Commit Graph

91 Commits

Author SHA1 Message Date
d694616cf3
roles/nginx: Make sure to set HSTS headers on WordPress static files
I realized the other day that due to complex logic in the location
blocks, various WordPress static files like images and stylesheets
didn't get the HTTP Strict Transport Security header set. We need
to include it on each level where we are setting headers, because
nginx overwrites headers if you set them again in a child block.
2016-11-20 17:25:01 +02:00
3a8b64a5ab
roles/nginx: Remove 'public' from Cache-Control header
If a max-age is specified the 'public' is implicit.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-14 07:58:46 +02:00
99caf49a90
roles/nginx: Minor typo in comment 2016-10-18 21:41:46 -04:00
158df52e35
roles/nginx: Fix systemd unit for renewing Let's Encrypt certs
The `ConditionFileIsExecutable` goes in the [Unit] section! This
fixes the error:

  systemd[1]: [/etc/systemd/system/renew-letsencrypt.service:6] Unknown lvalue 'ConditionFileIsExecutable' in section 'Service'
2016-09-25 15:55:45 +03:00
422caec2a7
roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 15:59:24 +03:00
586ad76d6b
roles/nginx: Only use index.php on hosts that need it
Otherwise, use index.html.
2016-09-13 15:58:40 +03:00
740e5195a0
roles/nginx: Add new variable "needs_php"
Used to indicate if a vhost needs PHP configuration or not, like
for a static site. Set in the hosts's nginx_vhosts block. Defaults
to "False" if unset.
2016-09-13 14:53:12 +03:00
4866083539
roles/nginx: Update comment for option variables 2016-09-13 14:51:49 +03:00
e036349661
roles/nginx: Only check WordPress variables is vhost is using WordPress
This variable is used to control the FastCGI cache, and doesn't
need to be checked if the vhost isn't using WordPress.
2016-09-12 20:57:10 +03:00
aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no"
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
2016-08-17 12:55:14 +03:00
de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes"
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
2016-08-17 12:42:48 +03:00
60c498f5ae
roles/nginx: Add sanity check to systemd service for renewing Let's Encrypt certs
Just in case, we'd better make sure that certbot is installed and
usable (+x) before we try running it.
2016-08-17 12:27:33 +03:00
b284098485
roles/nginx: Add mitigation for HTTPoxy vulnerability
Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
2016-07-21 14:45:41 +03:00
b2e2d7bb9e
roles/nginx: Better names for Let's Encrypt timer/service 2016-07-07 14:36:29 +03:00
78dbdae783
roles/nginx: Fix variable check in HTTPS template
Don't assume the variables for TLS certs exist.
2016-07-05 19:42:56 +03:00
0cd2735c82
roles/nginx: Rework Let's Encrypt stuff
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
2016-06-27 23:52:39 +03:00
b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
2016-06-27 19:07:48 +03:00
8f43bf28fd
roles/nginx: Add IPv6 DNS resolvers
From Linode's Frankfurt datacenter.
2016-06-27 18:40:25 +03:00
a0b31ee86c
roles/nginx: Prioritize DNS resolvers in Frankfurt
The server is in Linode's DE datacenter so let's use those resolvers
instead of the ones in London.
2016-06-27 18:32:59 +03:00
b41bd432df
roles/nginx: Add "ansible managed" string to configs
Generates a placeholder text to say that the file is managed by
ansible.
2016-06-27 17:50:49 +03:00
24ca33c605
roles/nginx: Disable rules for Yoast SEO
Not using Yoast anymore. Now using the much simpler SEO Framework:

https://github.com/sybrew/the-seo-framework
2016-06-02 11:03:35 +03:00
447db17e33
roles/nginx: Update apt sources for Ubuntu now that nginx 1.10.0 is out 2016-04-27 15:04:17 +03:00
81e6af8f2b
roles/nginx: Add IPv6 listener in default HTTPS vhost 2016-04-25 21:49:41 +03:00
1ffc4eebc9
roles/nginx: Use default_server instead of default
Seems to be the new keyword for quite some time now, despite not
causing an error:

    http://nginx.org/en/docs/http/server_names.html
2016-04-25 21:48:36 +03:00
03519831cb
roles/nginx: Return HTTP 444 for requests to invalid hostnames
444 is a special nginx return code that means the request was
closed without a response, see:

