alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
100 Commits 2 Branches 0 Tags 4.2 MiB
55fddf03b3
Commit Graph

11 Commits

Author SHA1 Message Date
Alan Orth
0dc4d3f147
roles/nginx: Add a second OCSP stapling responder 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 12:44:27 +03:00
Alan Orth
7457ac3b93
roles/nginx: Always set HSTS header 
nginx 1.7.5 allows us to always set HTTP headers:

See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 12:40:48 +03:00
Alan Orth
6ccfdb99fa roles/nginx: Enable OCSP stapling 
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5.

Seems to be working, test with:

    $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status

Look for "OCSP Response" with "Cert Status: good".

[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 23:28:05 +03:00
Alan Orth
f23f0713d2
roles/nginx: Enable SPDY header compression 
Recommended by Ilya Grigorik to be set to 6.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:40:39 +03:00
Alan Orth
15603ba9e8
roles/nginx: Disable SSL session tickets 
Session tickets increase performance, but decrease security, so
let's just turn them off.  See the following posts:

- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:37:00 +03:00
Alan Orth
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours 
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly.  Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:19:12 +03:00
Alan Orth
d8cd31049b
roles/nginx: Format and add comments to nginx https config 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:17:52 +03:00
Alan Orth
be6c76a2af roles/nginx: Set nginx SSL buffer size to 1400 
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU.  nginx default is 16k!

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:16:07 +03:00
Alan Orth
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-06 10:46:04 +03:00
Alan Orth
e6ffdf8652
roles/nginx: Update nginx https stuff 
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-13 23:16:54 +03:00
Alan Orth
162197ad25
roles/nginx: Re-work vhost template to support HTTPS 
Assumes you have a TLS cert for one domain, but not the others, ie:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-06 21:32:37 +03:00