alanorth
/
ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
141 Commits 2 Branches 0 Tags 4.5 MiB
Commit Graph

93 Commits

Author SHA1 Message Date
Alan Orth 2d6ce778df
roles/php5-fpm: Add templated php.ini 
Adds a default php.ini for php5-fpm from Ubuntu 14.04 which enables
sane settings for PHP 5.5's opcache as well as disables pathinfo.

Closes #9.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-05-05 11:27:13 +03:00
Alan Orth e675b750c4
roles/nginx: Switch to nginx stable branch 
Remove old mainline repo and add stable repo to get nginx 1.8.0.

See: http://nginx.org/en/CHANGES-1.8

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-04-23 14:52:22 +03:00
Alan Orth 4602f03bed
roles/nginx: Fix comment in main task 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-25 12:59:10 +03:00
Alan Orth bb55506464
roles/nginx: Use Linode DNS servers for OCSP resolvers 
I didn't realize Linode had DNS resolvers, but they are much closer
than anything else (obviously).

Here is OpenDNS:

    # mtr --report 208.67.222.222
    Start: Sun Mar 22 15:31:50 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router1-lon.linode.com     0.0%    10    0.5   0.9   0.5   3.4   0.7
      2.|-- 212.111.33.233             0.0%    10    1.4   1.4   1.2   1.9   0.0
      3.|-- 217.20.44.194              0.0%    10    0.7   0.8   0.7   1.2   0.0
      4.|-- lonap.rtr1.lon.opendns.co  0.0%    10    1.2   1.1   0.9   1.4   0.0
      5.|-- resolver1.opendns.com      0.0%    10    1.0   0.9   0.8   1.0   0.0

And here is Linode's:

    # mtr --report 109.74.192.20
    Start: Sun Mar 22 15:32:30 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router2-lon.linode.com     0.0%    10    0.5   0.6   0.5   0.8   0.0
      2.|-- resolver1.london.linode.c  0.0%    10    0.4   0.4   0.3   0.8   0.0

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-22 19:06:33 +03:00
Alan Orth ae8937eb96 roles/nginx: Just enable OCSP 
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-22 19:05:50 +03:00
Alan Orth 9ce7ac72f9
roles/nginx: Add extra-security headers to PHP block 
nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-19 09:32:06 +03:00
Alan Orth 934db06887 roles/nginx: Add HTTP Strict Transport Security headers to PHP block 
nginx blocks inherit headers set in blocks above them UNLESS the
current level also sets headers[0]. This was causing PHP requests
to not have STS headers because of the FastCGI cache header which
is set in that block.

[0] http://nginx.org/en/docs/http/ngx_http_headers_module.html

Fixes GitHub #7.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-19 09:30:26 +03:00
Alan Orth 04e453df51 Revert "roles/nginx: Correct HSTS header in https template" 
This reverts commit 5c7404d228.

'always' is legal in nginx >= 1.7.5:

If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.

See: http://nginx.org/en/docs/http/ngx_http_headers_module.html
 2015-03-18 18:33:19 +03:00
Alan Orth 5c7404d228
roles/nginx: Correct HSTS header in https template 
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.

See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-18 10:20:55 +03:00
Alan Orth 6422cb7507
roles/nginx: Switch nginx OCSP resolver to OpenDNS 
We don't need to give Google EVERYTHING.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-18 09:06:22 +03:00
Alan Orth a3d29a559b
roles/munin: Remove unused config file 
We are using a Jinja template instead.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-18 09:00:06 +03:00
Alan Orth 3a5b50f941
roles/common: Set I/O scheduler via udev 
All servers with non-rotating disks (SSDs) should be running noop,
and the rest should be running deadline.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-15 17:52:05 +03:00
Alan Orth 9fda345a24
roles/common: Fix one logic mistake in rc.local task 
I think it was originally supposed to be `ansible_os_family` but
we don't have anything other than Ubuntu, so let's just use that.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-15 17:43:21 +03:00
Alan Orth 2367b843d9
roles/common: Remove I/O scheduler logic from rc.local 
It's better to set this using udev rules anyways

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-15 17:40:54 +03:00
Alan Orth 4a1158e163
roles/common: Remove CentOS rclocal task 
No CentOS hosts here!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-15 17:40:07 +03:00
Alan Orth 891bd35171 roles/common: Move tags from subtask to main one 
Child tasks inherit the tag of the parent.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-15 17:34:13 +03:00
Alan Orth 4efb6edb7e
roles/common: Indent some yaml stuff in main.yml 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-15 17:31:29 +03:00
Alan Orth b70ae58f48
roles/common: Simplify `when` logic in main template 
Less syntax is more readable syntax.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-15 17:29:41 +03:00
Alan Orth 58222706ba
roles/common: Remove logic for TCP congestion avoidance on early kernels in sysctl 
We don't have anything near 2.6.32 anymore.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-15 17:25:33 +03:00
Alan Orth 60ba4dacbd
roles/common: Add TCP/IP tweaks to sysctl template 
Disable TCP slow start and increase the number of ports available
for client connections.

