bb55506464
roles/nginx: Use Linode DNS servers for OCSP resolvers
...
I didn't realize Linode had DNS resolvers, but they are much closer
than anything else (obviously).
Here is OpenDNS:
# mtr --report 208.67.222.222
Start: Sun Mar 22 15:31:50 2015
HOST: mjanja Loss% Snt Last Avg Best Wrst StDev
1.|-- router1-lon.linode.com 0.0% 10 0.5 0.9 0.5 3.4 0.7
2.|-- 212.111.33.233 0.0% 10 1.4 1.4 1.2 1.9 0.0
3.|-- 217.20.44.194 0.0% 10 0.7 0.8 0.7 1.2 0.0
4.|-- lonap.rtr1.lon.opendns.co 0.0% 10 1.2 1.1 0.9 1.4 0.0
5.|-- resolver1.opendns.com 0.0% 10 1.0 0.9 0.8 1.0 0.0
And here is Linode's:
# mtr --report 109.74.192.20
Start: Sun Mar 22 15:32:30 2015
HOST: mjanja Loss% Snt Last Avg Best Wrst StDev
1.|-- router2-lon.linode.com 0.0% 10 0.5 0.6 0.5 0.8 0.0
2.|-- resolver1.london.linode.c 0.0% 10 0.4 0.4 0.3 0.8 0.0
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:06:33 +03:00
ae8937eb96
roles/nginx: Just enable OCSP
...
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:05:50 +03:00
04e453df51
Revert "roles/nginx: Correct HSTS header in https template"
...
This reverts commit 5c7404d228http://nginx.org/en/docs/http/ngx_http_headers_module.html
2015-03-18 18:33:19 +03:00
5c7404d228
roles/nginx: Correct HSTS header in https template
...
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.
See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 10:20:55 +03:00
6422cb7507
roles/nginx: Switch nginx OCSP resolver to OpenDNS
...
We don't need to give Google EVERYTHING.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:06:22 +03:00
d08a37526f
roles/nginx: Don't send OCSP responses for hosts using self-signed certs
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:38:30 +03:00
0dc4d3f147
roles/nginx: Add a second OCSP stapling responder
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:44:27 +03:00
7457ac3b93
roles/nginx: Always set HSTS header
...
nginx 1.7.5 allows us to always set HTTP headers:
See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:40:48 +03:00
6ccfdb99fa
roles/nginx: Enable OCSP stapling
...
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5 .
Seems to be working, test with:
$ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status
Look for "OCSP Response" with "Cert Status: good".
[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 23:28:05 +03:00
f23f0713d2
roles/nginx: Enable SPDY header compression
...
Recommended by Ilya Grigorik to be set to 6.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:40:39 +03:00
15603ba9e8
roles/nginx: Disable SSL session tickets
...
Session tickets increase performance, but decrease security, so
let's just turn them off. See the following posts:
- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:37:00 +03:00
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours
...
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly. Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:19:12 +03:00
d8cd31049b
roles/nginx: Format and add comments to nginx https config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:17:52 +03:00
be6c76a2af
roles/nginx: Set nginx SSL buffer size to 1400
...
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU. nginx default is 16k!
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:16:07 +03:00
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-06 10:46:04 +03:00
e6ffdf8652
roles/nginx: Update nginx https stuff
...
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-13 23:16:54 +03:00
162197ad25
roles/nginx: Re-work vhost template to support HTTPS
...
Assumes you have a TLS cert for one domain, but not the others, ie:
http://blah.com \
http://blah.net -> https://blah.io
http://blah.org /
Otherwise, without https, it creates a vhost with all domain names.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 21:32:37 +03:00
