ansible-personal/roles/nginx/templates/https.j2
Alan Orth 48978407b8
roles/nginx: Move HTTP Strict Transport Security toggle to vhosts
This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dang-
erous, so unless a vhost explicitly sets it to "yes" we shouldn't
enable it.

Note: also switch from using a boolean to using a string; it is st-
ill declarative, but at least now I don't have to guess whether it
is being treated as a bool or not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:24:58 +03:00

39 lines
1.7 KiB
Django/Jinja

{% set domain_name = item.nginx_domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
# concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }};
ssl_buffer_size {{ nginx_ssl_buffer_size }};
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
# OCSP stapling...
ssl_stapling on;
ssl_stapling_verify on;
resolver 109.74.192.20 109.74.193.20;
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == "yes" %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
{% endif %}