roles/nginx: Add blank vhost
For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
parent
8b77fd7f94
commit
151fb29687
@ -37,6 +37,11 @@
|
|||||||
when: nginx_tls_vhosts is defined
|
when: nginx_tls_vhosts is defined
|
||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
|
- name: Configure blank nginx vhost
|
||||||
|
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
|
||||||
|
notify:
|
||||||
|
- reload nginx
|
||||||
|
|
||||||
- name: Configure munin vhost
|
- name: Configure munin vhost
|
||||||
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
|
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
|
||||||
notify:
|
notify:
|
||||||
|
@ -15,9 +15,11 @@
|
|||||||
notify:
|
notify:
|
||||||
- reload nginx
|
- reload nginx
|
||||||
|
|
||||||
#- name: Generate self-signed TLS cert
|
- name: Generate self-signed TLS cert
|
||||||
# command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=KE/ST=Nairobi/L=Nairobi/O=/CN={{ item.nginx_domain_name }}" -newkey rsa:2048 -keyout {{ item.nginx_domain_name }}.key -out {{ item.nginx_domain_name }}.crt -extensions v3_ca creates={{ tls_key_dir }}/{{ item.nginx_domain_name }}.crt.pem
|
command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
|
||||||
#
|
notify:
|
||||||
|
- reload nginx
|
||||||
|
|
||||||
- name: Generate 2048-bit dhparam
|
- name: Generate 2048-bit dhparam
|
||||||
command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
|
command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
|
||||||
notify:
|
notify:
|
||||||
|
36
roles/nginx/templates/blank-vhost.conf.j2
Normal file
36
roles/nginx/templates/blank-vhost.conf.j2
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
# default blank vhost
|
||||||
|
#
|
||||||
|
# clients asking for "example.com" should only get a response if we have
|
||||||
|
# a vhost serving that domain.
|
||||||
|
server {
|
||||||
|
listen 80 default;
|
||||||
|
{% if nginx_tls_vhosts is defined %}
|
||||||
|
listen 443 ssl spdy default;
|
||||||
|
{% endif %}
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
{% if nginx_tls_vhosts is defined %}
|
||||||
|
# "snakeoil" certificate (self signed!)
|
||||||
|
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
|
||||||
|
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
|
||||||
|
|
||||||
|
ssl_session_timeout {{ nginx_ssl_session_timeout }};
|
||||||
|
ssl_session_cache {{ nginx_ssl_session_cache }};
|
||||||
|
ssl_buffer_size {{ nginx_ssl_buffer_size }};
|
||||||
|
ssl_dhparam {{ nginx_ssl_dhparam }};
|
||||||
|
ssl_protocols {{ nginx_ssl_protocols }};
|
||||||
|
ssl_ciphers "{{ tls_cipher_suite }}";
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
|
||||||
|
# when a restart is performed the previous key is lost, which resets all previous
|
||||||
|
# sessions. The fix for this is to setup a manual rotation mechanism:
|
||||||
|
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
|
||||||
|
#
|
||||||
|
# Note that you'll have to define and rotate the keys securely by yourself. In absence
|
||||||
|
# of such infrastructure, consider turning off session tickets:
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
return 403;
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user