alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
174 Commits 2 Branches 0 Tags 4.2 MiB
c535cce6a5
Commit Graph

19 Commits

Author SHA1 Message Date
Alan Orth
8b77fd7f94 roles/nginx: Templatize SSL parameters using role defaults 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-06-06 00:07:50 +03:00
Alan Orth
7212b87f09
roles/nginx: Adjust HSTS headers for https block of vhost template 
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-05-20 15:56:19 +03:00
Alan Orth
bb55506464
roles/nginx: Use Linode DNS servers for OCSP resolvers 
I didn't realize Linode had DNS resolvers, but they are much closer
than anything else (obviously).

Here is OpenDNS:

    # mtr --report 208.67.222.222
    Start: Sun Mar 22 15:31:50 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router1-lon.linode.com     0.0%    10    0.5   0.9   0.5   3.4   0.7
      2.|-- 212.111.33.233             0.0%    10    1.4   1.4   1.2   1.9   0.0
      3.|-- 217.20.44.194              0.0%    10    0.7   0.8   0.7   1.2   0.0
      4.|-- lonap.rtr1.lon.opendns.co  0.0%    10    1.2   1.1   0.9   1.4   0.0
      5.|-- resolver1.opendns.com      0.0%    10    1.0   0.9   0.8   1.0   0.0

And here is Linode's:

    # mtr --report 109.74.192.20
    Start: Sun Mar 22 15:32:30 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router2-lon.linode.com     0.0%    10    0.5   0.6   0.5   0.8   0.0
      2.|-- resolver1.london.linode.c  0.0%    10    0.4   0.4   0.3   0.8   0.0

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-22 19:06:33 +03:00
Alan Orth
ae8937eb96 roles/nginx: Just enable OCSP 
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-22 19:05:50 +03:00
Alan Orth
04e453df51 Revert "roles/nginx: Correct HSTS header in https template" 
This reverts commit 5c7404d228.

'always' is legal in nginx >= 1.7.5:

If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.

See: http://nginx.org/en/docs/http/ngx_http_headers_module.html
 2015-03-18 18:33:19 +03:00
Alan Orth
5c7404d228
roles/nginx: Correct HSTS header in https template 
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.

See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-18 10:20:55 +03:00
Alan Orth
6422cb7507
roles/nginx: Switch nginx OCSP resolver to OpenDNS 
We don't need to give Google EVERYTHING.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-03-18 09:06:22 +03:00
Alan Orth
d08a37526f
roles/nginx: Don't send OCSP responses for hosts using self-signed certs 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-02-26 17:38:30 +03:00
Alan Orth
0dc4d3f147
roles/nginx: Add a second OCSP stapling responder 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 12:44:27 +03:00
Alan Orth
7457ac3b93
roles/nginx: Always set HSTS header 
nginx 1.7.5 allows us to always set HTTP headers:

See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 12:40:48 +03:00
Alan Orth
6ccfdb99fa roles/nginx: Enable OCSP stapling 
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5.

Seems to be working, test with:

    $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status

Look for "OCSP Response" with "Cert Status: good".

[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 23:28:05 +03:00
Alan Orth
f23f0713d2
roles/nginx: Enable SPDY header compression 
Recommended by Ilya Grigorik to be set to 6.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:40:39 +03:00
Alan Orth
15603ba9e8
roles/nginx: Disable SSL session tickets 
Session tickets increase performance, but decrease security, so
let's just turn them off.  See the following posts:

- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:37:00 +03:00
Alan Orth
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours 
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly.  Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:19:12 +03:00
Alan Orth
d8cd31049b
roles/nginx: Format and add comments to nginx https config 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:17:52 +03:00
Alan Orth
be6c76a2af roles/nginx: Set nginx SSL buffer size to 1400 
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU.  nginx default is 16k!

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:16:07 +03:00
Alan Orth
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-06 10:46:04 +03:00
Alan Orth
e6ffdf8652
roles/nginx: Update nginx https stuff 
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-13 23:16:54 +03:00
Alan Orth
162197ad25
roles/nginx: Re-work vhost template to support HTTPS 
Assumes you have a TLS cert for one domain, but not the others, ie:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-06 21:32:37 +03:00