146 Commits

Author SHA1 Message Date
roles/nginx: Correct HSTS header in https template
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.

See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 10:20:55 +03:00
roles/nginx: Switch nginx OCSP resolver to OpenDNS
We don't need to give Google EVERYTHING.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:06:22 +03:00
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-11 13:51:48 +03:00
roles/nginx: Move some common fastcgi settings out of vhost template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-10 11:59:43 +03:00
roles/nginx: Don't cache 404 errors in munin config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:32:09 +03:00
roles/nginx: Re-order $request_method in fastcgi_cache_key
Everyone else on the Internet has it this way, so why not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:18:02 +03:00
53d2c85bf0 roles/nginx: Adjust fastcgi_cache_valid
Only cache 200, 301, and 302 requests!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:23:48 +03:00
roles/nginx: Set gzip_comp_level to 6
Seems to be the sweet spot, as gzip itself defaults to this.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:21:34 +03:00
roles/nginx: Add $request_method to nginx fastcgi_cache_key
nginx is caching HEAD requests, then when users come along and do
a GET request they get an HTTP 200 with no request body. It seems
setting fastcgi_request_methods to GET doesn't stop nginx from caching
HEADs, so for now just add the $request_method to the key.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:19:34 +03:00
roles/nginx: Add task to clone WordPress git
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:39:17 +03:00
roles/nginx: Don't send OCSP responses for hosts using self-signed certs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:38:30 +03:00
roles/nginx: Add protection for PHP scripts in uploads directory
By the way, :? starts a non-capturing group (ie, don't save the
back references).

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:05:50 +03:00
roles/nginx: Update location regex for PHP scripts
Just use the same one as the Nginx wiki and some other resources.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:40:38 +03:00
roles/nginx: Create fastcgi cache dir
Or else nginx doesn't start.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-19 18:49:39 +03:00
roles/nginx: Add fastcgi caching
Bypasses caching for logged in users (right now only for sessions
where the "wordpress_logged_in" cookie is set. Doubles the trans-
actions per second as measured by siege:

    $ siege -d1 -t1M -c50 https://mjanja.ch

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-10 23:04:28 +03:00
roles/nginx: Add HTTP headers for web application security
See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 13:05:42 +03:00
roles/nginx: Add a second OCSP stapling responder
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:44:27 +03:00
roles/nginx: Always set HSTS header
nginx 1.7.5 allows us to always set HTTP headers:

See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:40:48 +03:00
roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-23 12:26:24 +03:00
6ccfdb99fa roles/nginx: Enable OCSP stapling
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5.

Seems to be working, test with:

    $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status

Look for "OCSP Response" with "Cert Status: good".

[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 23:28:05 +03:00
roles/nginx: Enable SPDY header compression
Recommended by Ilya Grigorik to be set to 6.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:40:39 +03:00
roles/nginx: Disable SSL session tickets
Session tickets increase performance, but decrease security, so
let's just turn them off.  See the following posts:

- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:37:00 +03:00
roles/nginx: Set nginx SSL session timeout to 24 hours
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly.  Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:19:12 +03:00
roles/nginx: Format and add comments to nginx https config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:17:52 +03:00
be6c76a2af roles/nginx: Set nginx SSL buffer size to 1400
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU.  nginx default is 16k!


Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:16:07 +03:00
roles/nginx: Set nginx state to 'latest' in apt
This way we can upgrade nginx simply by running the nginx tags.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-02 18:48:11 +03:00
roles/nginx: Switch to nginx mainline (1.7)
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 01:02:44 +03:00
roles/nginx: Add comment about try_files for serving static files from disk
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:41:07 +03:00
roles/nginx: Adjust Cache-Control headers
Use "public" with "max-age" instead of Expires, as "max-age" is always
preferred if it's present.  Note: setting "public" doesn't make the
resource "more cacheable", but it is just more explicit.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:29:53 +03:00
08a920d0cb Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file"
This reverts commit 59b9bd70b8055d4274044bef4f9aef6d41367144.

Might not be so ingenious.  Can't get this to work anymore...
2014-10-27 21:16:43 +03:00
59b9bd70b8 roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file
This is kinda crazy, but makes the host_vars much easier to read.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:42:44 +03:00
roles/nginx: Add expires to static files
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-10 11:05:42 +03:00
Downgrade TLS configuration to Mozilla's "intermediate" spec
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...


Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
roles/nginx: Update TLS vhost task for Ansible > 1.7.1
Seems there is some YAML sublety that causes this syntax to insert
double spaces on the destination file... using native YAML hashes
are a workaround, see GitHub issues:


Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:57:24 +03:00
Update TLS configuration to Mozilla's "modern" spec
Details, see:

- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:56:08 +03:00
roles/nginx: Use HSTS for https vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-06 10:46:04 +03:00
roles/nginx: Add index to munin vhost
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:47:14 +03:00
roles/nginx: Update nginx https stuff
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-13 23:16:54 +03:00
roles/nginx: Tweaks for vhosts with WordPress
My WordPress blogs have a /wordpress subdirectory in the document
root, but I don't serve from the /wordpress URI.

Technically, all we need is the tweaks to the try_files:
    - `?args` passes query strings to php5-fpm
    - removing 404 from the vhost's try_files so we don't return 404
    when the requested file doesn't exist (obviously not all request
    URI's in WordPress are actual files on the disk)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 22:51:34 +03:00
roles/nginx: Re-work vhost template to support HTTPS
Assumes you have a TLS cert for one domain, but not the others, ie:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 21:32:37 +03:00
roles/nginx: Add index to vhost config
Without this, all requests to directory URIs throw 403 errors due
to directory listings not being allowed.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 12:27:24 +03:00
roles/nginx: Per-vhost logs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:26:12 +03:00
roles/nginx: Use template to configure nginx vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:03:34 +03:00
roles/nginx: Add defaults for nginx role
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:02:29 +03:00
roles/nginx: Add vim modeline to main.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:00:42 +03:00
Initial commit
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-17 00:35:57 +03:00