Merge branch 'dev-nginx-hardening' into 'main'

Harden nginx ssl/tls config See merge request roydfalk/ansible-base!2
2024-06-09 09:05:11 +00:00 · 2024-06-09 09:05:11 +00:00 · a60858e48a
commit a60858e48a
parent a6169291f6 6fe4f5fd56
9 changed files with 48 additions and 111 deletions
--- a/roles/authelia-and-nginx/templates/conf.j2
+++ b/roles/authelia-and-nginx/templates/conf.j2
@ -15,6 +15,7 @@ server {
 	
 	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
 	
 	location / {
 		## Headers
--- a/roles/dokuwiki-and-nginx/templates/conf.j2
+++ b/roles/dokuwiki-and-nginx/templates/conf.j2
@ -14,8 +14,7 @@ server {
 {% if var_dokuwiki_and_nginx_tls_enable %}
 	ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
-	ssl_session_timeout 5m;
-	ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
+	include /etc/nginx/ssl-hardening.conf;
 {% endif %}
 	
 	# Maximum file upload size is 4MB - change accordingly if needed
--- a/roles/element-and-nginx/templates/conf.j2
+++ b/roles/element-and-nginx/templates/conf.j2
@ -8,6 +8,7 @@ server {
 	
 	ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
 	
 	root {{var_element_and_nginx_path}};
 }
--- a/roles/gitlab-and-nginx/templates/conf.j2
+++ b/roles/gitlab-and-nginx/templates/conf.j2
@ -51,21 +51,7 @@ server {
 	
 	ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
-	
-	ssl_session_timeout 1d;
-	ssl_session_cache shared:SSL:10m;
-	ssl_session_tickets off;
-	
-	ssl_protocols TLSv1.3;
-	ssl_prefer_server_ciphers off;
-	
-	# ssl_stapling on;
-	# ssl_stapling_verify on;
-	# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
-	# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
-	# resolver_timeout 5s;
-	
-	# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+	include /etc/nginx/ssl-hardening.conf;
 	
 	real_ip_header X-Real-IP;
 	real_ip_recursive off;
--- a/roles/hedgedoc-and-nginx/templates/conf.j2
+++ b/roles/hedgedoc-and-nginx/templates/conf.j2
@ -11,20 +11,21 @@ server {
 	
 	ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
 	
 	location / {
 		proxy_pass http://localhost:3000;
-		proxy_set_header Host $host; 
-		proxy_set_header X-Real-IP $remote_addr; 
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 	
 	location /socket.io/ {
 		proxy_pass http://localhost:3000;
-		proxy_set_header Host $host; 
-		proxy_set_header X-Real-IP $remote_addr; 
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection $connection_upgrade;
--- a/roles/nginx/files/ssl-hardening.conf
+++ b/roles/nginx/files/ssl-hardening.conf
@ -0,0 +1,18 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /etc/nginx/dhparam;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@ -5,10 +5,26 @@
 		"ansible.builtin.apt": {
 			"update_cache": true,
 			"pkg": [
-				"nginx"
+				"nginx",
+				"openssl"
 			]
 		}
 	},
+	{
+		"name": "generate dhparams file",
+		"ansible.builtin.command": "openssl dhparam -out /etc/nginx/dhparam 4096",
+		"args": {
+			"creates": "/etc/nginx/dhparam"
+		}
+	},
+	{
+		"name": "place hardening config",
+		"become": true,
+		"ansible.builtin.copy": {
+			"src": "ssl-hardening.conf",
+			"dest": "/etc/nginx/ssl-hardening.conf"
+		}
+	},
 	{
 		"name": "ufw | check",
 		"become": true,
--- a/roles/nginx/tasks/main.json.orig
+++ b/roles/nginx/tasks/main.json.orig
@ -1,86 +0,0 @@
-[
-	{
-		"name": "install packages",
-		"become": true,
-		"ansible.builtin.apt": {
-			"update_cache": true,
-			"pkg": [
-				"nginx"
-			]
-		}
-	},
-	{
-<<<<<<< HEAD
-=======
-		"name": "generate dhparams file",
-		"become": true,
-		"ansible.builtin.command": {
-			"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
-		},
-		"args": {
-			"creates": "/etc/nginx/dhparam"
-		}
-	},
-	{
-		"name": "place hardening config",
-		"become": true,
-		"ansible.builtin.copy": {
-			"src": "ssl-hardening.conf",
-			"dest": "/etc/nginx/ssl-hardening.conf"
-		}
-	},
-	{
-		"name": "ufw | check",
-		"become": true,
-		"check_mode": true,
-		"community.general.ufw": {
-			"state": "enabled"
-		},
-		"register": "ufw_enable_check"
-	},
-	{
-		"name": "ufw | allow port 80",
-		"when": "not ufw_enable_check.changed",
-		"become": true,
-		"community.general.ufw": {
-			"rule": "allow",
-			"port": "80",
-			"proto": "tcp"
-		}
-	},
-	{
-		"name": "ufw | allow port 443",
-		"when": "not ufw_enable_check.changed",
-		"become": true,
-		"community.general.ufw": {
-			"rule": "allow",
-			"port": "443",
-			"proto": "tcp"
-		}
-	},
-	{
-		"name": "auto reload",
-		"when": "auto_reload_interval != None",
-		"become": true,
-		"ansible.builtin.cron": {
-			"name": "nginx_auto_reload",
-			"disabled": true,
-			"minute": "0",
-			"hour": "*/{{var_nginx_auto_reload_interval | string}}",
-			"day": "*",
-			"month": "*",
-			"weekday": "*",
-			"job": "systemctl reload nginx"
-		}
-	},
-	{
->>>>>>> f55f317 ([fix] role:nginx)
-		"name": "restart service",
-		"become": true,
-		"ansible.builtin.systemd_service": {
-			"state": "restarted",
-			"name": "nginx"
-		}
-	}
-]
-
--- a/roles/synapse-and-nginx/templates/conf.j2
+++ b/roles/synapse-and-nginx/templates/conf.j2
@ -12,7 +12,8 @@ server {
 	
 	ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
-    
+	include /etc/nginx/ssl-hardening.conf;
+	
 	location ~ ^(/_matrix|/_synapse/client) {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;