For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.
If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
A template is better than ansible's `apt_repository` module because
we can idempotently control the contents of the file based on vari-
ables.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Include subdomains in the HTTP Strict Transport Security header,
and include the "preload" verb to inform Google we want to be pre-
loaded into the HSTS preload.
See: https://hstspreload.appspot.com/
Signed-off-by: Alan Orth <alan.orth@gmail.com>
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
nginx blocks inherit headers set in blocks above them UNLESS the
current level also sets headers[0]. This was causing PHP requests
to not have STS headers because of the FastCGI cache header which
is set in that block.
[0] http://nginx.org/en/docs/http/ngx_http_headers_module.html
Fixes GitHub #7.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Bypasses caching for logged in users (right now only for sessions
where the "wordpress_logged_in" cookie is set. Doubles the trans-
actions per second as measured by siege:
$ siege -d1 -t1M -c50 https://mjanja.ch
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5.
Seems to be working, test with:
$ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status
Look for "OCSP Response" with "Cert Status: good".
[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly. Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Use "public" with "max-age" instead of Expires, as "max-age" is always
preferred if it's present. Note: setting "public" doesn't make the
resource "more cacheable", but it is just more explicit.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
My WordPress blogs have a /wordpress subdirectory in the document
root, but I don't serve from the /wordpress URI.
Technically, all we need is the tweaks to the try_files:
- `?args` passes query strings to php5-fpm
- removing 404 from the vhost's try_files so we don't return 404
when the requested file doesn't exist (obviously not all request
URI's in WordPress are actual files on the disk)
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Assumes you have a TLS cert for one domain, but not the others, ie:
http://blah.com \
http://blah.net -> https://blah.iohttp://blah.org /
Otherwise, without https, it creates a vhost with all domain names.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Without this, all requests to directory URIs throw 403 errors due
to directory listings not being allowed.
Signed-off-by: Alan Orth <alan.orth@gmail.com>