roles/nginx: Add blank vhost

For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.

If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
Alan Orth 2015-06-04 23:30:06 +03:00
parent 8b77fd7f94
commit 151fb29687
3 changed files with 46 additions and 3 deletions

View File

@ -37,6 +37,11 @@
when: nginx_tls_vhosts is defined
tags: nginx
- name: Configure blank nginx vhost
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
notify:
- reload nginx
- name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
notify:

View File

@ -15,9 +15,11 @@
notify:
- reload nginx
#- name: Generate self-signed TLS cert
# command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=KE/ST=Nairobi/L=Nairobi/O=/CN={{ item.nginx_domain_name }}" -newkey rsa:2048 -keyout {{ item.nginx_domain_name }}.key -out {{ item.nginx_domain_name }}.crt -extensions v3_ca creates={{ tls_key_dir }}/{{ item.nginx_domain_name }}.crt.pem
#
- name: Generate self-signed TLS cert
command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- reload nginx
- name: Generate 2048-bit dhparam
command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
notify:

View File

@ -0,0 +1,36 @@
# default blank vhost
#
# clients asking for "example.com" should only get a response if we have
# a vhost serving that domain.
server {
listen 80 default;
{% if nginx_tls_vhosts is defined %}
listen 443 ssl spdy default;
{% endif %}
server_name _;
{% if nginx_tls_vhosts is defined %}
# "snakeoil" certificate (self signed!)
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }};
ssl_buffer_size {{ nginx_ssl_buffer_size }};
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% endif %}
return 403;
}