24a3724dfe
roles/nginx: Remove spdy_headers_comp
...
It was deprecated when nginx added support for HTTP/2.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-23 18:20:38 +03:00
8b77fd7f94
roles/nginx: Templatize SSL parameters using role defaults
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
7212b87f09
roles/nginx: Adjust HSTS headers for https block of vhost template
...
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:56:19 +03:00
bb55506464
roles/nginx: Use Linode DNS servers for OCSP resolvers
...
I didn't realize Linode had DNS resolvers, but they are much closer
than anything else (obviously).
Here is OpenDNS:
# mtr --report 208.67.222.222
Start: Sun Mar 22 15:31:50 2015
HOST: mjanja Loss% Snt Last Avg Best Wrst StDev
1.|-- router1-lon.linode.com 0.0% 10 0.5 0.9 0.5 3.4 0.7
2.|-- 212.111.33.233 0.0% 10 1.4 1.4 1.2 1.9 0.0
3.|-- 217.20.44.194 0.0% 10 0.7 0.8 0.7 1.2 0.0
4.|-- lonap.rtr1.lon.opendns.co 0.0% 10 1.2 1.1 0.9 1.4 0.0
5.|-- resolver1.opendns.com 0.0% 10 1.0 0.9 0.8 1.0 0.0
And here is Linode's:
# mtr --report 109.74.192.20
Start: Sun Mar 22 15:32:30 2015
HOST: mjanja Loss% Snt Last Avg Best Wrst StDev
1.|-- router2-lon.linode.com 0.0% 10 0.5 0.6 0.5 0.8 0.0
2.|-- resolver1.london.linode.c 0.0% 10 0.4 0.4 0.3 0.8 0.0
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:06:33 +03:00
ae8937eb96
roles/nginx: Just enable OCSP
...
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:05:50 +03:00
04e453df51
Revert "roles/nginx: Correct HSTS header in https template"
...
This reverts commit 5c7404d228http://nginx.org/en/docs/http/ngx_http_headers_module.html
2015-03-18 18:33:19 +03:00
5c7404d228
roles/nginx: Correct HSTS header in https template
...
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.
See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 10:20:55 +03:00
6422cb7507
roles/nginx: Switch nginx OCSP resolver to OpenDNS
...
We don't need to give Google EVERYTHING.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:06:22 +03:00
d08a37526f
roles/nginx: Don't send OCSP responses for hosts using self-signed certs
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:38:30 +03:00
0dc4d3f147
roles/nginx: Add a second OCSP stapling responder
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:44:27 +03:00
7457ac3b93
roles/nginx: Always set HSTS header
...
nginx 1.7.5 allows us to always set HTTP headers:
See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:40:48 +03:00
6ccfdb99fa
roles/nginx: Enable OCSP stapling
...
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5 .
Seems to be working, test with:
$ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status
Look for "OCSP Response" with "Cert Status: good".
[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 23:28:05 +03:00
f23f0713d2
roles/nginx: Enable SPDY header compression
...
Recommended by Ilya Grigorik to be set to 6.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:40:39 +03:00
15603ba9e8
roles/nginx: Disable SSL session tickets
...
Session tickets increase performance, but decrease security, so
let's just turn them off. See the following posts:
- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:37:00 +03:00
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours
...
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly. Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:19:12 +03:00
d8cd31049b
roles/nginx: Format and add comments to nginx https config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:17:52 +03:00
be6c76a2af
roles/nginx: Set nginx SSL buffer size to 1400
...
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU. nginx default is 16k!
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:16:07 +03:00
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-06 10:46:04 +03:00
e6ffdf8652
roles/nginx: Update nginx https stuff
...
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-13 23:16:54 +03:00
162197ad25
roles/nginx: Re-work vhost template to support HTTPS
...
Assumes you have a TLS cert for one domain, but not the others, ie:
http://blah.com \
http://blah.net -> https://blah.io
http://blah.org /
Otherwise, without https, it creates a vhost with all domain names.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 21:32:37 +03:00
