58222706ba
roles/common: Remove logic for TCP congestion avoidance on early kernels in sysctl
...
We don't have anything near 2.6.32 anymore.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:25:33 +03:00
60ba4dacbd
roles/common: Add TCP/IP tweaks to sysctl template
...
Disable TCP slow start and increase the number of ports available
for client connections.
See: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
See: http://www.chromium.org/spdy/spdy-best-practices
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:23:10 +03:00
942f45834f
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-11 13:51:48 +03:00
3dcc5e1411
roles/nginx: Move some common fastcgi settings out of vhost template
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-10 11:59:43 +03:00
2b02d94254
roles/nginx: Don't cache 404 errors in munin config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:32:09 +03:00
41f055306f
roles/nginx: Re-order $request_method in fastcgi_cache_key
...
Everyone else on the Internet has it this way, so why not.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:18:02 +03:00
53d2c85bf0
roles/nginx: Adjust fastcgi_cache_valid
...
Only cache 200, 301, and 302 requests!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:23:48 +03:00
066bf6fa85
roles/nginx: Set gzip_comp_level to 6
...
Seems to be the sweet spot, as gzip itself defaults to this.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:21:34 +03:00
bb92bd080d
roles/nginx: Add $request_method to nginx fastcgi_cache_key
...
nginx is caching HEAD requests, then when users come along and do
a GET request they get an HTTP 200 with no request body. It seems
setting fastcgi_request_methods to GET doesn't stop nginx from caching
HEADs, so for now just add the $request_method to the key.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:19:34 +03:00
1174db87bc
roles/nginx: Add task to clone WordPress git
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:39:17 +03:00
d08a37526f
roles/nginx: Don't send OCSP responses for hosts using self-signed certs
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:38:30 +03:00
cd65475d0d
roles/nginx: Add protection for PHP scripts in uploads directory
...
By the way, :? starts a non-capturing group (ie, don't save the
back references).
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:05:50 +03:00
19f5b60cb7
Remove references to provisioning.yml
...
We aren't managing the provisioning user anymore, it is just assumed
to be there.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:53:48 +03:00
29f7a76545
roles/nginx: Update location regex for PHP scripts
...
Just use the same one as the Nginx wiki and some other resources.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:40:38 +03:00
55fddf03b3
Remove provisioning user management
...
It's just too tricky to manage this. Ubuntu / RedHat preseeds and
kickstarts can create the user and add it to groups, but only when
we control the initial boot environment (ie not on Linode, Digital
Ocean, etc), so let's just say we assume this user exists and can
get root with sudo by the some we are running ansible on it.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-20 15:06:45 +03:00
6b528ecc92
roles/php5-fpm: Fix creation of pool configs for both tls and non-tls vhosts
...
Ansible's union thing only works on sets and lists, here we have a
dict.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-19 19:41:48 +03:00
b93da27fde
roles/nginx: Create fastcgi cache dir
...
Or else nginx doesn't start.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-19 18:49:39 +03:00
0b90bad6a9
roles/nginx: Add fastcgi caching
...
Bypasses caching for logged in users (right now only for sessions
where the "wordpress_logged_in" cookie is set. Doubles the trans-
actions per second as measured by siege:
$ siege -d1 -t1M -c50 https://mjanja.ch
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-10 23:04:28 +03:00
4ea152bf51
roles/nginx: Add HTTP headers for web application security
...
See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 13:05:42 +03:00
0dc4d3f147
roles/nginx: Add a second OCSP stapling responder
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:44:27 +03:00
7457ac3b93
roles/nginx: Always set HSTS header
...
nginx 1.7.5 allows us to always set HTTP headers:
See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:40:48 +03:00
c3bc6d949d
roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-23 12:26:24 +03:00
171798c76d
roles/common: Add DSA/ECDSA cleanup to ssh tasks
...
