ansible-personal/roles/nginx/templates/https.j2
Alan Orth 27a4abfcfd
roles/nginx: Add comments about defaults in templates
It would be better to set these defaults in the role's defaults, but
we can't because they exist in dicts for each of the host's sites.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:29:33 +02:00


{# helper variables and per-site defaults that we can't set in role defaults #}
{# (each site is a dict in the host's vars, so the role's defaults/main.yml cannot reach them) #}
{% set domain_name = item.nginx_domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{# NOTE(review): the check further down compares against the *string* "yes". An unquoted YAML
   `yes` is loaded as the boolean True and would not match, silently leaving HSTS off -- confirm
   the site dicts quote the value (or consider Ansible's `bool` filter instead of a string compare). #}
{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
{# use self-signed certs? yes on development, no on production #}
{# NOTE(review): same string-vs-boolean caveat as enable_hsts; here a mismatch falls through to
   the real-certificate branch, which is the safe direction. #}
{% set use_snakeoil_cert = item.use_snakeoil_cert | default("no") %}
{# better to check for "not yes" than "no": anything other than an explicit "yes" gets the real cert #}
{% if use_snakeoil_cert != "yes" %}
# certificate chain file (server cert + intermediates, going by the name); the private key is a separate file
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ tls_key_dir }}/{{ domain_name }}/fullchain.pem;
ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}/privkey.pem;
{% else %}
# "snakeoil" certificate (self signed!) -- development only, clients will not trust it
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
{% endif %}
# the following are plain role variables (not per-site), presumably from the role's defaults
ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }};
ssl_buffer_size {{ nginx_ssl_buffer_size }};
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers "{{ tls_cipher_suite }}";
# let the server's cipher order win over the client's preference
ssl_prefer_server_ciphers on;
{# OCSP stapling only works with real certs #}
{% if use_snakeoil_cert != "yes" %}
# OCSP stapling...
ssl_stapling on;
# NOTE(review): nginx documents that ssl_stapling_verify needs the issuer/root chain configured
# via ssl_trusted_certificate; none is set here, so confirm stapled responses are actually verified.
ssl_stapling_verify on;
# resolver used to reach the OCSP responder (plain, unauthenticated DNS)
{% if linode_id is defined %}
# use Linode internal DNS
resolver 109.74.192.20 109.74.193.20;
{% else %}
# fall back to Google public DNS on non-Linode hosts
resolver 8.8.8.8 8.8.4.4;
{% endif %} {# end: linode_id #}
{% endif %} {# end: use_snakeoil_cert #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == "yes" %}
# Enable this if you want HSTS (recommended, but be careful: includeSubDomains commits every
# subdomain to HTTPS for max-age, and a preload listing is very hard to undo)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
# NOTE(review): the preload list's minimum max-age has been raised since this was written
# (currently one year, 31536000); check the current requirements before submitting.
# "always" sends the header on error responses as well (nginx >= 1.7.5)
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
{% endif %}