you want HSTS (recommended, but be careful)
    # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
    # See: https://hstspreload.appspot.com/
    add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
    {% endif %}
roles/nginx: Add comments about defaults in templates It would be bettwe to set these defaults in the role's defaults, but we can't because they exist in dicts for each of the host's sites. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-09 23:29:33 +02:00			`{# helper variables and per-site defaults that we can't set in role defaults #}`
Rename nginx_* variables underneath nginx_vhosts It's just deduplication, since it's already obvious that the dict is for nginx-related vars: - nginx_domain_name→domain_name - nginx_domain_aliases→domain_aliases - nginx_enable_https→enable_https - nginx_enable_hsts→enable_hsts Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-10 00:25:44 +02:00			`{% set domain_name = item.domain_name %}`
roles/nginx: Use explicity booleans for tests instead of "yes" and "no" Better to be explict with booleans rather than being confused when you mix up yes and "yes" with Ansible/Python testing of conditionals. 2016-08-17 12:55:14 +03:00			`{# assume HSTS is off unless a vhost explicitly sets it to True #}`
			`{% set enable_hsts = item.enable_hsts \| default(False) %}`
roles/nginx: Allow usage of Let's Encrypt certs Hosts can specify use_letsencrypt: 'yes' in their host_vars. For now this assumes that the certificates already exist (ie, you have to manually run Let's Encrypt first to register/create the certs). 2016-06-27 19:07:48 +03:00
roles/nginx: Rework Let's Encrypt stuff Take an opinionated stance on HTTPS and assume that hosts are using HTTPS for all vhosts. This can either be via custom TLS cert/key pairs defined in the host's variables (could even be self-signed certificates on dev boxes) or via Let's Encrypt. 2016-06-27 23:52:39 +03:00			`{# first, check if the current vhost has a custom cert (perhaps self-signed) #}`
roles/nginx: Fix variable check in HTTPS template Don't assume the variables for TLS certs exist. 2016-07-05 19:42:26 +03:00			`{% if item.tls_certificate_path is defined and item.tls_key_path is defined %}`
roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-06 21:32:37 +03:00
roles/nginx: Update nginx https stuff - re-organize tls vhost configuration - copy TLS cert from host_vars directly to file Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-13 23:16:54 +03:00			`# concatenated key + cert`
			`# See: http://nginx.org/en/docs/http/configuring_https_servers.html`
roles/nginx: Allow usage of Let's Encrypt certs Hosts can specify use_letsencrypt: 'yes' in their host_vars. For now this assumes that the certificates already exist (ie, you have to manually run Let's Encrypt first to register/create the certs). 2016-06-27 19:07:48 +03:00			`ssl_certificate {{ item.tls_certificate_path }};`
			`ssl_certificate_key {{ item.tls_key_path }};`

roles/nginx: Rework Let's Encrypt stuff Take an opinionated stance on HTTPS and assume that hosts are using HTTPS for all vhosts. This can either be via custom TLS cert/key pairs defined in the host's variables (could even be self-signed certificates on dev boxes) or via Let's Encrypt. 2016-06-27 23:52:39 +03:00			`{# otherwise, assume host is using letsencrypt #}`
roles/nginx: Allow using self-signed TLS certs with dev hosts Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev hosts where we don't have real domains or real certs. But everything should have TLS. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-08 17:18:21 +02:00			`{% else %}`
roles/nginx: Allow usage of Let's Encrypt certs Hosts can specify use_letsencrypt: 'yes' in their host_vars. For now this assumes that the certificates already exist (ie, you have to manually run Let's Encrypt first to register/create the certs). 2016-06-27 19:07:48 +03:00
roles/nginx: Rework Let's Encrypt stuff Take an opinionated stance on HTTPS and assume that hosts are using HTTPS for all vhosts. This can either be via custom TLS cert/key pairs defined in the host's variables (could even be self-signed certificates on dev boxes) or via Let's Encrypt. 2016-06-27 23:52:39 +03:00			`# concatenated key + cert`
			`# See: http://nginx.org/en/docs/http/configuring_https_servers.html`
roles/nginx: Switch to acme.sh for Let's Encrypt The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known. 2021-03-19 23:39:30 +02:00			`ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;`
			`ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;`
roles/nginx: Allow usage of Let's Encrypt certs Hosts can specify use_letsencrypt: 'yes' in their host_vars. For now this assumes that the certificates already exist (ie, you have to manually run Let's Encrypt first to register/create the certs). 2016-06-27 19:07:48 +03:00
roles/nginx: Allow using self-signed TLS certs with dev hosts Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev hosts where we don't have real domains or real certs. But everything should have TLS. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-08 17:18:21 +02:00			`{% endif %}`
roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-06 21:32:37 +03:00
roles/nginx: Templatize SSL parameters using role defaults Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 23:28:31 +03:00			`ssl_session_timeout {{ nginx_ssl_session_timeout }};`
			`ssl_session_cache {{ nginx_ssl_session_cache }};`
			`ssl_buffer_size {{ nginx_ssl_buffer_size }};`
roles/nginx: Format and add comments to nginx https config Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-12-06 22:17:52 +03:00
roles/nginx: Templatize SSL parameters using role defaults Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 23:28:31 +03:00			`ssl_dhparam {{ nginx_ssl_dhparam }};`
			`ssl_protocols {{ nginx_ssl_protocols }};`
roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-06 21:32:37 +03:00			`ssl_ciphers "{{ tls_cipher_suite }}";`
			`ssl_prefer_server_ciphers on;`

