Commit Graph

80 Commits

Author SHA1 Message Date
dc5c09036c
Change pattern from nginx_tls_vhosts→nginx_vhosts
All hosts should have TLS now, whether self-signed "snakeoil" certs
or otherwise.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:54:18 +02:00
27a4abfcfd
roles/nginx: Add comments about defaults in templates
It would be bettwe to set these defaults in the role's defaults, but
we can't because they exist in dicts for each of the host's sites.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:29:33 +02:00
86ee36da77
roles/nginx: Clean up template spacing
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:25:38 +02:00
a8005404f1
roles/nginx: Use more consistent naming for per-host nginx options
The `enable_https` option in host_vars becomes `nginx_enable_https`
to be more consistent with other nginx options used in host_vars.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:21:19 +02:00
a7094e0964
roles/nginx: Adjust spacing in template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:19:46 +02:00
98afeddbbf
roles/nginx: Allow using self-signed TLS certs with dev hosts
Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev
hosts where we don't have real domains or real certs. But everything
should have TLS.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:18:21 +02:00
4507e20155 roles/nginx: Change owner/group of WordPress folder to nginx after cloning
Otherwise stuff like theme and plugin installs won't work.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 16:58:54 +02:00
60c37821d6
roles/nginx: Only use Linode DNS resolvers for OCSP if it's a linode host
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 17:40:32 +02:00
c0431d4247 Switch HTTPS vhosts to Let's Encrypt certificates
For now I generated the certs manually, but in the future the play-
book should run the letsencrypt-auto client for us!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-07 20:53:39 +03:00
cb67d6aa40
Rename 'use_https' to 'enable_https'
To be consistent with other similar variables.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:34:40 +03:00
52dc0c357b
roles/nginx: Add HSTS check to vhost template
We need to actually check if HSTS was requested before setting the
header in the block handing PHP requests. We check in the main vhost
block, but nginx headers are only inherited if you don't set ANY
headers in child blocks (ie, headers set in parent blocks are cleared
if you set any new ones in the child).

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:27:41 +03:00
48978407b8
roles/nginx: Move HTTP Strict Transport Security toggle to vhosts
This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dang-
erous, so unless a vhost explicitly sets it to "yes" we shouldn't
enable it.

Note: also switch from using a boolean to using a string; it is st-
ill declarative, but at least now I don't have to guess whether it
is being treated as a bool or not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:24:58 +03:00
24a3724dfe roles/nginx: Remove spdy_headers_comp
It was deprecated when nginx added support for HTTP/2.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-23 18:20:38 +03:00
a3e71e75d2
roles/nginx: SPDY -> HTTP/2
nginx 1.9.5 mainline adds support for HTTP/2 and deprecates SPDY.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-22 19:40:30 +03:00
9c70ab29e3
roles/nginx: Rename nginx sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:24:43 +03:00
b214bdfae8
roles/nginx: Add Debian support to nginx sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:22:36 +03:00
16a0bb9086 roles/nginx: Use utopic (14.10) nginx builds on 15.04
Upstream hasn't made 15.04 builds yet...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
78cb49c88b roles/nginx: Add missing nginx tag to blank vhost task
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
151fb29687 roles/nginx: Add blank vhost
For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.

If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
8b77fd7f94 roles/nginx: Templatize SSL parameters using role defaults
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
fe765f5d3a
roles/nginx: Fix TLS cert loop to use the current item
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:46:06 +03:00
4b74964963
roles/nginx: Do a shallow clone of WordPress git
I realized there was no need to do a full clone when I was working
in a Vagrant environment in a coffee shop with slow Internet. ;)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:32:05 +03:00
a17cb2a0a0 roles/nginx: Add initial IPv6 support to vhost template
Still need to add ip6tables rules

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 11:53:57 +03:00
3746e798b6
roles/nginx: Use template for nginx repo
A template is better than ansible's `apt_repository` module because
we can idempotently control the contents of the file based on vari-
ables.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 00:15:49 +03:00
7212b87f09
roles/nginx: Adjust HSTS headers for https block of vhost template
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:56:19 +03:00
caec2440bb
roles/nginx: Fix HSTS header in vhost config
We always want to add the header, not add a header with value
"always"!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:54:10 +03:00
f9ea01ba8f roles/nginx: Use stronger HSTS header
Include subdomains in the HTTP Strict Transport Security header,
and include the "preload" verb to inform Google we want to be pre-
loaded into the HSTS preload.

See: https://hstspreload.appspot.com/

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-13 18:35:26 +03:00
e675b750c4
roles/nginx: Switch to nginx stable branch
Remove old mainline repo and add stable repo to get nginx 1.8.0.

