ansible-personal/roles/nginx/templates/blank-vhost.conf.j2

# default blank vhost
#
# clients asking for "example.com" should only get a response if we have
# a vhost serving that domain.
server {
    listen 80 default;
    {% if nginx_tls_vhosts is defined %}
    listen 443 ssl spdy default;
    {% endif %}
    server_name _;

    {% if nginx_tls_vhosts is defined %}
    # "snakeoil" certificate (self signed!)
    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;

    ssl_session_timeout {{ nginx_ssl_session_timeout }};
    ssl_session_cache {{ nginx_ssl_session_cache }};
    ssl_buffer_size {{ nginx_ssl_buffer_size }};
    ssl_dhparam {{ nginx_ssl_dhparam }};
    ssl_protocols {{ nginx_ssl_protocols }};
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous
    # sessions. The fix for this is to setup a manual rotation mechanism:
    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
    #
    # Note that you'll have to define and rotate the keys securely by yourself. In absence
    # of such infrastructure, consider turning off session tickets:
    ssl_session_tickets off;
    {% endif %}

    return 403;
}
roles/nginx: Add blank vhost For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 22:30:06 +02:00			`# default blank vhost`
			`#`
			`# clients asking for "example.com" should only get a response if we have`
			`# a vhost serving that domain.`
			`server {`
			`listen 80 default;`
			`{% if nginx_tls_vhosts is defined %}`
			`listen 443 ssl spdy default;`
			`{% endif %}`
			`server_name _;`

			`{% if nginx_tls_vhosts is defined %}`
			`# "snakeoil" certificate (self signed!)`
			`ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;`
			`ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;`

			`ssl_session_timeout {{ nginx_ssl_session_timeout }};`
			`ssl_session_cache {{ nginx_ssl_session_cache }};`
			`ssl_buffer_size {{ nginx_ssl_buffer_size }};`
			`ssl_dhparam {{ nginx_ssl_dhparam }};`
			`ssl_protocols {{ nginx_ssl_protocols }};`
			`ssl_ciphers "{{ tls_cipher_suite }}";`
			`ssl_prefer_server_ciphers on;`

			`# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and`
			`# when a restart is performed the previous key is lost, which resets all previous`
			`# sessions. The fix for this is to setup a manual rotation mechanism:`
			`# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx`
			`#`
			`# Note that you'll have to define and rotate the keys securely by yourself. In absence`
			`# of such infrastructure, consider turning off session tickets:`
			`ssl_session_tickets off;`
			`{% endif %}`

			`return 403;`
			`}`