roles/nginx: Allow using self-signed TLS certs with dev hosts Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev hosts where we don't have real domains or real certs. But everything should have TLS. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-08 17:18:21 +02:00			`{# OSCP stapling only works with real certs #}`
roles/nginx: use boolean for use_letsencrypt instead of string "yes" This is very confusing when you forget about how Ansible/Python is testing conditionals. Let's use actual booleans so it's more clear. 2016-08-17 12:42:48 +03:00			`{% if use_letsencrypt == True or item.tls_certificate_path %}`
roles/nginx: Enable OCSP stapling Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-12-06 23:21:46 +03:00			`# OCSP stapling...`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
roles/nginx: Allow custom resolvers for TLS stapling Allows to specify custom DNS resolvers for TLS stapling, with a default of Cloudflare's public DNS servers. 2018-04-30 18:04:17 +03:00			`resolver {{ nginx_ssl_stapling_resolver }};`
roles/nginx: Allow usage of Let's Encrypt certs Hosts can specify use_letsencrypt: 'yes' in their host_vars. For now this assumes that the certificates already exist (ie, you have to manually run Let's Encrypt first to register/create the certs). 2016-06-27 19:07:48 +03:00			`{% endif %} {# end: use_letsencrypt #}`
roles/nginx: Enable OCSP stapling Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-12-06 23:21:46 +03:00
roles/nginx: Disable SSL session tickets Session tickets increase performance, but decrease security, so let's just turn them off. See the following posts: - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ - https://www.imperialviolet.org/2013/06/27/botchingpfs.html - https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-12-06 22:37:00 +03:00			`# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and`
			`# when a restart is performed the previous key is lost, which resets all previous`
			`# sessions. The fix for this is to setup a manual rotation mechanism:`
			`# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx`
			`#`
			`# Note that you'll have to define and rotate the keys securely by yourself. In absence`
			`# of such infrastructure, consider turning off session tickets:`
			`ssl_session_tickets off;`

roles/nginx: Use explicity booleans for tests instead of "yes" and "no" Better to be explict with booleans rather than being confused when you mix up yes and "yes" with Ansible/Python testing of conditionals. 2016-08-17 12:55:14 +03:00			`{% if enable_hsts == True %}`
roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-06 21:32:37 +03:00			`# Enable this if you want HSTS (recommended, but be careful)`
roles/nginx: Adjust HSTS headers for https block of vhost template I was only setting it on the PHP block, which is for all dynamic requests (ie pages from WordPress), but it should also be the same for all static files not served from that block. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-05-20 15:56:19 +03:00			`# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store`
			`# See: https://hstspreload.appspot.com/`
roles/nginx: Parameterize HSTS header This parameterizes the HTTP Strict Transport Security header so we can use it consistently across all templates. Also, it updates the max-age to be ~1 year in seconds, which is recommended by Google. See: https://hstspreload.org/ 2021-03-23 15:36:28 +02:00			`add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;`
roles/nginx: Templatize SSL parameters using role defaults Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 23:28:31 +03:00			`{% endif %}`