Harden nginx ssl/tls config

According to https://ssl-config.mozilla.org/
2024-04-19 00:20:46 +02:00 · 2024-04-19 00:20:46 +02:00 · a03e50c933
commit a03e50c933
parent f231fb75b0
9 changed files with 99 additions and 68 deletions
--- a/roles/authelia-and-nginx/templates/conf.j2
+++ b/roles/authelia-and-nginx/templates/conf.j2
@ -1,21 +1,22 @@
 server {
 	server_name {{var_authelia_and_nginx_domain}};
-	
+
 	listen [::]:80;
 	listen 80;
-	
+
 	return 301 https://$server_name$request_uri;
 }
 server {
 	server_name {{var_authelia_and_nginx_domain}};
-	
+
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
-	
+
 	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
-	
+	include /etc/nginx/ssl-hardening.conf;
 	location / {
 		## Headers
 		proxy_set_header Host $host;
@ -52,10 +53,10 @@ server {
 		proxy_read_timeout 360;
 		proxy_send_timeout 360;
 		proxy_connect_timeout 360;
-		
+
 		proxy_pass http://localhost:9091;
 	}
-	
+
 	location /api/verify {
 		proxy_pass http://localhost:9091;
 	}
--- a/roles/dokuwiki-and-nginx/templates/conf.j2
+++ b/roles/dokuwiki-and-nginx/templates/conf.j2
@ -4,45 +4,44 @@ server {
 	server_name {{var_dokuwiki_and_nginx_domain}};
 	return 301 https://$server_name$request_uri;
 }
- 
+
 server {
 	listen [::]:443 ssl;
 	listen 443 ssl;
-	
+
 	server_name {{var_dokuwiki_and_nginx_domain}};
-	
+
 {% if var_dokuwiki_and_nginx_tls_enable %}
 	ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
-	ssl_session_timeout 5m;
+	include /etc/nginx/ssl-hardening.conf;
 	ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
 {% endif %}
-	
+
 	# Maximum file upload size is 4MB - change accordingly if needed
 	client_max_body_size 4M;
 	client_body_buffer_size 128k;
-	
+
 	root {{var_dokuwiki_and_nginx_directory}};
 	index doku.php;
-	
+
 	#Remember to comment the below out when you're installing, and uncomment it when done.
 	location ~ /(conf/|bin/|inc/|vendor/|install.php) {
 		deny all;
 	}
-	
+
 	#Support for X-Accel-Redirect
 	location ~ ^/data/ {
 		internal;
 	}
-	
+
 	location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ {
 		expires 365d;
 	}
-	
+
 	location / {
 		try_files $uri $uri/ @dokuwiki;
 	}
-	
+
 	location @dokuwiki {
 		# rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
 		rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
@ -50,7 +49,7 @@ server {
 		rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
 		rewrite ^/(.*) /doku.php?id=$1&$args last;
 	}
-	
+
 	location ~ \.php$ {
 		try_files $uri $uri/ /doku.php;
 		include fastcgi_params;
--- a/roles/element-and-nginx/templates/conf.j2
+++ b/roles/element-and-nginx/templates/conf.j2
@ -3,11 +3,12 @@ server {
 	listen [::]:80;
 	listen 443 ssl;
 	listen [::]:443 ssl;
-	
+
 	server_name {{var_element_and_nginx_domain}};
-	
+
 	ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
-	
+	include /etc/nginx/ssl-hardening.conf;
 	root {{var_element_and_nginx_path}};
 }
--- a/roles/gitlab-and-nginx/templates/conf.j2
+++ b/roles/gitlab-and-nginx/templates/conf.j2
@ -32,12 +32,12 @@ map $http_referer $gitlab_ssl_filtered_http_referer {
 server {
 	listen 80 default_server;
 	listen [::]:80 ipv6only=on default_server;
-	
+
 	server_name {{var_gitlab_and_nginx_domain}};
 	server_tokens off;
-	
+
 	return 301 https://$http_host$request_uri;
-	
+
 	access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
 	error_log /var/log/nginx/gitlab_error.log;
 }
@ -45,61 +45,47 @@ server {
 server {
 	listen 0.0.0.0:443 ssl http2;
 	listen [::]:443 ipv6only=on ssl http2 default_server;
-	
+
 	server_name {{var_gitlab_and_nginx_domain}};
 	server_tokens off;
-	
+
 	ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
-	
+	include /etc/nginx/ssl-hardening.conf;
-	ssl_session_timeout 1d;
+
 	ssl_session_cache shared:SSL:10m;
 	ssl_session_tickets off;
