roles/nginx: Add blank vhost

For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.

If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.

Signed-off-by: Alan Orth <alan.orth@gmail.com>

roles/nginx/templates/blank-vhost.conf.j2

@@ -0,0 +1,36 @@
+# default blank vhost
+#
+# clients asking for "example.com" should only get a response if we have
+# a vhost serving that domain.
+server {
+    listen 80 default;
+    {% if nginx_tls_vhosts is defined %}
+    listen 443 ssl spdy default;
+    {% endif %}
+    server_name _;
+
+    {% if nginx_tls_vhosts is defined %}
+    # "snakeoil" certificate (self signed!)
+    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
+    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
+
+    ssl_session_timeout {{ nginx_ssl_session_timeout }};
+    ssl_session_cache {{ nginx_ssl_session_cache }};
+    ssl_buffer_size {{ nginx_ssl_buffer_size }};
+    ssl_dhparam {{ nginx_ssl_dhparam }};
+    ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_ciphers "{{ tls_cipher_suite }}";
+    ssl_prefer_server_ciphers on;
+
+    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
+    # when a restart is performed the previous key is lost, which resets all previous
+    # sessions. The fix for this is to setup a manual rotation mechanism:
+    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
+    #
+    # Note that you'll have to define and rotate the keys securely by yourself. In absence
+    # of such infrastructure, consider turning off session tickets:
+    ssl_session_tickets off;
+    {% endif %}
+
+    return 403;
+}