{# helper variables and per-site defaults that we can't set in role defaults #} {% set domain_name = item.domain_name %} {# assume HSTS is off unless a vhost explicitly sets it to "yes" #} {% set enable_hsts = item.enable_hsts | default("no") %} {# first, check if the current vhost has a custom cert (perhaps self-signed) #} {% if item.tls_certificate_path is defined and item.tls_key_path is defined %} # concatenated key + cert # See: http://nginx.org/en/docs/http/configuring_https_servers.html ssl_certificate {{ item.tls_certificate_path }}; ssl_certificate_key {{ item.tls_key_path }}; {# otherwise, assume host is using letsencrypt #} {% else %} # concatenated key + cert # See: http://nginx.org/en/docs/http/configuring_https_servers.html ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem; ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem; {% endif %} ssl_session_timeout {{ nginx_ssl_session_timeout }}; ssl_session_cache {{ nginx_ssl_session_cache }}; ssl_buffer_size {{ nginx_ssl_buffer_size }}; ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_protocols {{ nginx_ssl_protocols }}; ssl_ciphers "{{ tls_cipher_suite }}"; ssl_prefer_server_ciphers on; {# OSCP stapling only works with real certs #} {% if use_letsencrypt == "yes" or item.tls_certificate_path %} # OCSP stapling... ssl_stapling on; ssl_stapling_verify on; {% if linode_id is defined %} # use Linode internal DNS resolver 139.162.139.5 139.162.130.5 [2a01:7e01::5] [2a01:7e01::6]; {% else %} resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8844] [2001:4860:4860::8888]; {% endif %} {# end: linode_id #} {% endif %} {# end: use_letsencrypt #} # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and # when a restart is performed the previous key is lost, which resets all previous # sessions. The fix for this is to setup a manual rotation mechanism: # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx # # Note that you'll have to define and rotate the keys securely by yourself. In absence # of such infrastructure, consider turning off session tickets: ssl_session_tickets off; {% if enable_hsts == "yes" %} # Enable this if you want HSTS (recommended, but be careful) # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # See: https://hstspreload.appspot.com/ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; {% endif %}