nginx: Reworked global ssl and https configuration

wip
Felix Stupp 6 years ago
parent c2bd392675
commit 01fafa5ca1
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -6,6 +6,7 @@ nginx_installation_directory: "/etc/nginx"
nginx_upstreams_directory: "{{ nginx_installation_directory }}/upstreams" nginx_upstreams_directory: "{{ nginx_installation_directory }}/upstreams"
nginx_sites_directory: "{{ nginx_installation_directory }}/sites" nginx_sites_directory: "{{ nginx_installation_directory }}/sites"
nginx_streams_directory: "{{ nginx_installation_directory }}/streams" nginx_streams_directory: "{{ nginx_installation_directory }}/streams"
nginx_snippets_directory: "{{ nginx_installation_directory }}/snippets"
nginx_global_log_directory: "/var/log/nginx" nginx_global_log_directory: "/var/log/nginx"
nginx_global_access_log: "{{ nginx_global_log_directory }}/access.log" nginx_global_access_log: "{{ nginx_global_log_directory }}/access.log"

@ -23,6 +23,16 @@
- "{{ nginx_upstreams_directory }}" - "{{ nginx_upstreams_directory }}"
- "{{ nginx_sites_directory }}" - "{{ nginx_sites_directory }}"
- "{{ nginx_streams_directory }}" - "{{ nginx_streams_directory }}"
- "{{ nginx_snippets_directory }}"
- name: Upload snippets to nginx
copy:
src: "{{ item }}.conf"
dest: "{{ nginx_snippets_directory }}/{{ item }}.conf"
owner: root
group: root
mode: "u=rw,g=r,o=r"
with_items: "{{ nginx_snippets }}"
- name: Enable nginx service - name: Enable nginx service
systemd: systemd:
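Review bot: The new `Upload snippets to nginx` task uses `copy:`, which does not render Jinja, yet the https snippet it uploads (the `@ -0,0 +1,3` hunk below) contains `include {{ nginx_snippets_directory }}/ssl.conf;`, so nginx would receive the literal braces and fail its configuration test. Change `copy:` to `template:` with the same `src`/`dest`, or write the snippet with a path that needs no expansion. The task also carries no `notify`, so a changed snippet is not applied until nginx is reloaded by some other task; if a reload handler exists outside this hunk, add `notify: <reload handler name>` here. The `Enable nginx service` task that follows continues outside the hunk.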

@ -0,0 +1,3 @@
include {{ nginx_snippets_directory }}/ssl.conf;
add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload;'; # default max age: 2592000 = 30 * 24 * 60 * 60s
add_header 'Referrer-Policy' 'same-origin';
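Review bot: The HSTS value on the previous line carries `preload` together with `max-age=15768000`, but the browser preload list currently requires a max-age of at least 31536000 (one year), so a submission with this value would be rejected, while the token still signals an intent that is hard to reverse once accepted; either raise it to `max-age=31536000` or drop `preload` until every subdomain is ready to be HTTPS-only. nginx `add_header` directives are not inherited into a `location` (or nested `server`) block that declares any `add_header` of its own, so both headers silently vanish from such blocks; a comment such as `# add_header is not inherited where a block sets its own add_header; repeat or re-include there` would save the next maintainer a surprise. The inline comment `default max age: 2592000` is presumably a previous value rather than an nginx or RFC default and should say what it refers to or be dropped. The trailing `;` inside the quoted HSTS value is tolerated by parsers but unconventional.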

@ -0,0 +1,5 @@
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
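Review bot: `ssl_session_tickets` is left at its default of `on` in this snippet, so nginx encrypts resumption tickets with a key generated at startup and replaced only on restart, which weakens the forward secrecy that the ECDHE-only cipher list on the second line is selecting for; add `ssl_session_tickets off;` after `ssl_session_timeout 10m;` (or configure `ssl_session_ticket_key` with a rotated key). `ssl_protocols TLSv1.2;` also excludes TLSv1.3; if the target nginx and OpenSSL builds support it, `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting, noting that `ssl_ciphers` as written does not govern the TLSv1.3 suites. A header comment naming the source of the cipher list (it resembles a Mozilla intermediate-style profile) and the date it was last reviewed would make future updates easier.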

@ -4,14 +4,6 @@ nginx_unnecessary_files:
- sites-available - sites-available
- sites-enabled - sites-enabled
nginx_ssl_configuration: | nginx_snippets:
ssl_protocols TLSv1.2; - https
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
nginx_https_configuration: |
{{ nginx_ssl_configuration }}
add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload;'; # default max age: 2592000 = 30 * 24 * 60 * 60s
add_header 'Referrer-Policy' 'same-origin';

@ -7,7 +7,7 @@ server {
ssl_certificate {{ acme_certificate_location }}; ssl_certificate {{ acme_certificate_location }};
ssl_certificate_key {{ acme_key_location }}; ssl_certificate_key {{ acme_key_location }};
{{ nginx_https_configuration }} include {{ nginx_snippets_directory }}/https;
redirect 301 https://{{ destination }}$request_uri; redirect 301 https://{{ destination }}$request_uri;
} }
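Review bot: `include {{ nginx_snippets_directory }}/https;` on the new side omits the `.conf` suffix, but the upload task writes the snippet as `https.conf` (and the https snippet itself includes `ssl.conf` with the suffix), so `nginx -t` will report the included file as missing; change it to `include {{ nginx_snippets_directory }}/https.conf;`. The same applies to `include {{ nginx_snippets_directory }}/ssl;` in the `@ -11,6 +11,6` hunk that follows. Separately, the unchanged context line `redirect 301 https://{{ destination }}$request_uri;` is not an nginx directive (`return 301 …` is), which predates this commit but means this template cannot pass a config test either way. Both `server` blocks begin outside their hunks.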

@ -11,6 +11,6 @@ server {
ssl_certificate {{ acme_certificate_location }}; ssl_certificate {{ acme_certificate_location }};
ssl_certificate_key {{ acme_key_location }}; ssl_certificate_key {{ acme_key_location }};
{{ nginx_ssl_configuration }} include {{ nginx_snippets_directory }}/ssl;
} }
