2015-12-09 22:29:33 +01:00
|
|
|
{# helper variables and per-site defaults that we can't set in role defaults #}
|
2015-12-09 23:25:44 +01:00
|
|
|
{% set domain_name = item.domain_name %}
|
2015-09-26 23:24:58 +02:00
|
|
|
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
|
2015-12-09 23:25:44 +01:00
|
|
|
{% set enable_hsts = item.enable_hsts | default("no") %}
|
2016-06-27 18:07:48 +02:00
|
|
|
|
2016-06-27 22:52:39 +02:00
|
|
|
{# first, check if the current vhost has a custom cert (perhaps self-signed) #}
|
2016-07-05 18:42:26 +02:00
|
|
|
{% if item.tls_certificate_path is defined and item.tls_key_path is defined %}
|
2014-09-06 20:32:37 +02:00
|
|
|
|
2014-09-13 22:16:54 +02:00
|
|
|
# concatenated key + cert
|
|
|
|
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
2016-06-27 18:07:48 +02:00
|
|
|
ssl_certificate {{ item.tls_certificate_path }};
|
|
|
|
ssl_certificate_key {{ item.tls_key_path }};
|
|
|
|
|
2016-06-27 22:52:39 +02:00
|
|
|
{# otherwise, assume host is using letsencrypt #}
|
2015-12-08 16:18:21 +01:00
|
|
|
{% else %}
|
2016-06-27 18:07:48 +02:00
|
|
|
|
2016-06-27 22:52:39 +02:00
|
|
|
# concatenated key + cert
|
|
|
|
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
|
|
|
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
|
|
|
|
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
|
2016-06-27 18:07:48 +02:00
|
|
|
|
2015-12-08 16:18:21 +01:00
|
|
|
{% endif %}
|
2014-09-06 20:32:37 +02:00
|
|
|
|
2015-06-04 22:28:31 +02:00
|
|
|
ssl_session_timeout {{ nginx_ssl_session_timeout }};
|
|
|
|
ssl_session_cache {{ nginx_ssl_session_cache }};
|
|
|
|
ssl_buffer_size {{ nginx_ssl_buffer_size }};
|
2014-12-06 20:17:52 +01:00
|
|
|
|
2015-06-04 22:28:31 +02:00
|
|
|
ssl_dhparam {{ nginx_ssl_dhparam }};
|
|
|
|
ssl_protocols {{ nginx_ssl_protocols }};
|
2014-09-06 20:32:37 +02:00
|
|
|
ssl_ciphers "{{ tls_cipher_suite }}";
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
2015-12-08 16:18:21 +01:00
|
|
|
{# OSCP stapling only works with real certs #}
|
2016-06-27 18:07:48 +02:00
|
|
|
{% if use_letsencrypt == "yes" or item.tls_certificate_path %}
|
2014-12-06 21:21:46 +01:00
|
|
|
# OCSP stapling...
|
|
|
|
ssl_stapling on;
|
|
|
|
ssl_stapling_verify on;
|
2015-11-30 16:40:32 +01:00
|
|
|
{% if linode_id is defined %}
|
|
|
|
# use Linode internal DNS
|
2016-06-27 17:40:25 +02:00
|
|
|
resolver 139.162.139.5 139.162.130.5 [2a01:7e01::5] [2a01:7e01::6];
|
2015-11-30 16:40:32 +01:00
|
|
|
{% else %}
|
2016-04-25 12:24:49 +02:00
|
|
|
resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8844] [2001:4860:4860::8888];
|
2015-12-08 16:18:21 +01:00
|
|
|
{% endif %} {# end: linode_id #}
|
2016-06-27 18:07:48 +02:00
|
|
|
{% endif %} {# end: use_letsencrypt #}
|
2014-12-06 21:21:46 +01:00
|
|
|
|
2014-12-06 20:37:00 +01:00
|
|
|
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
|
|
|
|
# when a restart is performed the previous key is lost, which resets all previous
|
|
|
|
# sessions. The fix for this is to setup a manual rotation mechanism:
|
|
|
|
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
|
|
|
|
#
|
|
|
|
# Note that you'll have to define and rotate the keys securely by yourself. In absence
|
|
|
|
# of such infrastructure, consider turning off session tickets:
|
|
|
|
ssl_session_tickets off;
|
|
|
|
|
2015-09-26 23:24:58 +02:00
|
|
|
{% if enable_hsts == "yes" %}
|
2014-09-06 20:32:37 +02:00
|
|
|
# Enable this if you want HSTS (recommended, but be careful)
|
2015-05-20 14:56:19 +02:00
|
|
|
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
|
|
|
# See: https://hstspreload.appspot.com/
|
2016-03-31 12:34:05 +02:00
|
|
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
2015-06-04 22:28:31 +02:00
|
|
|
{% endif %}
|