ansible-personal

Author	SHA1	Message	Date
Alan Orth	bb55506464	roles/nginx: Use Linode DNS servers for OCSP resolvers I didn't realize Linode had DNS resolvers, but they are much closer than anything else (obviously). Here is OpenDNS: # mtr --report 208.67.222.222 Start: Sun Mar 22 15:31:50 2015 HOST: mjanja Loss% Snt Last Avg Best Wrst StDev 1.\|-- router1-lon.linode.com 0.0% 10 0.5 0.9 0.5 3.4 0.7 2.\|-- 212.111.33.233 0.0% 10 1.4 1.4 1.2 1.9 0.0 3.\|-- 217.20.44.194 0.0% 10 0.7 0.8 0.7 1.2 0.0 4.\|-- lonap.rtr1.lon.opendns.co 0.0% 10 1.2 1.1 0.9 1.4 0.0 5.\|-- resolver1.opendns.com 0.0% 10 1.0 0.9 0.8 1.0 0.0 And here is Linode's: # mtr --report 109.74.192.20 Start: Sun Mar 22 15:32:30 2015 HOST: mjanja Loss% Snt Last Avg Best Wrst StDev 1.\|-- router2-lon.linode.com 0.0% 10 0.5 0.6 0.5 0.8 0.0 2.\|-- resolver1.london.linode.c 0.0% 10 0.4 0.4 0.3 0.8 0.0 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-22 19:06:33 +03:00
Alan Orth	ae8937eb96	roles/nginx: Just enable OCSP I was attempting to make the config easier to use in test environments where the key is self-signed, but meh, I rarely do that and I think this logic doesn't actually work. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-22 19:05:50 +03:00
Alan Orth	04e453df51	Revert "roles/nginx: Correct HSTS header in https template" This reverts commit 5c7404d22856a332ea4176beb88be3723a6a169e. 'always' is legal in nginx >= 1.7.5: If the always parameter is specified (1.7.5), the header field will be added regardless of the response code. See: http://nginx.org/en/docs/http/ngx_http_headers_module.html	2015-03-18 18:33:19 +03:00
Alan Orth	5c7404d228	roles/nginx: Correct HSTS header in https template Apparently the "always" syntax isn't used anymore (ever?), not sure where I got it from but this definitely causes HSTS to not work. See: https://mozilla.github.io/server-side-tls/ssl-config-generator/ See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-18 10:20:55 +03:00
Alan Orth	6422cb7507	roles/nginx: Switch nginx OCSP resolver to OpenDNS We don't need to give Google EVERYTHING. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-18 09:06:22 +03:00
Alan Orth	d08a37526f	roles/nginx: Don't send OCSP responses for hosts using self-signed certs Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:38:30 +03:00
Alan Orth	0dc4d3f147	roles/nginx: Add a second OCSP stapling responder Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:44:27 +03:00
Alan Orth	7457ac3b93	roles/nginx: Always set HSTS header nginx 1.7.5 allows us to always set HTTP headers: See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:40:48 +03:00
Alan Orth	6ccfdb99fa	roles/nginx: Enable OCSP stapling Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 23:28:05 +03:00
Alan Orth	f23f0713d2	roles/nginx: Enable SPDY header compression Recommended by Ilya Grigorik to be set to 6. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:40:39 +03:00
Alan Orth	15603ba9e8	roles/nginx: Disable SSL session tickets Session tickets increase performance, but decrease security, so let's just turn them off. See the following posts: - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ - https://www.imperialviolet.org/2013/06/27/botchingpfs.html - https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:37:00 +03:00
Alan Orth	23d76a535f	roles/nginx: Set nginx SSL session timeout to 24 hours Default is 5 minutes, but it seems like unless you're a high-traff- ic site, there's no need to expire sessions so quickly. Also, the istlsfastyet.com configs are using 24 hours, so surely we can. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:19:12 +03:00
Alan Orth	d8cd31049b	roles/nginx: Format and add comments to nginx https config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:17:52 +03:00
Alan Orth	be6c76a2af	roles/nginx: Set nginx SSL buffer size to 1400 istlsfastyet.com recommends setting the buffer size to 1400 so it can fit into a single MTU. nginx default is 16k! http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:16:07 +03:00
Alan Orth	ad90f7f0fb	roles/nginx: Use HSTS for https vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-06 10:46:04 +03:00
Alan Orth	e6ffdf8652	roles/nginx: Update nginx https stuff - re-organize tls vhost configuration - copy TLS cert from host_vars directly to file Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-13 23:16:54 +03:00
Alan Orth	162197ad25	roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-06 21:32:37 +03:00

17 Commits