ansible-personal

Commit Graph

Author	SHA1	Message	Date
Alan Orth	7212b87f09	roles/nginx: Adjust HSTS headers for https block of vhost template I was only setting it on the PHP block, which is for all dynamic requests (ie pages from WordPress), but it should also be the same for all static files not served from that block. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-05-20 15:56:19 +03:00
Alan Orth	bb55506464	roles/nginx: Use Linode DNS servers for OCSP resolvers I didn't realize Linode had DNS resolvers, but they are much closer than anything else (obviously). Here is OpenDNS: # mtr --report 208.67.222.222 Start: Sun Mar 22 15:31:50 2015 HOST: mjanja Loss% Snt Last Avg Best Wrst StDev 1.\|-- router1-lon.linode.com 0.0% 10 0.5 0.9 0.5 3.4 0.7 2.\|-- 212.111.33.233 0.0% 10 1.4 1.4 1.2 1.9 0.0 3.\|-- 217.20.44.194 0.0% 10 0.7 0.8 0.7 1.2 0.0 4.\|-- lonap.rtr1.lon.opendns.co 0.0% 10 1.2 1.1 0.9 1.4 0.0 5.\|-- resolver1.opendns.com 0.0% 10 1.0 0.9 0.8 1.0 0.0 And here is Linode's: # mtr --report 109.74.192.20 Start: Sun Mar 22 15:32:30 2015 HOST: mjanja Loss% Snt Last Avg Best Wrst StDev 1.\|-- router2-lon.linode.com 0.0% 10 0.5 0.6 0.5 0.8 0.0 2.\|-- resolver1.london.linode.c 0.0% 10 0.4 0.4 0.3 0.8 0.0 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-22 19:06:33 +03:00
Alan Orth	ae8937eb96	roles/nginx: Just enable OCSP I was attempting to make the config easier to use in test environments where the key is self-signed, but meh, I rarely do that and I think this logic doesn't actually work. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-22 19:05:50 +03:00
Alan Orth	04e453df51	Revert "roles/nginx: Correct HSTS header in https template" This reverts commit `5c7404d228`. 'always' is legal in nginx >= 1.7.5: If the always parameter is specified (1.7.5), the header field will be added regardless of the response code. See: http://nginx.org/en/docs/http/ngx_http_headers_module.html	2015-03-18 18:33:19 +03:00
Alan Orth	5c7404d228	roles/nginx: Correct HSTS header in https template Apparently the "always" syntax isn't used anymore (ever?), not sure where I got it from but this definitely causes HSTS to not work. See: https://mozilla.github.io/server-side-tls/ssl-config-generator/ See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-18 10:20:55 +03:00
Alan Orth	6422cb7507	roles/nginx: Switch nginx OCSP resolver to OpenDNS We don't need to give Google EVERYTHING. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-18 09:06:22 +03:00
Alan Orth	d08a37526f	roles/nginx: Don't send OCSP responses for hosts using self-signed certs Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:38:30 +03:00
Alan Orth	0dc4d3f147	roles/nginx: Add a second OCSP stapling responder Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:44:27 +03:00
Alan Orth	7457ac3b93	roles/nginx: Always set HSTS header nginx 1.7.5 allows us to always set HTTP headers: See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:40:48 +03:00
Alan Orth	6ccfdb99fa	roles/nginx: Enable OCSP stapling Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 23:28:05 +03:00
Alan Orth	f23f0713d2	roles/nginx: Enable SPDY header compression Recommended by Ilya Grigorik to be set to 6. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:40:39 +03:00
Alan Orth	15603ba9e8	roles/nginx: Disable SSL session tickets Session tickets increase performance, but decrease security, so let's just turn them off. See the following posts: - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ - https://www.imperialviolet.org/2013/06/27/botchingpfs.html - https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:37:00 +03:00
Alan Orth	23d76a535f	roles/nginx: Set nginx SSL session timeout to 24 hours Default is 5 minutes, but it seems like unless you're a high-traff- ic site, there's no need to expire sessions so quickly. Also, the istlsfastyet.com configs are using 24 hours, so surely we can. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:19:12 +03:00
Alan Orth	d8cd31049b	roles/nginx: Format and add comments to nginx https config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:17:52 +03:00
Alan Orth	be6c76a2af	roles/nginx: Set nginx SSL buffer size to 1400 istlsfastyet.com recommends setting the buffer size to 1400 so it can fit into a single MTU. nginx default is 16k! http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:16:07 +03:00
Alan Orth	ad90f7f0fb	roles/nginx: Use HSTS for https vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-06 10:46:04 +03:00
Alan Orth	e6ffdf8652	roles/nginx: Update nginx https stuff - re-organize tls vhost configuration - copy TLS cert from host_vars directly to file Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-13 23:16:54 +03:00
Alan Orth	162197ad25	roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-06 21:32:37 +03:00

18 Commits