From a03e50c9339a147aee3f8e8a4210a3bce5a74f5a Mon Sep 17 00:00:00 2001 From: Marius Melzer Date: Fri, 19 Apr 2024 00:20:46 +0200 Subject: [PATCH 1/5] Harden nginx ssl/tls config According to https://ssl-config.mozilla.org/ --- roles/authelia-and-nginx/templates/conf.j2 | 15 ++++---- roles/dokuwiki-and-nginx/templates/conf.j2 | 25 ++++++------ roles/element-and-nginx/templates/conf.j2 | 7 ++-- roles/gitlab-and-nginx/templates/conf.j2 | 44 ++++++++-------------- roles/hedgedoc-and-nginx/templates/conf.j2 | 21 ++++++----- roles/nginx/files/dhparam | 8 ++++ roles/nginx/files/ssl-hardening.conf | 18 +++++++++ roles/nginx/tasks/main.json | 16 ++++++++ roles/synapse-and-nginx/templates/conf.j2 | 13 ++++--- 9 files changed, 99 insertions(+), 68 deletions(-) create mode 100644 roles/nginx/files/dhparam create mode 100644 roles/nginx/files/ssl-hardening.conf diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index bd0cbeb..8649a39 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -1,21 +1,22 @@ server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:80; listen 80; - + return 301 https://$server_name$request_uri; } server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location / { ## Headers proxy_set_header Host $host; @@ -52,10 +53,10 @@ server { proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; - + proxy_pass http://localhost:9091; } - + location /api/verify { proxy_pass http://localhost:9091; } diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index cd9c68d..90278d0 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -4,45 +4,44 @@ server { server_name {{var_dokuwiki_and_nginx_domain}}; return 301 https://$server_name$request_uri; } - + server { listen [::]:443 ssl; listen 443 ssl; - + server_name {{var_dokuwiki_and_nginx_domain}}; - + {% if var_dokuwiki_and_nginx_tls_enable %} ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; - ssl_session_timeout 5m; - ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; + include /etc/nginx/ssl-hardening.conf; {% endif %} - + # Maximum file upload size is 4MB - change accordingly if needed client_max_body_size 4M; client_body_buffer_size 128k; - + root {{var_dokuwiki_and_nginx_directory}}; index doku.php; - + #Remember to comment the below out when you're installing, and uncomment it when done. location ~ /(conf/|bin/|inc/|vendor/|install.php) { deny all; } - + #Support for X-Accel-Redirect location ~ ^/data/ { internal; } - + location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ { expires 365d; } - + location / { try_files $uri $uri/ @dokuwiki; } - + location @dokuwiki { # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; @@ -50,7 +49,7 @@ server { rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; rewrite ^/(.*) /doku.php?id=$1&$args last; } - + location ~ \.php$ { try_files $uri $uri/ /doku.php; include fastcgi_params; diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 312df8b..cec8475 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -3,11 +3,12 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + server_name {{var_element_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + root {{var_element_and_nginx_path}}; } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index eabfcb9..c6430f6 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -32,12 +32,12 @@ map $http_referer $gitlab_ssl_filtered_http_referer { server { listen 80 default_server; listen [::]:80 ipv6only=on default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + return 301 https://$http_host$request_uri; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; } @@ -45,61 +45,47 @@ server { server { listen 0.0.0.0:443 ssl http2; listen [::]:443 ipv6only=on ssl http2 default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired - # resolver_timeout 5s; - - # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; - + include /etc/nginx/ssl-hardening.conf; + real_ip_header X-Real-IP; real_ip_recursive off; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; - + location / { client_max_body_size 0; gzip off; - + proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; - + proxy_http_version 1.1; - + proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_gitlab; - + # proxy_pass http://gitlab-workhorse; proxy_pass http://localhost:8080; } - + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; error_page 502 /502.html; error_page 503 /503.html; - + location ~ ^/(404|422|500|502|503)\.html$ { root /home/git/gitlab/public; internal; diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 0760df4..19723d1 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -5,26 +5,27 @@ map $http_upgrade $connection_upgrade { server { server_name {{var_hedgedoc_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location / { proxy_pass http://localhost:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } - + location /socket.io/ { proxy_pass http://localhost:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; diff --git a/roles/nginx/files/dhparam b/roles/nginx/files/dhparam new file mode 100644 index 0000000..9b182b7 --- /dev/null +++ b/roles/nginx/files/dhparam @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx/files/ssl-hardening.conf b/roles/nginx/files/ssl-hardening.conf new file mode 100644 index 0000000..1d5f5f4 --- /dev/null +++ b/roles/nginx/files/ssl-hardening.conf @@ -0,0 +1,18 @@ +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions +ssl_session_tickets off; + +# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam +ssl_dhparam /etc/nginx/dhparam; + +# intermediate configuration +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; +ssl_prefer_server_ciphers off; + +# HSTS (ngx_http_headers_module is required) (63072000 seconds) +add_header Strict-Transport-Security "max-age=63072000" always; + +# OCSP stapling +ssl_stapling on; +ssl_stapling_verify on; diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index c8e2b40..2d9e9ed 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -9,6 +9,22 @@ ] } }, + { + "name": "place dhparams file", + "become": true, + "ansible.builtin.copy": { + "src": "dhparam", + "dest": "/etc/nginx/dhparam" + } + }, + { + "name": "place hardening config", + "become": true, + "ansible.builtin.copy": { + "src": "ssl-hardening.conf", + "dest": "/etc/nginx/ssl-hardening.conf" + } + }, { "name": "restart service", "become": true, diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index b9b94c6..a8ba62b 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -3,24 +3,25 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + ## For the federation port listen 8448 ssl http2 default_server; listen [::]:8448 ssl http2 default_server; - + server_name {{var_synapse_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - + client_max_body_size 50M; - + proxy_http_version 1.1; } } From dcc52b04cc7fe77161220cf2fb4e38908767bcbd Mon Sep 17 00:00:00 2001 From: Marius Melzer Date: Sat, 20 Apr 2024 13:11:26 +0200 Subject: [PATCH 2/5] Generate dhparams instead of using a checked in file --- roles/nginx/tasks/main.json | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 2d9e9ed..ca205e5 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -10,11 +10,10 @@ } }, { - "name": "place dhparams file", - "become": true, - "ansible.builtin.copy": { - "src": "dhparam", - "dest": "/etc/nginx/dhparam" + "name": "generate dhparams file", + "ansible.builtin.command": "openssl dhparam -out /etc/nginx/dhparam 4096", + "args": { + "creates": "/etc/nginx/dhparam" } }, { From 882286e1a78cb78812299c27e1a41e48af4a8cba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 24 Apr 2024 17:33:35 +0000 Subject: [PATCH 3/5] Apply 1 suggestion(s) to 1 file(s) --- roles/nginx/tasks/main.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index ca205e5..26f2739 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -5,7 +5,8 @@ "ansible.builtin.apt": { "update_cache": true, "pkg": [ - "nginx" + "nginx", + "openssl" ] } }, From aeac7cceab06574c44fdd908e227d77a2809b055 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 1 Jun 2024 18:14:21 +0200 Subject: [PATCH 4/5] [sty] roles:tls hardening:format --- roles/authelia-and-nginx/templates/conf.j2 | 14 +++++------ roles/dokuwiki-and-nginx/templates/conf.j2 | 22 ++++++++--------- roles/element-and-nginx/templates/conf.j2 | 6 ++--- roles/gitlab-and-nginx/templates/conf.j2 | 28 +++++++++++----------- roles/hedgedoc-and-nginx/templates/conf.j2 | 8 +++---- roles/nginx/files/dhparam | 8 ------- roles/synapse-and-nginx/templates/conf.j2 | 12 +++++----- 7 files changed, 45 insertions(+), 53 deletions(-) delete mode 100644 roles/nginx/files/dhparam diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index 8649a39..231a61d 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -1,22 +1,22 @@ server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:80; listen 80; - + return 301 https://$server_name$request_uri; } server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + location / { ## Headers proxy_set_header Host $host; @@ -53,10 +53,10 @@ server { proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; - + proxy_pass http://localhost:9091; } - + location /api/verify { proxy_pass http://localhost:9091; } diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 90278d0..514ceab 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -4,44 +4,44 @@ server { server_name {{var_dokuwiki_and_nginx_domain}}; return 301 https://$server_name$request_uri; } - + server { listen [::]:443 ssl; listen 443 ssl; - + server_name {{var_dokuwiki_and_nginx_domain}}; - + {% if var_dokuwiki_and_nginx_tls_enable %} ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; {% endif %} - + # Maximum file upload size is 4MB - change accordingly if needed client_max_body_size 4M; client_body_buffer_size 128k; - + root {{var_dokuwiki_and_nginx_directory}}; index doku.php; - + #Remember to comment the below out when you're installing, and uncomment it when done. location ~ /(conf/|bin/|inc/|vendor/|install.php) { deny all; } - + #Support for X-Accel-Redirect location ~ ^/data/ { internal; } - + location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ { expires 365d; } - + location / { try_files $uri $uri/ @dokuwiki; } - + location @dokuwiki { # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; @@ -49,7 +49,7 @@ server { rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; rewrite ^/(.