misc/ansible-base
0
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Harden nginx ssl/tls config

Browse source 
According to https://ssl-config.mozilla.org/
This commit is contained in:
Marius Melzer 2024-04-19 00:20:46 +02:00
parent f231fb75b0
commit a03e50c933
9 changed files with 99 additions and 68 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
roles/authelia-and-nginx/templates/conf.j2
View file

@ -15,6 +15,7 @@ server {
ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
location / { location / {
## Headers ## Headers

3
roles/dokuwiki-and-nginx/templates/conf.j2
View file

@ -14,8 +14,7 @@ server {
{% if var_dokuwiki_and_nginx_tls_enable %} {% if var_dokuwiki_and_nginx_tls_enable %}
ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
ssl_session_timeout 5m; include /etc/nginx/ssl-hardening.conf;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
{% endif %} {% endif %}
# Maximum file upload size is 4MB - change accordingly if needed # Maximum file upload size is 4MB - change accordingly if needed

1
roles/element-and-nginx/templates/conf.j2
View file

@ -8,6 +8,7 @@ server {
ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
root {{var_element_and_nginx_path}}; root {{var_element_and_nginx_path}};
} }

16
roles/gitlab-and-nginx/templates/conf.j2
View file

@ -51,21 +51,7 @@ server {
ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
# resolver_timeout 5s;
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
real_ip_header X-Real-IP; real_ip_header X-Real-IP;
real_ip_recursive off; real_ip_recursive off;

1
roles/hedgedoc-and-nginx/templates/conf.j2
View file

@ -11,6 +11,7 @@ server {
ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
location / { location / {
proxy_pass http://localhost:3000; proxy_pass http://localhost:3000;

8
roles/nginx/files/dhparam Normal file
View file

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----

18
roles/nginx/files/ssl-hardening.conf Normal file
View file

@ -0,0 +1,18 @@
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /etc/nginx/dhparam;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

16
roles/nginx/tasks/main.json
View file

@ -9,6 +9,22 @@
] ]
} }
}, },
{
"name": "place dhparams file",
"become": true,
"ansible.builtin.copy": {
"src": "dhparam",
"dest": "/etc/nginx/dhparam"
}
},
{
"name": "place hardening config",
"become": true,
"ansible.builtin.copy": {
"src": "ssl-hardening.conf",
"dest": "/etc/nginx/ssl-hardening.conf"
}
},
{ {
"name": "restart service", "name": "restart service",
"become": true, "become": true,

1
roles/synapse-and-nginx/templates/conf.j2
View file

@ -12,6 +12,7 @@ server {
ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
location ~ ^(/_matrix|/_synapse/client) { location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://localhost:8008; proxy_pass http://localhost:8008;