roles/nginx: Add blank vhost

For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-04 23:30:06 +03:00 · 2015-06-04 23:30:06 +03:00 · 151fb29687
parent 8b77fd7f94
commit 151fb29687
3 changed files with 46 additions and 3 deletions
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -37,6 +37,11 @@
  when: nginx_tls_vhosts is defined
  tags: nginx

+- name: Configure blank nginx vhost
+  template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf  mode=0644 owner=root group=root
+  notify:
+    - reload nginx
+
 - name: Configure munin vhost
  copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
  notify:
--- a/roles/nginx/tasks/tls_vhosts.yml
+++ b/roles/nginx/tasks/tls_vhosts.yml
@ -15,9 +15,11 @@
  notify:
    - reload nginx

-#- name: Generate self-signed TLS cert
-#  command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=KE/ST=Nairobi/L=Nairobi/O=/CN={{ item.nginx_domain_name }}" -newkey rsa:2048 -keyout {{ item.nginx_domain_name }}.key -out {{ item.nginx_domain_name }}.crt -extensions v3_ca creates={{ tls_key_dir }}/{{ item.nginx_domain_name }}.crt.pem
-#
+- name: Generate self-signed TLS cert
+  command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
+  notify:
+    - reload nginx
+
 - name: Generate 2048-bit dhparam
  command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
  notify:
--- a/roles/nginx/templates/blank-vhost.conf.j2
+++ b/roles/nginx/templates/blank-vhost.conf.j2
@ -0,0 +1,36 @@
+# default blank vhost
+#
+# clients asking for "example.com" should only get a response if we have
+# a vhost serving that domain.
+server {
+    listen 80 default;
+    {% if nginx_tls_vhosts is defined %}
+    listen 443 ssl spdy default;
+    {% endif %}
+    server_name _;
+
+    {% if nginx_tls_vhosts is defined %}
+    # "snakeoil" certificate (self signed!)
+    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
+    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
+
+    ssl_session_timeout {{ nginx_ssl_session_timeout }};
+    ssl_session_cache {{ nginx_ssl_session_cache }};
+    ssl_buffer_size {{ nginx_ssl_buffer_size }};
+    ssl_dhparam {{ nginx_ssl_dhparam }};
+    ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_ciphers "{{ tls_cipher_suite }}";
+    ssl_prefer_server_ciphers on;
+
+    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
+    # when a restart is performed the previous key is lost, which resets all previous
+    # sessions. The fix for this is to setup a manual rotation mechanism:
+    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
+    #
+    # Note that you'll have to define and rotate the keys securely by yourself. In absence
+    # of such infrastructure, consider turning off session tickets:
+    ssl_session_tickets off;
+    {% endif %}
+
+    return 403;
+}