Diffstat (limited to 'ansible/roles/nginx/files/tls')
-rw-r--r-- | ansible/roles/nginx/files/tls/ssl_ciphers_intermediate | 10 | ||||
-rw-r--r-- | ansible/roles/nginx/files/tls/ssl_ciphers_modern | 7 | ||||
-rw-r--r-- | ansible/roles/nginx/files/tls/ssl_ciphers_tls13 | 7 | ||||
-rw-r--r-- | ansible/roles/nginx/files/tls/ssl_params | 55 |
4 files changed, 79 insertions, 0 deletions
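--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate
@@ -0,0 +1,10 @@
+# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# as of 2018-07-12
+
+# No TLSv1.3 support yet!
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/ssl/ffdhe2048.pem;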
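Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with the `DES-CBC3-SHA`/`EDH-RSA-DES-CBC3-SHA` and plain `AES*-SHA*` entries at the end of the cipher string keeps TLS 1.0/1.1, 3DES and non-forward-secret RSA key exchange reachable, and the only justification on the page is the date in the header. A maintainer who later copies this profile cannot tell which entries exist purely for old-client compatibility, so I'd add `# Legacy tail (TLSv1/1.1, 3DES, static RSA) kept for old clients; re-check against the generator before reuse` above the cipher line. Separately, `ssl_dhparam /etc/ssl/ffdhe2048.pem;` names a file that nothing in this diff provisions, and nginx refuses to load a configuration whose DH parameter file cannot be read, so the comment on line 9 should say which task or role ships that file.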
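--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_modern
@@ -0,0 +1,7 @@
+# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# as of 2018-07-12
+
+# No TLSv1.3 support yet!
+
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';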
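--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_tls13
@@ -0,0 +1,7 @@
+# From https://github.com/cloudflare/sslconfig/blob/796bc5ac7224f1e540394d792323ccafa86aaeea/conf
+
+# nginx >= 1.11.0 (2016-05-24) created the 'ssl_ecdh_curve' parameter
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
+ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';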
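Review bot: For a file named ssl_ciphers_tls13, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` and the cipher tail `ECDHE+3DES:RSA+3DES` (plus `RSA+AES128:RSA+AES256`) make this the widest profile in the commit, admitting 3DES and static-RSA key exchange that the modern profile excludes. Anyone selecting it to gain TLS 1.3 also gets more legacy than the intermediate profile, so the header should say so, e.g. `# Broad-compatibility profile with TLS 1.3 added; NOT 'modern + TLS 1.3' — still allows TLSv1/1.1, 3DES and RSA key exchange`. The header only records the nginx version that introduced `ssl_ecdh_curve`; the `TLSv1.3` token itself needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later, and an older nginx will reject it at config load, which deserves a line next to the directive. The ssl_params comment listing the selectable cipher files names only intermediate and modern, so this file should be added there as well.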
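--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_params
@@ -0,0 +1,55 @@
+# Test OCSP with:
+# openssl s_client -connect $site:443 -tls1 -tlsextdebug -status
+#
+# also test with:
+# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher RSA </dev/null
+#
+# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher ECDSA </dev/null
+
+
+# Duration client SSL session tickets are valid for:
+ssl_session_timeout 1d;
+# NOTE NOTE NOTE NOTE NOTE
+# nginx only regenerates its ssl_session_ticket_key on reload or restart.
+# the ticket key is basically a symmetric key that effectively breaks
+# forward secrecy if leaked.
+# With ssl_session_tickets enabled, you should reload nginx daily to reset
+# the internal cached ticket key.
+# If you are using external ticket keys, those should also be rotated daily.
+# END NOTE END NOTE END NOTE
+
+# Internal cache of SSL sessions
+ssl_session_cache shared:SSL:500m; # 500MB = 2M cached sessions (4k sessions/MB)
+
+# session tickets are reused for the life of the server.
+# For multiple servers serving the same host,
+# have them all share the same key and rotate as necessary:
+# ssl_session_ticket_key [keyfile];
+# Without a ticket key file defined, a reload of nginx resets the key.
+ssl_session_tickets on;
+
+# Individual cipher files are included externally
+# (one of ssl_ciphers_{intermediate,modern})
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+
+# OCSP Stapling ---
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
+ssl_trusted_certificate /etc/ssl/lets-encrypt-x3-cross-signed.pem;
+
+# Instead of using resolver, take response from file:
+# ssl_stapling_file <-- must be set PER domain, but nginx so far has refused
+# to add the ability to have one stapling file per certificate now that nginx
+# supports both RSA and EC per domain. So, this is useless if you have multiple
+# certificates per domain.
+
+# 'valid' ignores DNS TTL and caches lookups for specified duration
+# This should be replaced with a local dnsmasq resolver at 127.0.0.1
+resolver 127.0.0.53 4.2.2.2 8.8.8.8 1.1.1.1 valid=600s ipv6=off;
+resolver_timeout 4s;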
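Review bot: `add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";` on line 36 is the one directive in this file that nginx does not inherit safely: a server or location block that declares any `add_header` of its own drops every header inherited from an outer level, so the HSTS header silently disappears wherever this include is combined with other headers. I'd put `# add_header is NOT inherited into any block that has its own add_header; repeat this line there (or keep all add_header lines in one include)` directly above it. Two smaller documentation points: the comment on line 32 lists only ssl_ciphers_{intermediate,modern} although this commit also adds ssl_ciphers_tls13, and the test command on line 2 passes `-tls1`, which forces TLS 1.0 and will fail outright against a host using the modern profile (`ssl_protocols TLSv1.2;`), so `-tls1_2` is the flag to document. `ssl_trusted_certificate` pins a single Let's Encrypt cross-signed issuer while `ssl_stapling_verify on;` is set, so stapled responses for a certificate from any other issuer will fail verification and not be served; the comment on line 43 should state that this file must be updated whenever the certificate chain changes.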