diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index bd0cbeb..231a61d 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -15,6 +15,7 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; location / { ## Headers diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index cd9c68d..514ceab 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -14,8 +14,7 @@ server { {% if var_dokuwiki_and_nginx_tls_enable %} ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; - ssl_session_timeout 5m; - ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; + include /etc/nginx/ssl-hardening.conf; {% endif %} # Maximum file upload size is 4MB - change accordingly if needed diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 312df8b..08330a6 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -8,6 +8,7 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; root {{var_element_and_nginx_path}}; } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index eabfcb9..4208162 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -51,21 +51,7 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired - # resolver_timeout 5s; - - # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + include /etc/nginx/ssl-hardening.conf; real_ip_header X-Real-IP; real_ip_recursive off; diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 0760df4..08e630c 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -11,20 +11,21 @@ server { ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; location / { proxy_pass http://localhost:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /socket.io/ { proxy_pass http://localhost:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; diff --git a/roles/nginx/files/ssl-hardening.conf b/roles/nginx/files/ssl-hardening.conf new file mode 100644 index 0000000..1d5f5f4 --- /dev/null +++ b/roles/nginx/files/ssl-hardening.conf @@ -0,0 +1,18 @@ +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions +ssl_session_tickets off; + +# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam +ssl_dhparam /etc/nginx/dhparam; + +# intermediate configuration +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; +ssl_prefer_server_ciphers off; + +# HSTS (ngx_http_headers_module is required) (63072000 seconds) +add_header Strict-Transport-Security "max-age=63072000" always; + +# OCSP stapling +ssl_stapling on; +ssl_stapling_verify on; diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 664b54c..5d7135b 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -5,10 +5,26 @@ "ansible.builtin.apt": { "update_cache": true, "pkg": [ - "nginx" + "nginx", + "openssl" ] } }, + { + "name": "generate dhparams file", + "ansible.builtin.command": "openssl dhparam -out /etc/nginx/dhparam 4096", + "args": { + "creates": "/etc/nginx/dhparam" + } + }, + { + "name": "place hardening config", + "become": true, + "ansible.builtin.copy": { + "src": "ssl-hardening.conf", + "dest": "/etc/nginx/ssl-hardening.conf" + } + }, { "name": "ufw | check", "become": true, diff --git a/roles/nginx/tasks/main.json.orig b/roles/nginx/tasks/main.json.orig deleted file mode 100644 index 3941ce5..0000000 --- a/roles/nginx/tasks/main.json.orig +++ /dev/null @@ -1,86 +0,0 @@ -[ - { - "name": "install packages", - "become": true, - "ansible.builtin.apt": { - "update_cache": true, - "pkg": [ - "nginx" - ] - } - }, - { -<<<<<<< HEAD -======= - "name": "generate dhparams file", - "become": true, - "ansible.builtin.command": { - "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" - }, - "args": { - "creates": "/etc/nginx/dhparam" - } - }, - { - "name": "place hardening config", - "become": true, - "ansible.builtin.copy": { - "src": "ssl-hardening.conf", - "dest": "/etc/nginx/ssl-hardening.conf" - } - }, - { - "name": "ufw | check", - "become": true, - "check_mode": true, - "community.general.ufw": { - "state": "enabled" - }, - "register": "ufw_enable_check" - }, - { - "name": "ufw | allow port 80", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "80", - "proto": "tcp" - } - }, - { - "name": "ufw | allow port 443", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "443", - "proto": "tcp" - } - }, - { - "name": "auto reload", - "when": "auto_reload_interval != None", - "become": true, - "ansible.builtin.cron": { - "name": "nginx_auto_reload", - "disabled": true, - "minute": "0", - "hour": "*/{{var_nginx_auto_reload_interval | string}}", - "day": "*", - "month": "*", - "weekday": "*", - "job": "systemctl reload nginx" - } - }, - { ->>>>>>> f55f317 ([fix] role:nginx) - "name": "restart service", - "become": true, - "ansible.builtin.systemd_service": { - "state": "restarted", - "name": "nginx" - } - } -] - diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index b9b94c6..e59fb99 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -12,7 +12,8 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr;