ansible-personal/roles/nginx/templates/blank-vhost.conf.j2
Alan Orth 151fb29687 roles/nginx: Add blank vhost
For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.

If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00

37 lines
1.3 KiB
Django/Jinja

# default blank vhost
#
# clients asking for "example.com" should only get a response if we have
# a vhost serving that domain.
server {
listen 80 default;
{% if nginx_tls_vhosts is defined %}
listen 443 ssl spdy default;
{% endif %}
server_name _;
{% if nginx_tls_vhosts is defined %}
# "snakeoil" certificate (self signed!)
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }};
ssl_buffer_size {{ nginx_ssl_buffer_size }};
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% endif %}
return 403;
}