nginx: Reworked global ssl and https configuration

6 years ago · 01fafa5ca1
parent c2bd392675
commit 01fafa5ca1
7 changed files with 24 additions and 13 deletions
--- a/roles/nginx/application/defaults/main.yml
+++ b/roles/nginx/application/defaults/main.yml
@ -6,6 +6,7 @@ nginx_installation_directory: "/etc/nginx"
 nginx_upstreams_directory: "{{ nginx_installation_directory }}/upstreams"
 nginx_sites_directory: "{{ nginx_installation_directory }}/sites"
 nginx_streams_directory: "{{ nginx_installation_directory }}/streams"
+nginx_snippets_directory: "{{ nginx_installation_directory }}/snippets"

 nginx_global_log_directory: "/var/log/nginx"
 nginx_global_access_log: "{{ nginx_global_log_directory }}/access.log"
--- a/roles/nginx/application/tasks/main.yml
+++ b/roles/nginx/application/tasks/main.yml
@ -23,6 +23,16 @@
    - "{{ nginx_upstreams_directory }}"
    - "{{ nginx_sites_directory }}"
    - "{{ nginx_streams_directory }}"
+    - "{{ nginx_snippets_directory }}"
+
+- name: Upload snippets to nginx
+  copy:
+    src: "{{ item }}.conf"
+    dest: "{{ nginx_snippets_directory }}/{{ item }}.conf"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+  with_items: "{{ nginx_snippets }}"

 - name: Enable nginx service
  systemd:
--- a/roles/nginx/application/templates/https.conf
+++ b/roles/nginx/application/templates/https.conf
@ -0,0 +1,3 @@
+include {{ nginx_snippets_directory }}/ssl.conf;
+add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload;'; # default max age: 2592000 = 30 * 24 * 60 * 60s
+add_header 'Referrer-Policy' 'same-origin';
--- a/roles/nginx/application/templates/ssl.conf
+++ b/roles/nginx/application/templates/ssl.conf
@ -0,0 +1,5 @@
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
--- a/roles/nginx/application/vars/main.yml
+++ b/roles/nginx/application/vars/main.yml
@ -4,14 +4,6 @@ nginx_unnecessary_files:
  - sites-available
  - sites-enabled

-nginx_ssl_configuration: |
-  ssl_protocols TLSv1.2;
-  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-  ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-
-nginx_https_configuration: |
-  {{ nginx_ssl_configuration }}
-  add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload;'; # default max age: 2592000 = 30 * 24 * 60 * 60s
-  add_header 'Referrer-Policy' 'same-origin';
+nginx_snippets:
+  - https
+  - ssl
--- a/roles/nginx/forward/templates/forward.conf
+++ b/roles/nginx/forward/templates/forward.conf
@ -7,7 +7,7 @@ server {
  ssl_certificate {{ acme_certificate_location }};
  ssl_certificate_key {{ acme_key_location }};

-  {{ nginx_https_configuration }}
+  include {{ nginx_snippets_directory }}/https;

  redirect 301 https://{{ destination }}$request_uri;
 }
--- a/roles/nginx/mail_proxy/templates/mail_proxy.conf
+++ b/roles/nginx/mail_proxy/templates/mail_proxy.conf
@ -11,6 +11,6 @@ server {
  ssl_certificate {{ acme_certificate_location }};
  ssl_certificate_key {{ acme_key_location }};

-  {{ nginx_ssl_configuration }}
+  include {{ nginx_snippets_directory }}/ssl;

 }