See: http://nginx.org/en/CHANGES-1.8

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-23 14:52:22 +03:00
4602f03bed
roles/nginx: Fix comment in main task
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-25 12:59:10 +03:00
bb55506464
roles/nginx: Use Linode DNS servers for OCSP resolvers
I didn't realize Linode had DNS resolvers, but they are much closer
than anything else (obviously).

Here is OpenDNS:

    # mtr --report 208.67.222.222
    Start: Sun Mar 22 15:31:50 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router1-lon.linode.com     0.0%    10    0.5   0.9   0.5   3.4   0.7
      2.|-- 212.111.33.233             0.0%    10    1.4   1.4   1.2   1.9   0.0
      3.|-- 217.20.44.194              0.0%    10    0.7   0.8   0.7   1.2   0.0
      4.|-- lonap.rtr1.lon.opendns.co  0.0%    10    1.2   1.1   0.9   1.4   0.0
      5.|-- resolver1.opendns.com      0.0%    10    1.0   0.9   0.8   1.0   0.0

And here is Linode's:

    # mtr --report 109.74.192.20
    Start: Sun Mar 22 15:32:30 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router2-lon.linode.com     0.0%    10    0.5   0.6   0.5   0.8   0.0
      2.|-- resolver1.london.linode.c  0.0%    10    0.4   0.4   0.3   0.8   0.0

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:06:33 +03:00
ae8937eb96 roles/nginx: Just enable OCSP
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:05:50 +03:00
9ce7ac72f9
roles/nginx: Add extra-security headers to PHP block
nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:32:06 +03:00
934db06887 roles/nginx: Add HTTP Strict Transport Security headers to PHP block
nginx blocks inherit headers set in blocks above them UNLESS the
current level also sets headers[0]. This was causing PHP requests
to not have STS headers because of the FastCGI cache header which
is set in that block.

[0] http://nginx.org/en/docs/http/ngx_http_headers_module.html

Fixes GitHub #7.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:30:26 +03:00
04e453df51 Revert "roles/nginx: Correct HSTS header in https template"
This reverts commit 5c7404d228.

'always' is legal in nginx >= 1.7.5:

If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.

See: http://nginx.org/en/docs/http/ngx_http_headers_module.html
2015-03-18 18:33:19 +03:00
5c7404d228
roles/nginx: Correct HSTS header in https template
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.

See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 10:20:55 +03:00
6422cb7507
roles/nginx: Switch nginx OCSP resolver to OpenDNS
We don't need to give Google EVERYTHING.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:06:22 +03:00
942f45834f
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-11 13:51:48 +03:00
3dcc5e1411
roles/nginx: Move some common fastcgi settings out of vhost template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-10 11:59:43 +03:00
2b02d94254
roles/nginx: Don't cache 404 errors in munin config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:32:09 +03:00
41f055306f
roles/nginx: Re-order $request_method in fastcgi_cache_key
Everyone else on the Internet has it this way, so why not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:18:02 +03:00
53d2c85bf0 roles/nginx: Adjust fastcgi_cache_valid
Only cache 200, 301, and 302 requests!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:23:48 +03:00
066bf6fa85
roles/nginx: Set gzip_comp_level to 6
Seems to be the sweet spot, as gzip itself defaults to this.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:21:34 +03:00
bb92bd080d
roles/nginx: Add $request_method to nginx fastcgi_cache_key
nginx is caching HEAD requests, then when users come along and do
a GET request they get an HTTP 200 with no request body. It seems
setting fastcgi_request_methods to GET doesn't stop nginx from caching
HEADs, so for now just add the $request_method to the key.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:19:34 +03:00
1174db87bc
roles/nginx: Add task to clone WordPress git
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:39:17 +03:00
d08a37526f
roles/nginx: Don't send OCSP responses for hosts using self-signed certs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:38:30 +03:00
cd65475d0d
roles/nginx: Add protection for PHP scripts in uploads directory
By the way, :? starts a non-capturing group (ie, don't save the
back references).

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:05:50 +03:00
29f7a76545
roles/nginx: Update location regex for PHP scripts
Just use the same one as the Nginx wiki and some other resources.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:40:38 +03:00
b93da27fde
roles/nginx: Create fastcgi cache dir
Or else nginx doesn't start.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-19 18:49:39 +03:00
0b90bad6a9
roles/nginx: Add fastcgi caching
Bypasses caching for logged in users (right now only for sessions
where the "wordpress_logged_in" cookie is set. Doubles the trans-
actions per second as measured by siege:

    $ siege -d1 -t1M -c50 https://mjanja.ch

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-10 23:04:28 +03:00
4ea152bf51
roles/nginx: Add HTTP headers for web application security
See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 13:05:42 +03:00