See: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
See: http://www.chromium.org/spdy/spdy-best-practices

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-15 17:23:10 +03:00
Alan Orth 942f45834f
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-11 13:51:48 +03:00
Alan Orth 3dcc5e1411
roles/nginx: Move some common fastcgi settings out of vhost template 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-10 11:59:43 +03:00
Alan Orth 2b02d94254
roles/nginx: Don't cache 404 errors in munin config 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-09 13:32:09 +03:00
Alan Orth 41f055306f
roles/nginx: Re-order $request_method in fastcgi_cache_key 
Everyone else on the Internet has it this way, so why not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-09 13:18:02 +03:00
Alan Orth 53d2c85bf0 roles/nginx: Adjust fastcgi_cache_valid 
Only cache 200, 301, and 302 requests!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-09 10:23:48 +03:00
Alan Orth 066bf6fa85
roles/nginx: Set gzip_comp_level to 6 
Seems to be the sweet spot, as gzip itself defaults to this.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-09 10:21:34 +03:00
Alan Orth bb92bd080d
roles/nginx: Add $request_method to nginx fastcgi_cache_key 
nginx is caching HEAD requests, then when users come along and do
a GET request they get an HTTP 200 with no request body. It seems
setting fastcgi_request_methods to GET doesn't stop nginx from caching
HEADs, so for now just add the $request_method to the key.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-09 10:19:34 +03:00
Alan Orth 1174db87bc
roles/nginx: Add task to clone WordPress git 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-26 17:39:17 +03:00
Alan Orth d08a37526f
roles/nginx: Don't send OCSP responses for hosts using self-signed certs 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-26 17:38:30 +03:00
Alan Orth cd65475d0d
roles/nginx: Add protection for PHP scripts in uploads directory 
By the way, :? starts a non-capturing group (ie, don't save the
back references).

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-26 17:05:50 +03:00
Alan Orth 19f5b60cb7
Remove references to provisioning.yml 
We aren't managing the provisioning user anymore, it is just assumed
to be there.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-26 16:53:48 +03:00
Alan Orth 29f7a76545
roles/nginx: Update location regex for PHP scripts 
Just use the same one as the Nginx wiki and some other resources.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-26 16:40:38 +03:00
Alan Orth 55fddf03b3
Remove provisioning user management 
It's just too tricky to manage this. Ubuntu / RedHat preseeds and
kickstarts can create the user and add it to groups, but only when
we control the initial boot environment (ie not on Linode, Digital
Ocean, etc), so let's just say we assume this user exists and can
get root with sudo by the some we are running ansible on it.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-20 15:06:45 +03:00
Alan Orth 6b528ecc92
roles/php5-fpm: Fix creation of pool configs for both tls and non-tls vhosts 
Ansible's union thing only works on sets and lists, here we have a
dict.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-19 19:41:48 +03:00
Alan Orth b93da27fde
roles/nginx: Create fastcgi cache dir 
Or else nginx doesn't start.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-19 18:49:39 +03:00
Alan Orth 0b90bad6a9
roles/nginx: Add fastcgi caching 
Bypasses caching for logged in users (right now only for sessions
where the "wordpress_logged_in" cookie is set. Doubles the trans-
actions per second as measured by siege:

    $ siege -d1 -t1M -c50 https://mjanja.ch

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-10 23:04:28 +03:00
Alan Orth 4ea152bf51
roles/nginx: Add HTTP headers for web application security 
See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 13:05:42 +03:00
Alan Orth 0dc4d3f147
roles/nginx: Add a second OCSP stapling responder 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 12:44:27 +03:00
Alan Orth 7457ac3b93
roles/nginx: Always set HSTS header 
nginx 1.7.5 allows us to always set HTTP headers:

See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 12:40:48 +03:00
Alan Orth c3bc6d949d
roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-23 12:26:24 +03:00
Alan Orth 171798c76d roles/common: Add DSA/ECDSA cleanup to ssh tasks 
We don't want to support these signature algorithms!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-20 16:31:37 +03:00
Alan Orth 0d2763fb59
roles/common: Remove ECDSA SSH public key for aorth@noma 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-12 18:19:49 +03:00
Alan Orth d7dd81bc84
roles/common: Add ED25519 SSH public key for aorth@noma 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-12 18:19:21 +03:00
Alan Orth 13b592dfcd roles/common: Tune sshd_config to be more strict 
Disable ECDSA as a signature algorithm and drop some older message
authentication algorithms.

See: https://stribika.github.io/2015/01/04/secure-secure-shell.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-07 01:47:06 +03:00
Alan Orth a80cb49957 roles/common: Update sshd_config template to explicitly allow the provisioning user 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-06 17:45:06 +03:00
Alan Orth 3b6c9745ab
roles/common: Add provisioning user to sudoers 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-05 08:24:13 +03:00
Alan Orth 0f5b088c08 roles/common: Add createhome:yes to provisioning user task 
Need to make sure the user gets created on a fresh install, like on
Amazon EC2 or OpenStack images where the first user is `ubuntu' and
you can't assume `provisioning' is already created.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-04 02:24:53 +03:00
Alan Orth 6ccfdb99fa roles/nginx: Enable OCSP stapling 
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5.

Seems to be working, test with:

    $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status

Look for "OCSP Response" with "Cert Status: good".

[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 23:28:05 +03:00
Alan Orth f23f0713d2
roles/nginx: Enable SPDY header compression 
Recommended by Ilya Grigorik to be set to 6.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:40:39 +03:00
Alan Orth 15603ba9e8
roles/nginx: Disable SSL session tickets 
Session tickets increase performance, but decrease security, so
let's just turn them off.  See the following posts:

- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:37:00 +03:00