We don't want to support these signature algorithms!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-20 16:31:37 +03:00
0d2763fb59
roles/common: Remove ECDSA SSH public key for aorth@noma
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-12 18:19:49 +03:00
d7dd81bc84
roles/common: Add ED25519 SSH public key for aorth@noma
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-12 18:19:21 +03:00
13b592dfcd
roles/common: Tune sshd_config to be more strict
...
Disable ECDSA as a signature algorithm and drop some older message
authentication algorithms.
See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-07 01:47:06 +03:00
a80cb49957
roles/common: Update sshd_config template to explicitly allow the provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-06 17:45:06 +03:00
3b6c9745ab
roles/common: Add provisioning user to sudoers
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-05 08:24:13 +03:00
0f5b088c08
roles/common: Add createhome:yes to provisioning user task
...
Need to make sure the user gets created on a fresh install, like on
Amazon EC2 or OpenStack images where the first user is `ubuntu' and
you can't assume `provisioning' is already created.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-04 02:24:53 +03:00
6ccfdb99fa
roles/nginx: Enable OCSP stapling
...
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5 .
Seems to be working, test with:
$ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status
Look for "OCSP Response" with "Cert Status: good".
[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 23:28:05 +03:00
f23f0713d2
roles/nginx: Enable SPDY header compression
...
Recommended by Ilya Grigorik to be set to 6.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:40:39 +03:00
15603ba9e8
roles/nginx: Disable SSL session tickets
...
Session tickets increase performance, but decrease security, so
let's just turn them off. See the following posts:
- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:37:00 +03:00
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours
...
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly. Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:19:12 +03:00
d8cd31049b
roles/nginx: Format and add comments to nginx https config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:17:52 +03:00
be6c76a2af
roles/nginx: Set nginx SSL buffer size to 1400
...
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU. nginx default is 16k!
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:16:07 +03:00
d04293a664
roles/nginx: Set nginx state to 'latest' in apt
...
This way we can upgrade nginx simply by running the nginx tags.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-02 18:48:11 +03:00
956fbefc1a
roles/nginx: Switch to nginx mainline (1.7)
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 01:02:44 +03:00
3f5634110a
roles/nginx: Add comment about try_files for serving static files from disk
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:41:07 +03:00
c870044584
roles/nginx: Adjust Cache-Control headers
...
Use "public" with "max-age" instead of Expires, as "max-age" is always
preferred if it's present. Note: setting "public" doesn't make the
resource "more cacheable", but it is just more explicit.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:29:53 +03:00
08a920d0cb
Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file"
...
This reverts commit 59b9bd70b8
.
Might not be so ingenious. Can't get this to work anymore...
2014-10-27 21:16:43 +03:00
c3f5e27642
roles/common: Add ECDSA public key for noma
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:25:48 +03:00
a265e48a9f
roles/common: Remove RSA public key
...
Both client and server support ed25519, so there's no need to even
have the RSA key here.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:23:01 +03:00
59b9bd70b8
roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file
...
This is kinda crazy, but makes the host_vars much easier to read.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:42:44 +03:00
5e0da37542
roles/common: Remove task which removes irqbalance
...
Prevailing wisdom is actually that this *can* help virtual hosts,
especially when the VM guest has multiple CPUs.
See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:31:23 +03:00
1ee7b385bf
roles/common: Rename SSH keys
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:19:32 +03:00
1e2193efc9
roles/common: Add functionality to copy user keys to provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:13:45 +03:00
c53dd18181
roles/common: Add role to manage provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:11:44 +03:00
42b893b2a7
roles/nginx: Add expires to static files
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-10 11:05:42 +03:00
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec
...
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...
https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
d06ddf8a81
roles/nginx: Update TLS vhost task for Ansible > 1.7.1
...
Seems there is some YAML sublety that causes this syntax to insert
double spaces on the destination file... using native YAML hashes
are a workaround, see GitHub issues:
https://github.com/ansible/ansible/issues/9067
https://github.com/ansible/ansible/issues/9172
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:57:24 +03:00