From b9f9b0bf3c6905c550e45f5a43867d51364705fb Mon Sep 17 00:00:00 2001
From: Kris Lamoureux <kris@lamoureux.io>
Date: Sat, 27 Aug 2022 18:56:12 -0400
Subject: [PATCH] Update TLS settings in nginx proxy

---
 roles/proxy/tasks/main.yml                 |  5 +++++
 roles/proxy/templates/nginx.conf.j2        |  8 ++++++++
 roles/proxy/templates/server-nginx.conf.j2 | 14 +++++++++-----
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 734fe68..f87fec8 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -10,6 +10,11 @@
     state: started
     enabled: true
 
+- name: Generate DH Parameters
+  openssl_dhparam:
+    path: /etc/ssl/dhparams.pem
+    size: 4096
+
 - name: Install nginx base configuration
   template:
     src: nginx.conf.j2
diff --git a/roles/proxy/templates/nginx.conf.j2 b/roles/proxy/templates/nginx.conf.j2
index 39c94a0..60c0f1c 100644
--- a/roles/proxy/templates/nginx.conf.j2
+++ b/roles/proxy/templates/nginx.conf.j2
@@ -21,6 +21,14 @@ http {
   keepalive_timeout 65;
   server_names_hash_bucket_size 128;
 
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_dhparam /etc/ssl/dhparams.pem;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+
   include           /etc/nginx/conf.d/*.conf;
   include           /etc/nginx/sites-enabled/*;
 }
diff --git a/roles/proxy/templates/server-nginx.conf.j2 b/roles/proxy/templates/server-nginx.conf.j2
index 2bf74bb..66684f8 100644
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@@ -1,12 +1,13 @@
 server {
-    listen 80;
-
-    server_name {{ item.domain }};
-    return 301 https://{{ item.domain }}$request_uri;
+  listen 80;
+  listen [::]:80;
+  server_name {{ item.domain }};
+  return 301 https://{{ item.domain }}$request_uri;
 }
 
 server {
-  listen              443 ssl;
+  listen              443      ssl http2;
+  listen              [::]:443 ssl http2;
   server_name         {{ item.domain }};
   access_log          /var/log/nginx/{{ item.domain }}.log main;
 {% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
@@ -27,6 +28,9 @@ server {
   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 {% endif %}
+{% if item.hsts is defined %}
+  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
+{% endif %}
 {% if item.client_max_body_size is defined %}
   client_max_body_size {{ item.client_max_body_size }};
 {% endif %}