diff --git a/roles/nginx/application/defaults/main.yml b/roles/nginx/application/defaults/main.yml
index 786a4a9..a3a88a5 100644
--- a/roles/nginx/application/defaults/main.yml
+++ b/roles/nginx/application/defaults/main.yml
@@ -6,6 +6,7 @@ nginx_installation_directory: "/etc/nginx"
 nginx_upstreams_directory: "{{ nginx_installation_directory }}/upstreams"
 nginx_sites_directory: "{{ nginx_installation_directory }}/sites"
 nginx_streams_directory: "{{ nginx_installation_directory }}/streams"
+nginx_snippets_directory: "{{ nginx_installation_directory }}/snippets"
 nginx_global_log_directory: "/var/log/nginx"
 nginx_global_access_log: "{{ nginx_global_log_directory }}/access.log"
diff --git a/roles/nginx/application/tasks/main.yml b/roles/nginx/application/tasks/main.yml
index 2178dd8..6380d3c 100644
--- a/roles/nginx/application/tasks/main.yml
+++ b/roles/nginx/application/tasks/main.yml
@@ -23,6 +23,16 @@
 - "{{ nginx_upstreams_directory }}"
 - "{{ nginx_sites_directory }}"
 - "{{ nginx_streams_directory }}"
+ - "{{ nginx_snippets_directory }}"
+
+- name: Upload snippets to nginx
+ copy:
+ src: "{{ item }}.conf"
+ dest: "{{ nginx_snippets_directory }}/{{ item }}.conf"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ with_items: "{{ nginx_snippets }}"
 - name: Enable nginx service
 systemd:
diff --git a/roles/nginx/application/templates/https.conf b/roles/nginx/application/templates/https.conf
new file mode 100644
index 0000000..b57e2d4
--- /dev/null
+++ b/roles/nginx/application/templates/https.conf
@@ -0,0 +1,3 @@
+include {{ nginx_snippets_directory }}/ssl.conf;
+add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload;'; # default max age: 2592000 = 30 * 24 * 60 * 60s
+add_header 'Referrer-Policy' 'same-origin';
diff --git a/roles/nginx/application/templates/ssl.conf b/roles/nginx/application/templates/ssl.conf
new file mode 100644
index 0000000..0d3e57c
--- /dev/null
+++ b/roles/nginx/application/templates/ssl.conf
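Review bot: The new `Upload snippets to nginx` task uses `copy:` with `src: "{{ item }}.conf"`, which resolves against the role's `files/` directory and copies bytes verbatim, but the snippet files this commit adds live under `templates/`, and `https.conf` contains a `{{ nginx_snippets_directory }}` expression that only the `template` module renders; as written the task either fails to find its source or, if the files are moved, ships an unrendered include path into the nginx config. Change `copy:` to `template:` (its `src` then resolves against `templates/`). The task also has no `notify:`, so a changed snippet lands on disk without nginx re-reading it; if the role has a reload handler, notify it here. The directory-creation task whose item list this hunk extends starts outside the hunk.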
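Review bot: The trailing comment on the Strict-Transport-Security line, `# default max age: 2592000 = 30 * 24 * 60 * 60s`, does not describe this file: HSTS has no default max-age and 2592000 is unrelated to the configured 15768000, so it misleads the next reader. The configured value is roughly six months while the header carries `preload`, and the HSTS preload list requires a max-age of at least 31536000 (one year), so either raise it to `max-age=31536000` once the domain is ready for preloading or drop `preload` until then. Replace the comment with `# 15768000 s = 182.5 days; preload submission requires max-age >= 31536000`. Note also that nginx does not inherit `add_header` into a `server` or `location` block that declares its own `add_header`, so a consumer of this snippet that adds a header in a nested block silently loses both of these; a one-line comment at the top of the snippet saying so would save a future debugging session.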
@@ -0,0 +1,5 @@
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
diff --git a/roles/nginx/application/vars/main.yml b/roles/nginx/application/vars/main.yml
index 86e9dd6..0f8ab5a 100644
--- a/roles/nginx/application/vars/main.yml
+++ b/roles/nginx/application/vars/main.yml
@@ -4,14 +4,6 @@ nginx_unnecessary_files:
 - sites-available
 - sites-enabled
-nginx_ssl_configuration: |
- ssl_protocols TLSv1.2;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
-
-nginx_https_configuration: |
- {{ nginx_ssl_configuration }}
- add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload;'; # default max age: 2592000 = 30 * 24 * 60 * 60s
- add_header 'Referrer-Policy' 'same-origin';
+nginx_snippets:
+ - https
+ - ssl
diff --git a/roles/nginx/forward/templates/forward.conf b/roles/nginx/forward/templates/forward.conf
index 3bfc116..96e5fce 100644
--- a/roles/nginx/forward/templates/forward.conf
+++ b/roles/nginx/forward/templates/forward.conf
@@ -7,7 +7,7 @@ server {
 ssl_certificate {{ acme_certificate_location }};
 ssl_certificate_key {{ acme_key_location }};
- {{ nginx_https_configuration }}
+ include {{ nginx_snippets_directory }}/https;
 redirect 301 https://{{ destination }}$request_uri;
 }
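Review bot: The snippet configures the shared session cache but leaves `ssl_session_tickets` at the nginx default of on without an `ssl_session_ticket_key`, so nginx encrypts resumption tickets with a key generated when the configuration is loaded and not rotated until the next reload; a later compromise of that key exposes recorded sessions, which undercuts the forward secrecy the ECDHE-only cipher list is there to provide. Add `ssl_session_tickets off;` after the `ssl_session_timeout` line, or, if tickets are needed for resumption across nodes, configure a regularly rotated `ssl_session_ticket_key` instead. `ssl_protocols TLSv1.2;` also excludes TLS 1.3; whether the target nginx and OpenSSL builds support it is not visible in this diff, but if they do, `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting.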
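Review bot: `include {{ nginx_snippets_directory }}/https;` names a file that the upload task never creates: the task writes `{{ item }}.conf`, so the file on disk is `https.conf`, and nginx will reject the configuration at `nginx -t` or reload with a file-not-found error. `https.conf` itself already includes `ssl.conf` with the extension, so the fix is `include {{ nginx_snippets_directory }}/https.conf;`. The same mismatch is in mail_proxy.conf, where `include {{ nginx_snippets_directory }}/ssl;` should read `include {{ nginx_snippets_directory }}/ssl.conf;`. The enclosing `server` block starts before the hunk; the pre-existing `redirect 301 ...` context line does not appear to be an nginx directive (`return 301 ...` is), so the configuration test would still fail with the include fixed — outside this commit's scope but worth a follow-up.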
diff --git a/roles/nginx/mail_proxy/templates/mail_proxy.conf b/roles/nginx/mail_proxy/templates/mail_proxy.conf
index fc74421..4702d86 100644
--- a/roles/nginx/mail_proxy/templates/mail_proxy.conf
+++ b/roles/nginx/mail_proxy/templates/mail_proxy.conf
@@ -11,6 +11,6 @@ server {
 ssl_certificate {{ acme_certificate_location }};
 ssl_certificate_key {{ acme_key_location }};
- {{ nginx_ssl_configuration }}
+ include {{ nginx_snippets_directory }}/ssl;
 }