 	ssl_protocols TLSv1.3;
 	ssl_prefer_server_ciphers off;
 	# ssl_stapling on;
 	# ssl_stapling_verify on;
 	# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
 	# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
 	# resolver_timeout 5s;
 	# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 	real_ip_header X-Real-IP;
 	real_ip_recursive off;
-	
+
 	access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
 	error_log /var/log/nginx/gitlab_error.log;
-	
+
 	location / {
 		client_max_body_size 0;
 		gzip off;
-		
+
 		proxy_read_timeout 300;
 		proxy_connect_timeout 300;
 		proxy_redirect off;
-		
+
 		proxy_http_version 1.1;
-		
+
 		proxy_set_header Host $http_host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection $connection_upgrade_gitlab;
-		
+
 		# proxy_pass http://gitlab-workhorse;
 		proxy_pass http://localhost:8080;
 	}
-	
+
 	error_page 404 /404.html;
 	error_page 422 /422.html;
 	error_page 500 /500.html;
 	error_page 502 /502.html;
 	error_page 503 /503.html;
-	
+
 	location ~ ^/(404|422|500|502|503)\.html$ {
 		root /home/git/gitlab/public;
 		internal;
--- a/roles/hedgedoc-and-nginx/templates/conf.j2
+++ b/roles/hedgedoc-and-nginx/templates/conf.j2
@ -5,26 +5,27 @@ map $http_upgrade $connection_upgrade {
 server {
 	server_name {{var_hedgedoc_and_nginx_domain}};
-	
+
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
-	
+
 	ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
-	
+	include /etc/nginx/ssl-hardening.conf;
 	location / {
 		proxy_pass http://localhost:3000;
-		proxy_set_header Host $host; 
+		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr; 
+		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
-	
+
 	location /socket.io/ {
 		proxy_pass http://localhost:3000;
-		proxy_set_header Host $host; 
+		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr; 
+		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection $connection_upgrade;
--- a/roles/nginx/files/dhparam
+++ b/roles/nginx/files/dhparam
@ -0,0 +1,8 @@
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
 +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
 YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
 ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 -----END DH PARAMETERS-----
--- a/roles/nginx/files/ssl-hardening.conf
+++ b/roles/nginx/files/ssl-hardening.conf
@ -0,0 +1,18 @@
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
 ssl_session_tickets off;
 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
 ssl_dhparam /etc/nginx/dhparam;
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
 # HSTS (ngx_http_headers_module is required) (63072000 seconds)
 add_header Strict-Transport-Security "max-age=63072000" always;
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@ -9,6 +9,22 @@
 			]
 		}
 	},
 	{
 		"name": "place dhparams file",
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "dhparam",
 			"dest": "/etc/nginx/dhparam"
 		}
 	},
 	{
 		"name": "place hardening config",
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "ssl-hardening.conf",
 			"dest": "/etc/nginx/ssl-hardening.conf"
 		}
 	},
 	{
 		"name": "restart service",
 		"become": true,
--- a/roles/synapse-and-nginx/templates/conf.j2
+++ b/roles/synapse-and-nginx/templates/conf.j2
@ -3,24 +3,25 @@ server {
 	listen [::]:80;
 	listen 443 ssl;
 	listen [::]:443 ssl;
-	
+
 	## For the federation port
 	listen 8448 ssl http2 default_server;
 	listen [::]:8448 ssl http2 default_server;
-	
+
 	server_name {{var_synapse_and_nginx_domain}};
-	
+
 	ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
-    
+	include /etc/nginx/ssl-hardening.conf;
 	location ~ ^(/_matrix|/_synapse/client) {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header Host $host;
-		
+
 		client_max_body_size 50M;
-		
+
 		proxy_http_version 1.1;
 	}
 }