Harden nginx ssl/tls config

According to https://ssl-config.mozilla.org/
2024-04-19 00:20:46 +02:00 · 2024-04-19 00:20:46 +02:00 · a03e50c933
commit a03e50c933
parent f231fb75b0
9 changed files with 99 additions and 68 deletions
--- a/roles/authelia-and-nginx/templates/conf.j2
+++ b/roles/authelia-and-nginx/templates/conf.j2
@ -15,6 +15,7 @@ server {

 	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;

 	location / {
 		## Headers
--- a/roles/dokuwiki-and-nginx/templates/conf.j2
+++ b/roles/dokuwiki-and-nginx/templates/conf.j2
@ -14,8 +14,7 @@ server {
 {% if var_dokuwiki_and_nginx_tls_enable %}
 	ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
-	ssl_session_timeout 5m;
-	ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
+	include /etc/nginx/ssl-hardening.conf;
 {% endif %}

 	# Maximum file upload size is 4MB - change accordingly if needed
--- a/roles/element-and-nginx/templates/conf.j2
+++ b/roles/element-and-nginx/templates/conf.j2
@ -8,6 +8,7 @@ server {

 	ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;

 	root {{var_element_and_nginx_path}};
 }
--- a/roles/gitlab-and-nginx/templates/conf.j2
+++ b/roles/gitlab-and-nginx/templates/conf.j2
@ -51,21 +51,7 @@ server {

 	ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
-	
-	ssl_session_timeout 1d;
-	ssl_session_cache shared:SSL:10m;
-	ssl_session_tickets off;
-	
-	ssl_protocols TLSv1.3;
-	ssl_prefer_server_ciphers off;
-	
-	# ssl_stapling on;
-	# ssl_stapling_verify on;
-	# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
-	# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
-	# resolver_timeout 5s;
-	
-	# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+	include /etc/nginx/ssl-hardening.conf;

 	real_ip_header X-Real-IP;
 	real_ip_recursive off;
--- a/roles/hedgedoc-and-nginx/templates/conf.j2
+++ b/roles/hedgedoc-and-nginx/templates/conf.j2
@ -11,6 +11,7 @@ server {

 	ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;

 	location / {
 		proxy_pass http://localhost:3000;
--- a/roles/nginx/files/dhparam
+++ b/roles/nginx/files/dhparam
@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
--- a/roles/nginx/files/ssl-hardening.conf
+++ b/roles/nginx/files/ssl-hardening.conf
@ -0,0 +1,18 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /etc/nginx/dhparam;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@ -9,6 +9,22 @@
 			]
 		}
 	},
+	{
+		"name": "place dhparams file",
+		"become": true,
+		"ansible.builtin.copy": {
+			"src": "dhparam",
+			"dest": "/etc/nginx/dhparam"
+		}
+	},
+	{
+		"name": "place hardening config",
+		"become": true,
+		"ansible.builtin.copy": {
+			"src": "ssl-hardening.conf",
+			"dest": "/etc/nginx/ssl-hardening.conf"
+		}
+	},
 	{
 		"name": "restart service",
 		"become": true,
--- a/roles/synapse-and-nginx/templates/conf.j2
+++ b/roles/synapse-and-nginx/templates/conf.j2
@ -12,6 +12,7 @@ server {

 	ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;

 	location ~ ^(/_matrix|/_synapse/client) {
 		proxy_pass http://localhost:8008;