Diffstat (limited to 'ansible/roles/nginx/files/tls')
-rw-r--r--ansible/roles/nginx/files/tls/ssl_ciphers_intermediate10
-rw-r--r--ansible/roles/nginx/files/tls/ssl_ciphers_modern7
-rw-r--r--ansible/roles/nginx/files/tls/ssl_ciphers_tls137
-rw-r--r--ansible/roles/nginx/files/tls/ssl_params55
4 files changed, 79 insertions, 0 deletions
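diff --git a/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate b/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate
new file mode 100644
index 0000000..bc79954
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate
@@ -0,0 +1,10 @@
+# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# as of 2018-07-12
+
+# No TLSv1.3 support yet!
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/ssl/ffdhe2048.pem;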
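Review bot: The ssl_protocols line of this profile still enables TLSv1 and TLSv1.1, and the ssl_ciphers string keeps the 3DES suites (ECDHE-ECDSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA) and the static-RSA suites (AES128-SHA and friends), which give no forward secrecy. That is consistent with the Mozilla "intermediate" profile the header dates to 2018-07-12, so it is presumably a deliberate legacy-client choice, but the file should state the trade-off rather than leave it implicit: `# Intermediate profile: retains TLSv1/1.1, 3DES and non-PFS RSA suites for legacy clients; use ssl_ciphers_modern where clients allow.` The comment `# No TLSv1.3 support yet!` here and in ssl_ciphers_modern reads as stale next to the ssl_ciphers_tls13 file added by the same commit; clarifying it as "the generator output does not include TLSv1.3" would avoid confusion. ssl_dhparam points at /etc/ssl/ffdhe2048.pem, which this diffstat (limited to files/tls) does not create, so the role presumably ships it elsewhere — worth confirming, since nginx will not start if that file is missing.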
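diff --git a/ansible/roles/nginx/files/tls/ssl_ciphers_modern b/ansible/roles/nginx/files/tls/ssl_ciphers_modern
new file mode 100644
index 0000000..ab93ffc
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_modern
@@ -0,0 +1,7 @@
+# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# as of 2018-07-12
+
+# No TLSv1.3 support yet!
+
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';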
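diff --git a/ansible/roles/nginx/files/tls/ssl_ciphers_tls13 b/ansible/roles/nginx/files/tls/ssl_ciphers_tls13
new file mode 100644
index 0000000..db04c36
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_tls13
@@ -0,0 +1,7 @@
+# From https://github.com/cloudflare/sslconfig/blob/796bc5ac7224f1e540394d792323ccafa86aaeea/conf
+
+# nginx >= 1.11.0 (2016-05-24) created the 'ssl_ecdh_curve' parameter
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
+ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';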
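Review bot: Although this file is named for TLS 1.3, its ssl_protocols line also enables TLSv1 and TLSv1.1, and the cipher string's tail `RSA+AES128`, `RSA+AES256`, `ECDHE+3DES`, `RSA+3DES` admits static-RSA key exchange (no forward secrecy) and 3DES; the bracketed equal-preference group is tried first, but any client that only offers the fallbacks can still negotiate them. If the intent is TLS 1.3 plus modern 1.2, the change is `ssl_protocols TLSv1.2 TLSv1.3;` and dropping the `:ECDHE+3DES:RSA+3DES` tail; if the Cloudflare-derived reach is intentional, a comment saying so would stop the next reader from "fixing" it. The ssl_ecdh_curve list includes P-224, which gives roughly 112-bit security; `ssl_ecdh_curve X25519:P-256:P-384;` is the usual trim. The version comment covers only ssl_ecdh_curve, while TLSv1.3 in ssl_protocols additionally requires an nginx/OpenSSL build with TLS 1.3 support (nginx 1.13.0+ on OpenSSL 1.1.1, as far as I recall) — worth noting on the same comment line since the Ansible role will otherwise fail config validation on older hosts.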
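diff --git a/ansible/roles/nginx/files/tls/ssl_params b/ansible/roles/nginx/files/tls/ssl_params
new file mode 100644
index 0000000..37798fc
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_params
@@ -0,0 +1,55 @@
+# Test OCSP with:
+# openssl s_client -connect $site:443 -tls1 -tlsextdebug -status
+#
+# also test with:
+# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher RSA </dev/null
+#
+# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher ECDSA </dev/null
+
+
+# Duration client SSL session tickets are valid for:
+ssl_session_timeout 1d;
+# NOTE NOTE NOTE NOTE NOTE
+# nginx only regenerates its ssl_session_ticket_key on reload or restart.
+# the ticket key is basically a symmetric key that effectively breaks
+# forward secrecy if leaked.
+# With ssl_session_tickets enabled, you should reload nginx daily to reset
+# the internal cached ticket key.
+# If you are using external ticket keys, those should also be rotated daily.
+# END NOTE END NOTE END NOTE
+
+# Internal cache of SSL sessions
+ssl_session_cache shared:SSL:500m; # 500MB = 2M cached sessions (4k sessions/MB)
+
+# session tickets are reused for the life of the server.
+# For multiple servers serving the same host,
+# have them all share the same key and rotate as necessary:
+# ssl_session_ticket_key [keyfile];
+# Without a ticket key file defined, a reload of nginx resets the key.
+ssl_session_tickets on;
+
+# Individual cipher files are included externally
+# (one of ssl_ciphers_{intermediate,modern})
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+
+# OCSP Stapling ---
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
+ssl_trusted_certificate /etc/ssl/lets-encrypt-x3-cross-signed.pem;
+
+# Instead of using resolver, take response from file:
+# ssl_stapling_file <-- must be set PER domain, but nginx so far has refused
+# to add the ability to have one stapling file per certificate now that nginx
+# supports both RSA and EC per domain. So, this is useless if you have multiple
+# certificates per domain.
+
+# 'valid' ignores DNS TTL and caches lookups for specified duration
+# This should be replaced with a local dnsmasq resolver at 127.0.0.1
+resolver 127.0.0.53 4.2.2.2 8.8.8.8 1.1.1.1 valid=600s ipv6=off;
+resolver_timeout 4s;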
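Review bot: The Strict-Transport-Security add_header has no `always` flag, so nginx only attaches it to 2xx/3xx responses and error pages go out without HSTS; `add_header Strict-Transport-Security "max-age=15768000; includeSubdomains" always;` closes that (nginx 1.7.5+), and it is worth a comment that add_header is not inherited into any server/location block that declares its own add_header, which silently drops the header there. ssl_trusted_certificate is pinned to /etc/ssl/lets-encrypt-x3-cross-signed.pem with ssl_stapling_verify on, so a change of issuing intermediate will, as far as I recall, make nginx log a warning and stop stapling rather than fail loudly — a check that the stapled response is still served belongs next to the openssl s_client test lines at the top. The ticket-key NOTE block describes the forward-secrecy risk of `ssl_session_tickets on` with a process-lifetime key but the config does nothing to enforce the daily rotation it asks for; either the Ansible role should own a rotation handler or the comment should say which mechanism does. The comment `# (one of ssl_ciphers_{intermediate,modern})` omits the ssl_ciphers_tls13 file added in the same commit.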