2016-06-27 16:50:49 +02:00
|
|
|
# {{ ansible_managed }}
|
|
|
|
|
2015-06-04 22:30:06 +02:00
|
|
|
# default blank vhost
|
|
|
|
#
|
|
|
|
# clients asking for "example.com" should only get a response if we have
|
|
|
|
# a vhost serving that domain.
|
|
|
|
server {
|
2016-04-25 20:48:36 +02:00
|
|
|
listen 80 default_server;
|
|
|
|
listen [::]:80 default_server;
|
2015-12-09 23:14:47 +01:00
|
|
|
server_name _;
|
|
|
|
|
2016-04-25 20:45:21 +02:00
|
|
|
return 444;
|
2015-12-09 23:14:47 +01:00
|
|
|
}
|
|
|
|
server {
|
2016-04-25 20:48:36 +02:00
|
|
|
listen 443 ssl http2 default_server;
|
2016-04-25 20:49:41 +02:00
|
|
|
listen [::]:443 ssl http2 default_server;
|
2015-06-04 22:30:06 +02:00
|
|
|
server_name _;
|
|
|
|
|
|
|
|
# "snakeoil" certificate (self signed!)
|
|
|
|
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
|
|
|
|
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
|
|
|
|
|
|
|
|
ssl_session_timeout {{ nginx_ssl_session_timeout }};
|
|
|
|
ssl_session_cache {{ nginx_ssl_session_cache }};
|
|
|
|
ssl_buffer_size {{ nginx_ssl_buffer_size }};
|
|
|
|
ssl_dhparam {{ nginx_ssl_dhparam }};
|
|
|
|
ssl_protocols {{ nginx_ssl_protocols }};
|
|
|
|
ssl_ciphers "{{ tls_cipher_suite }}";
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
|
|
|
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
|
|
|
|
# when a restart is performed the previous key is lost, which resets all previous
|
|
|
|
# sessions. The fix for this is to setup a manual rotation mechanism:
|
|
|
|
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
|
|
|
|
#
|
|
|
|
# Note that you'll have to define and rotate the keys securely by yourself. In absence
|
|
|
|
# of such infrastructure, consider turning off session tickets:
|
|
|
|
ssl_session_tickets off;
|
|
|
|
|
2016-04-25 20:45:21 +02:00
|
|
|
return 444;
|
2015-06-04 22:30:06 +02:00
|
|
|
}
|