From e68b778711c77ed3ce05094a75a25fd0ec787c14 Mon Sep 17 00:00:00 2001
From: Mark Heiges
Date: Thu, 21 Apr 2016 13:57:11 -0400
Subject: [PATCH] generate and use random Ephemeral Diffie-Hellman group
---
 roles/easyredmine/tasks/nginx.yml | 15 +++
 .../easyredmine/templates/easyredmine.conf.j2 | 26 +++++
 roles/easyredmine/templates/nginx.conf.j2 | 97 ++++++++++++++-----
 roles/easyredmine/vars/main.yml | 2 +
 4 files changed, 114 insertions(+), 26 deletions(-)
 create mode 100644 roles/easyredmine/templates/easyredmine.conf.j2
diff --git a/roles/easyredmine/tasks/nginx.yml b/roles/easyredmine/tasks/nginx.yml
index 0f4cc17..9367e13 100644
--- a/roles/easyredmine/tasks/nginx.yml
+++ b/roles/easyredmine/tasks/nginx.yml
@@ -21,7 +21,22 @@
 - nginx
 - passenger
+- stat: path='{{ dharam_pem_path }}'
+ register: dharam_pem
+
+# https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score
+- name: generate new Diffie-Hellman group
+ command: 'openssl dhparam -out {{ dharam_pem_path }} 2048'
+ sudo: yes
+ notify: restart nginx
+ when: dharam_pem.stat.exists == False
+
 - template: dest='/etc/nginx/conf.d/easyredmine.conf'
+ src=easyredmine.conf.j2
+ sudo: yes
+ notify: restart nginx
+
+- template: dest='/etc/nginx/nginx.conf' src=nginx.conf.j2
 sudo: yes
 notify: restart nginx
diff --git a/roles/easyredmine/templates/easyredmine.conf.j2 b/roles/easyredmine/templates/easyredmine.conf.j2
new file mode 100644
index 0000000..7be148c
--- /dev/null
+++ b/roles/easyredmine/templates/easyredmine.conf.j2
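Review bot: The `stat` task that gates group generation runs without `sudo: yes`, while the `openssl dhparam` task after it needs privilege because `dharam_pem_path` resolves to a file under `/etc/pki/tls/private/`; if that directory is not readable by the connecting user, `dharam_pem.stat.exists` is false on every run and the play regenerates the 2048-bit group and restarts nginx each time. Either add `sudo: yes` to the stat task, or drop the stat/when pair and let the command module handle idempotence with `command: 'openssl dhparam -out {{ dharam_pem_path }} 2048 creates={{ dharam_pem_path }}'`. The task list this hunk edits starts before the hunk.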
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ {% if is_production_vm %}
+ server_name redmine.apidb.org;
+ {% else %}
+ server_name {{ ansible_fqdn }};
+ {% endif %}
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443;
+ {% if is_production_vm %}
+ server_name redmine.apidb.org;
+ {% else %}
+ server_name {{ ansible_fqdn }};
+ {% endif %}
+
+ ssl on;
+ ssl_certificate /etc/pki/tls/certs/{{ ansible_fqdn }}.pem;
+ ssl_certificate_key /etc/pki/tls/certs/{{ ansible_fqdn }}.pem;
+
+ root {{ redmine_root_dir }}/public;
+ passenger_enabled on;
+ client_max_body_size 50M;
+}
diff --git a/roles/easyredmine/templates/nginx.conf.j2 b/roles/easyredmine/templates/nginx.conf.j2
index 03ed8cd..d697210 100644
--- a/roles/easyredmine/templates/nginx.conf.j2
+++ b/roles/easyredmine/templates/nginx.conf.j2
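Review bot: `ssl_certificate_key` points at the same file as `ssl_certificate`, `/etc/pki/tls/certs/{{ ansible_fqdn }}.pem`, so the private key sits in the certs directory, which is conventionally world-readable, instead of under `/etc/pki/tls/private/` where this commit puts the DH group; a combined cert+key file there exposes the key if the directory carries distribution-default permissions. The key should be split out, e.g. `ssl_certificate_key /etc/pki/tls/private/{{ ansible_fqdn }}.key;`, with a file task ensuring root ownership and mode 0600. The same two lines existed in the old nginx.conf.j2, so this is carried over rather than introduced, but the new file is where it should be corrected. As a point of style, `listen 443;` plus `ssl on;` can be written as `listen 443 ssl;`, keeping the TLS setting on the listen socket it applies to.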
@@ -1,32 +1,77 @@
-server {
- listen 80;
- {% if is_production_vm %}
- server_name redmine.apidb.org;
- {% else %}
- server_name {{ ansible_fqdn }};
- {% endif %}
- return 301 https://$host$request_uri;
+# For more information on configuration, see:
+# * Official English Documentation: http://nginx.org/en/docs/
+# * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log;
+#error_log /var/log/nginx/error.log notice;
+#error_log /var/log/nginx/error.log info;
+
+pid /run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
 }
-server {
- listen 443;
- {% if is_production_vm %}
- server_name redmine.apidb.org;
- {% else %}
- server_name {{ ansible_fqdn }};
- {% endif %}
- ssl on;
- ssl_certificate /etc/pki/tls/certs/{{ ansible_fqdn }}.pem;
- ssl_certificate_key /etc/pki/tls/certs/{{ ansible_fqdn }}.pem;
- ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!DSS:!DH+3DES;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_prefer_server_ciphers on;
+http {
- server_tokens off;
- add_header X-Frame-Options SAMEORIGIN;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
- root {{ redmine_root_dir }}/public;
- passenger_enabled on;
- client_max_body_size 50M;
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ keepalive_timeout 65;
+ index index.html index.htm;
+
+ # Load modular configuration files from the /etc/nginx/conf.d directory.
+ # See http://nginx.org/en/docs/ngx_core_module.html#include
+ # for more information.
+ include /etc/nginx/conf.d/*.conf;
+
+ ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!DSS:!DH+3DES;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+
+ # https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score
+ ssl_dhparam {{ dharam_pem_path }};
+
+ server_tokens off;
+ add_header X-Frame-Options SAMEORIGIN;
+
+ server {
+ listen 80 default_server;
+ server_name localhost;
+ root /usr/share/nginx/html;
+
+ #charset koi8-r;
+
+ #access_log /var/log/nginx/host.access.log main;
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ location / {
+ }
+
+ # redirect server error pages to the static page /40x.html
+ #
+ error_page 404 /404.html;
+ location = /40x.html {
+ }
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ }
+ }
 }
diff --git a/roles/easyredmine/vars/main.yml b/roles/easyredmine/vars/main.yml
index 6fb925d..52fb419 100644
--- a/roles/easyredmine/vars/main.yml
+++ b/roles/easyredmine/vars/main.yml
@@ -1,2 +1,4 @@
 ---
 # vars file for easyredmine
+
+dharam_pem_path: /etc/pki/tls/private/dhparam.pem
\ No newline at end of file
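Review bot: `ssl_dhparam {{ dharam_pem_path }};` only takes effect for DHE suites, and in the `ssl_ciphers` list a few lines above it the only DHE suite is `EDH-RSA-DES-CBC3-SHA`, which the trailing `!DH+3DES` may itself strip depending on how the target's OpenSSL build interprets `DH`; if it does, the generated group is never negotiated and the commit's intent is not observable. Worth confirming with `openssl ciphers -v` against that string on the target, and then either adding `DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384` after the ECDHE entries or saying in the comment that the group is a fallback for non-ECDHE clients only. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the cipher list are carried over from the old file unchanged; retiring TLSv1/1.1 is a separate decision, but this hunk is where it would land.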
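Review bot: `dharam_pem_path` spells the variable differently from the file it names (`dhparam.pem`) and from the `openssl dhparam` subcommand; it is consistent across the four files in this commit, but it is an easy typo trap for later tasks that reference it, so `dhparam_pem_path` everywhere would be clearer. The file also ends without a trailing newline (`\ No newline at end of file`), which the next edit will show as a spurious change. Since this is a plain path with nothing secret in it, `defaults/main.yml` would let playbooks override it, whereas role `vars/` take precedence over inventory.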