    http://nginx.org/en/docs/http/request_processing.html
2016-04-25 21:45:21 +03:00
37b4809546 roles/nginx: Add IPv6 DNS resolvers for OCSP stapling 2016-04-25 13:25:05 +03:00
cd77b088e9
Fix a few references to php5-fpm
Unless we really mean php5-fpm, let's just say php-fpm.
2016-04-25 12:33:12 +03:00
0bed8e4c0b
roles/nginx: Fix for path to PHP-FPM socket on Ubuntu 16.04 2016-04-22 18:19:30 +03:00
f90eff6b1a roles/nginx: Update sources.list template for Ubuntu 16.04
Use Ubuntu 15.10 builds for now.
2016-04-22 11:25:35 +03:00
d50212c66c roles/nginx: Remove extra semi colon in HSTS preload header
Google's preload check application pointed out that there was an
extra semi colon in the HTTP header:

    $ hstspreload checkdomain alaninkenya.org

    Warning:

    1. Syntax warning: Header includes an empty directive or extra semicolon.

The tool can be downloaded here: https://github.com/chromium/hstspreload

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-31 13:35:44 +03:00
27a3ee9651
roles/nginx: Add cache control header for SVG images
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:17:40 +02:00
43a7039dc9
roles/nginx: Remove "enable_https" config logic
Everything is HTTPS now, whether self-signed or otherwise, so it
doesn't make sense to have a config switch for this.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:38:53 +02:00
940b2720da
Rename nginx_* variables underneath nginx_vhosts
It's just deduplication, since it's already obvious that the dict
is for nginx-related vars:

    - nginx_domain_name→domain_name
    - nginx_domain_aliases→domain_aliases
    - nginx_enable_https→enable_https
    - nginx_enable_hsts→enable_hsts

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:25:44 +02:00
41547defb9
Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts
Everything is TLS now (whether self-signed or not), so it's pointless
to distinguish.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:14:47 +02:00
27a4abfcfd
roles/nginx: Add comments about defaults in templates
It would be bettwe to set these defaults in the role's defaults, but
we can't because they exist in dicts for each of the host's sites.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:29:33 +02:00
86ee36da77
roles/nginx: Clean up template spacing
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:25:38 +02:00
a8005404f1
roles/nginx: Use more consistent naming for per-host nginx options
The `enable_https` option in host_vars becomes `nginx_enable_https`
to be more consistent with other nginx options used in host_vars.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:21:19 +02:00
a7094e0964
roles/nginx: Adjust spacing in template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:19:46 +02:00
98afeddbbf
roles/nginx: Allow using self-signed TLS certs with dev hosts
Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev
hosts where we don't have real domains or real certs. But everything
should have TLS.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:18:21 +02:00
60c37821d6
roles/nginx: Only use Linode DNS resolvers for OCSP if it's a linode host
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 17:40:32 +02:00
c0431d4247 Switch HTTPS vhosts to Let's Encrypt certificates
For now I generated the certs manually, but in the future the play-
book should run the letsencrypt-auto client for us!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-07 20:53:39 +03:00
cb67d6aa40
Rename 'use_https' to 'enable_https'
To be consistent with other similar variables.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:34:40 +03:00
52dc0c357b
roles/nginx: Add HSTS check to vhost template
We need to actually check if HSTS was requested before setting the
header in the block handing PHP requests. We check in the main vhost
block, but nginx headers are only inherited if you don't set ANY
headers in child blocks (ie, headers set in parent blocks are cleared
if you set any new ones in the child).

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:27:41 +03:00
48978407b8
roles/nginx: Move HTTP Strict Transport Security toggle to vhosts
This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dang-
erous, so unless a vhost explicitly sets it to "yes" we shouldn't
enable it.

Note: also switch from using a boolean to using a string; it is st-
ill declarative, but at least now I don't have to guess whether it
is being treated as a bool or not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:24:58 +03:00
24a3724dfe roles/nginx: Remove spdy_headers_comp
It was deprecated when nginx added support for HTTP/2.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-23 18:20:38 +03:00
a3e71e75d2
roles/nginx: SPDY -> HTTP/2
nginx 1.9.5 mainline adds support for HTTP/2 and deprecates SPDY.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-22 19:40:30 +03:00
9c70ab29e3
roles/nginx: Rename nginx sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:24:43 +03:00
b214bdfae8
roles/nginx: Add Debian support to nginx sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:22:36 +03:00
16a0bb9086 roles/nginx: Use utopic (14.10) nginx builds on 15.04
Upstream hasn't made 15.04 builds yet...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
151fb29687 roles/nginx: Add blank vhost
For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.

If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00