diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index bd0cbeb..8649a39 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -1,21 +1,22 @@ server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:80; listen 80; - + return 301 https://$server_name$request_uri; } server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location / { ## Headers proxy_set_header Host $host; @@ -52,10 +53,10 @@ server { proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; - + proxy_pass http://localhost:9091; } - + location /api/verify { proxy_pass http://localhost:9091; } diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index cd9c68d..90278d0 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -4,45 +4,44 @@ server { server_name {{var_dokuwiki_and_nginx_domain}}; return 301 https://$server_name$request_uri; } - + server { listen [::]:443 ssl; listen 443 ssl; - + server_name {{var_dokuwiki_and_nginx_domain}}; - + {% if var_dokuwiki_and_nginx_tls_enable %} ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; - ssl_session_timeout 5m; - ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; + include /etc/nginx/ssl-hardening.conf; {% endif %} - + # Maximum file upload size is 4MB - change accordingly if needed client_max_body_size 4M; client_body_buffer_size 128k; - + root {{var_dokuwiki_and_nginx_directory}}; index doku.php; - + #Remember to comment the below out when you're installing, and uncomment it when done. location ~ /(conf/|bin/|inc/|vendor/|install.php) { deny all; } - + #Support for X-Accel-Redirect location ~ ^/data/ { internal; } - + location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ { expires 365d; } - + location / { try_files $uri $uri/ @dokuwiki; } - + location @dokuwiki { # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; @@ -50,7 +49,7 @@ server { rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; rewrite ^/(.*) /doku.php?id=$1&$args last; } - + location ~ \.php$ { try_files $uri $uri/ /doku.php; include fastcgi_params; diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 312df8b..cec8475 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -3,11 +3,12 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + server_name {{var_element_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + root {{var_element_and_nginx_path}}; } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index eabfcb9..c6430f6 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -32,12 +32,12 @@ map $http_referer $gitlab_ssl_filtered_http_referer { server { listen 80 default_server; listen [::]:80 ipv6only=on default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + return 301 https://$http_host$request_uri; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; } @@ -45,61 +45,47 @@ server { server { listen 0.0.0.0:443 ssl http2; listen [::]:443 ipv6only=on ssl http2 default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired - # resolver_timeout 5s; - - # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; - + include /etc/nginx/ssl-hardening.conf; + real_ip_header X-Real-IP; real_ip_recursive off; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; - + location / { client_max_body_size 0; gzip off; - + proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; - + proxy_http_version 1.1; - + proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_gitlab; - + # proxy_pass http://gitlab-workhorse; proxy_pass http://localhost:8080; } - + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; error_page 502 /502.html; error_page 503 /503.html; - + location ~ ^/(404|422|500|502|503)\.html$ { root /home/git/gitlab/public; internal; diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 0760df4..19723d1 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -5,26 +5,27 @@ map $http_upgrade $connection_upgrade { server { server_name {{var_hedgedoc_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location / { proxy_pass http://localhost:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } - + location /socket.io/ { proxy_pass http://localhost:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; diff --git a/roles/nginx/files/dhparam b/roles/nginx/files/dhparam new file mode 100644 index 0000000..9b182b7 --- /dev/null +++ b/roles/nginx/files/dhparam @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx/files/ssl-hardening.conf b/roles/nginx/files/ssl-hardening.conf new file mode 100644 index 0000000..1d5f5f4 --- /dev/null +++ b/roles/nginx/files/ssl-hardening.conf @@ -0,0 +1,18 @@ +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions +ssl_session_tickets off; + +# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam +ssl_dhparam /etc/nginx/dhparam; + +# intermediate configuration +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; +ssl_prefer_server_ciphers off; + +# HSTS (ngx_http_headers_module is required) (63072000 seconds) +add_header Strict-Transport-Security "max-age=63072000" always; + +# OCSP stapling +ssl_stapling on; +ssl_stapling_verify on; diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index c8e2b40..2d9e9ed 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -9,6 +9,22 @@ ] } }, + { + "name": "place dhparams file", + "become": true, + "ansible.builtin.copy": { + "src": "dhparam", + "dest": "/etc/nginx/dhparam" + } + }, + { + "name": "place hardening config", + "become": true, + "ansible.builtin.copy": { + "src": "ssl-hardening.conf", + "dest": "/etc/nginx/ssl-hardening.conf" + } + }, { "name": "restart service", "become": true, diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index b9b94c6..a8ba62b 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -3,24 +3,25 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + ## For the federation port listen 8448 ssl http2 default_server; listen [::]:8448 ssl http2 default_server; - + server_name {{var_synapse_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - + client_max_body_size 50M; - + proxy_http_version 1.1; } }