*) /doku.php?id=$1&$args last; } - + location ~ \.php$ { try_files $uri $uri/ /doku.php; include fastcgi_params; diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index cec8475..08330a6 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -3,12 +3,12 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + server_name {{var_element_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + root {{var_element_and_nginx_path}}; } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index c6430f6..4208162 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -32,12 +32,12 @@ map $http_referer $gitlab_ssl_filtered_http_referer { server { listen 80 default_server; listen [::]:80 ipv6only=on default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + return 301 https://$http_host$request_uri; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; } @@ -45,47 +45,47 @@ server { server { listen 0.0.0.0:443 ssl http2; listen [::]:443 ipv6only=on ssl http2 default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + real_ip_header X-Real-IP; real_ip_recursive off; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; - + location / { client_max_body_size 0; gzip off; - + proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; - + proxy_http_version 1.1; - + proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_gitlab; - + # proxy_pass http://gitlab-workhorse; proxy_pass http://localhost:8080; } - + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; error_page 502 /502.html; error_page 503 /503.html; - + location ~ ^/(404|422|500|502|503)\.html$ { root /home/git/gitlab/public; internal; diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 19723d1..08e630c 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -5,14 +5,14 @@ map $http_upgrade $connection_upgrade { server { server_name {{var_hedgedoc_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + location / { proxy_pass http://localhost:3000; proxy_set_header Host $host; @@ -20,7 +20,7 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } - + location /socket.io/ { proxy_pass http://localhost:3000; proxy_set_header Host $host; diff --git a/roles/nginx/files/dhparam b/roles/nginx/files/dhparam deleted file mode 100644 index 9b182b7..0000000 --- a/roles/nginx/files/dhparam +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz -+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a -87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 -YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi -7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD -ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== ------END DH PARAMETERS----- diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index a8ba62b..e59fb99 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -3,25 +3,25 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + ## For the federation port listen 8448 ssl http2 default_server; listen [::]:8448 ssl http2 default_server; - + server_name {{var_synapse_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - + client_max_body_size 50M; - + proxy_http_version 1.1; } } From 46e239133dd859b5ccbf33fc250b5f3cee323d3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 9 Jun 2024 11:02:04 +0200 Subject: [PATCH 5/5] [res] --- roles/nginx/tasks/main.json.orig | 86 -------------------------------- 1 file changed, 86 deletions(-) delete mode 100644 roles/nginx/tasks/main.json.orig diff --git a/roles/nginx/tasks/main.json.orig b/roles/nginx/tasks/main.json.orig deleted file mode 100644 index 3941ce5..0000000 --- a/roles/nginx/tasks/main.json.orig +++ /dev/null @@ -1,86 +0,0 @@ -[ - { - "name": "install packages", - "become": true, - "ansible.builtin.apt": { - "update_cache": true, - "pkg": [ - "nginx" - ] - } - }, - { -<<<<<<< HEAD -======= - "name": "generate dhparams file", - "become": true, - "ansible.builtin.command": { - "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" - }, - "args": { - "creates": "/etc/nginx/dhparam" - } - }, - { - "name": "place hardening config", - "become": true, - "ansible.builtin.copy": { - "src": "ssl-hardening.conf", - "dest": "/etc/nginx/ssl-hardening.conf" - } - }, - { - "name": "ufw | check", - "become": true, - "check_mode": true, - "community.general.ufw": { - "state": "enabled" - }, - "register": "ufw_enable_check" - }, - { - "name": "ufw | allow port 80", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "80", - "proto": "tcp" - } - }, - { - "name": "ufw | allow port 443", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "443", - "proto": "tcp" - } - }, - { - "name": "auto reload", - "when": "auto_reload_interval != None", - "become": true, - "ansible.builtin.cron": { - "name": "nginx_auto_reload", - "disabled": true, - "minute": "0", - "hour": "*/{{var_nginx_auto_reload_interval | string}}", - "day": "*", - "month": "*", - "weekday": "*", - "job": "systemctl reload nginx" - } - }, - { ->>>>>>> f55f317 ([fix] role:nginx) - "name": "restart service", - "become": true, - "ansible.builtin.systemd_service": { - "state": "restarted", - "name": "nginx" - } - } -] -