Commit Graph

40 Commits

Author SHA1 Message Date
96cefc7f74
roles/nginx: Parameterize HSTS header
This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
2021-03-23 15:36:28 +02:00
a34cb1e666
roles/nginx: Switch to acme.sh for Let's Encrypt
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is imp-
lemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00
0a39051a95
roles/nginx: Allow custom resolvers for TLS stapling
Allows to specify custom DNS resolvers for TLS stapling, with a default
of Cloudflare's public DNS servers.
2018-04-30 18:04:17 +03:00
bda95b6a1c
roles/nginx: Default to Cloudflare public DNS for TLS stapling
No need to give Google even more data or free advertising by using
this as the default! In practice I always use the DNS servers from
the VPS provider anyways.
2018-04-30 17:51:59 +03:00
aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no"
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
2016-08-17 12:55:14 +03:00
de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes"
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
2016-08-17 12:42:48 +03:00
78dbdae783
roles/nginx: Fix variable check in HTTPS template
Don't assume the variables for TLS certs exist.
2016-07-05 19:42:56 +03:00
0cd2735c82
roles/nginx: Rework Let's Encrypt stuff
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
2016-06-27 23:52:39 +03:00
b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
2016-06-27 19:07:48 +03:00
8f43bf28fd
roles/nginx: Add IPv6 DNS resolvers
From Linode's Frankfurt datacenter.
2016-06-27 18:40:25 +03:00
a0b31ee86c
roles/nginx: Prioritize DNS resolvers in Frankfurt
The server is in Linode's DE datacenter so let's use those resolvers
instead of the ones in London.
2016-06-27 18:32:59 +03:00
37b4809546 roles/nginx: Add IPv6 DNS resolvers for OCSP stapling 2016-04-25 13:25:05 +03:00
d50212c66c roles/nginx: Remove extra semi colon in HSTS preload header
Google's preload check application pointed out that there was an
extra semi colon in the HTTP header:

    $ hstspreload checkdomain alaninkenya.org

    Warning:

    1. Syntax warning: Header includes an empty directive or extra semicolon.

The tool can be downloaded here: https://github.com/chromium/hstspreload

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-31 13:35:44 +03:00
940b2720da
Rename nginx_* variables underneath nginx_vhosts
It's just deduplication, since it's already obvious that the dict
is for nginx-related vars:

    - nginx_domain_name→domain_name
    - nginx_domain_aliases→domain_aliases
    - nginx_enable_https→enable_https
    - nginx_enable_hsts→enable_hsts

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:25:44 +02:00
27a4abfcfd
roles/nginx: Add comments about defaults in templates
It would be bettwe to set these defaults in the role's defaults, but
we can't because they exist in dicts for each of the host's sites.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:29:33 +02:00
a7094e0964
roles/nginx: Adjust spacing in template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:19:46 +02:00
98afeddbbf
roles/nginx: Allow using self-signed TLS certs with dev hosts
Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev
hosts where we don't have real domains or real certs. But everything
should have TLS.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:18:21 +02:00
60c37821d6
roles/nginx: Only use Linode DNS resolvers for OCSP if it's a linode host
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 17:40:32 +02:00
c0431d4247 Switch HTTPS vhosts to Let's Encrypt certificates
For now I generated the certs manually, but in the future the play-
book should run the letsencrypt-auto client for us!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-07 20:53:39 +03:00
48978407b8
roles/nginx: Move HTTP Strict Transport Security toggle to vhosts
This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dang-
erous, so unless a vhost explicitly sets it to "yes" we shouldn't
enable it.

Note: also switch from using a boolean to using a string; it is st-
ill declarative, but at least now I don't have to guess whether it
is being treated as a bool or not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:24:58 +03:00
24a3724dfe roles/nginx: Remove spdy_headers_comp
It was deprecated when nginx added support for HTTP/2.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-23 18:20:38 +03:00
8b77fd7f94 roles/nginx: Templatize SSL parameters using role defaults
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
7212b87f09
roles/nginx: Adjust HSTS headers for https block of vhost template
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:56:19 +03:00
bb55506464
roles/nginx: Use Linode DNS servers for OCSP resolvers
I didn't realize Linode had DNS resolvers, but they are much closer
than anything else (obviously).

Here is OpenDNS:

    # mtr --report 208.67.222.222
    Start: Sun Mar 22 15:31:50 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router1-lon.linode.com     0.0%    10    0.5   0.9   0.5   3.4   0.7
      2.|-- 212.111.33.233             0.0%    10    1.4   1.4   1.2   1.9   0.0
      3.|-- 217.20.44.194              0.0%    10    0.7   0.8   0.7   1.2   0.0
      4.|-- lonap.rtr1.lon.opendns.co  0.0%    10    1.2   1.1   0.9   1.4   0.0
      5.|-- resolver1.opendns.com      0.0%    10    1.0   0.9   0.8   1.0   0.0

And here is Linode's:

    # mtr --report 109.74.192.20
    Start: Sun Mar 22 15:32:30 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router2-lon.linode.com     0.0%    10    0.5   0.6   0.5   0.8   0.0
      2.|-- resolver1.london.linode.c  0.0%    10    0.4   0.4   0.3   0.8   0.0

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:06:33 +03:00
ae8937eb96 roles/nginx: Just enable OCSP
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:05:50 +03:00
04e453df51 Revert "roles/nginx: Correct HSTS header in https template"
This reverts commit 5c7404d228.

'always' is legal in nginx >= 1.7.5:

If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.

See: http://nginx.org/en/docs/http/ngx_http_headers_module.html
2015-03-18 18:33:19 +03:00
5c7404d228
roles/nginx: Correct HSTS header in https template
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.

See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 10:20:55 +03:00
6422cb7507
roles/nginx: Switch nginx OCSP resolver to OpenDNS
We don't need to give Google EVERYTHING.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:06:22 +03:00
d08a37526f
roles/nginx: Don't send OCSP responses for hosts using self-signed certs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:38:30 +03:00
0dc4d3f147
roles/nginx: Add a second OCSP stapling responder
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:44:27 +03:00
7457ac3b93
roles/nginx: Always set HSTS header
nginx 1.7.5 allows us to always set HTTP headers:

See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:40:48 +03:00
6ccfdb99fa roles/nginx: Enable OCSP stapling
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5.

Seems to be working, test with:

    $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status

Look for "OCSP Response" with "Cert Status: good".

[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 23:28:05 +03:00
f23f0713d2
roles/nginx: Enable SPDY header compression
Recommended by Ilya Grigorik to be set to 6.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:40:39 +03:00
15603ba9e8
roles/nginx: Disable SSL session tickets
Session tickets increase performance, but decrease security, so
let's just turn them off.  See the following posts:

- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:37:00 +03:00
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly.  Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:19:12 +03:00
d8cd31049b
roles/nginx: Format and add comments to nginx https config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:17:52 +03:00
be6c76a2af roles/nginx: Set nginx SSL buffer size to 1400
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU.  nginx default is 16k!

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:16:07 +03:00
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-06 10:46:04 +03:00
e6ffdf8652
roles/nginx: Update nginx https stuff
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-13 23:16:54 +03:00
162197ad25
roles/nginx: Re-work vhost template to support HTTPS
Assumes you have a TLS cert for one domain, but not the others, ie:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 21:32:37 +03:00