1 files changed, 55 insertions, 0 deletions
diff --git a/ansible/roles/nginx/files/tls/ssl_params b/ansible/roles/nginx/files/tls/ssl_params
new file mode 100644
index 0000000..37798fc
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_params
@@ -0,0 +1,55 @@
+# Test OCSP with:
+# openssl s_client -connect $site:443 -tls1 -tlsextdebug -status
+#
+# also test with:
+# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher RSA </dev/null
+#
+# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher ECDSA </dev/null
+# Duration client SSL session tickets are valid for:
+ssl_session_timeout 1d;
+# NOTE NOTE NOTE NOTE NOTE
+# nginx only regenerates its ssl_session_ticket_key on reload or restart.
+# the ticket key is basically a symmetric key that effectively breaks
+# forward secrecy if leaked.
+# With ssl_session_tickets enabled, you should reload nginx daily to reset
+# the internal cached ticket key.
+# If you are using external ticket keys, those should also be rotated daily.
+# END NOTE END NOTE END NOTE
+# Internal cache of SSL sessions
+ssl_session_cache shared:SSL:500m; # 500MB = 2M cached sessions (4k sessions/MB)
+# session tickets are reused for the life of the server.
+# For multiple servers serving the same host,
+# have them all share the same key and rotate as necessary:
+# ssl_session_ticket_key [keyfile];
+# Without a ticket key file defined, a reload of nginx resets the key.
+ssl_session_tickets on;
+# Individual cipher files are included externally
+# (one of ssl_ciphers_{intermediate,modern})
+ssl_prefer_server_ciphers on;
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+# OCSP Stapling ---
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
+ssl_trusted_certificate /etc/ssl/lets-encrypt-x3-cross-signed.pem;
+# Instead of using resolver, take response from file:
+# ssl_stapling_file <-- must be set PER domain, but nginx so far has refused
+# to add the ability to have one stapling file per certificate now that nginx
+# supports both RSA and EC per domain. So, this is useless if you have multiple
+# certificates per domain.
+# 'valid' ignores DNS TTL and caches lookups for specified duration
+# This should be replaced with a local dnsmasq resolver at 127.0.0.1
+resolver 127.0.0.53 4.2.2.2 8.8.8.8 1.1.1.1 valid=600s ipv6=off;
+resolver_timeout 4s;

diff --git a/ansible/roles/nginx/files/tls/ssl_params b/ansible/roles/nginx/files/tls/ssl_params new file mode 100644 index 0000000..37798fc --- /dev/null +++ b/ansible/roles/nginx/files/tls/ssl_params
@@ -0,0 +1,55 @@
	1	# Test OCSP with:
	2	# openssl s_client -connect $site:443 -tls1 -tlsextdebug -status
	3	#
	4	# also test with:
	5	# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher RSA </dev/null
	6	#
	7	# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher ECDSA </dev/null
	8
	9
	10	# Duration client SSL session tickets are valid for:
	11	ssl_session_timeout 1d;
	12	# NOTE NOTE NOTE NOTE NOTE
	13	# nginx only regenerates its ssl_session_ticket_key on reload or restart.
	14	# the ticket key is basically a symmetric key that effectively breaks
	15	# forward secrecy if leaked.
	16	# With ssl_session_tickets enabled, you should reload nginx daily to reset
	17	# the internal cached ticket key.
	18	# If you are using external ticket keys, those should also be rotated daily.
	19	# END NOTE END NOTE END NOTE
	20
	21	# Internal cache of SSL sessions
	22	ssl_session_cache shared:SSL:500m; # 500MB = 2M cached sessions (4k sessions/MB)
	23
	24	# session tickets are reused for the life of the server.
	25	# For multiple servers serving the same host,
	26	# have them all share the same key and rotate as necessary:
	27	# ssl_session_ticket_key [keyfile];
	28	# Without a ticket key file defined, a reload of nginx resets the key.
	29	ssl_session_tickets on;
	30
	31	# Individual cipher files are included externally
	32	# (one of ssl_ciphers_{intermediate,modern})
	33	ssl_prefer_server_ciphers on;
	34
	35	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	36	add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
	37
	38	# OCSP Stapling ---
	39	# fetch OCSP records from URL in ssl_certificate and cache them
	40	ssl_stapling on;
	41	ssl_stapling_verify on;
	42
	43	# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
	44	ssl_trusted_certificate /etc/ssl/lets-encrypt-x3-cross-signed.pem;
	45
	46	# Instead of using resolver, take response from file:
	47	# ssl_stapling_file <-- must be set PER domain, but nginx so far has refused
	48	# to add the ability to have one stapling file per certificate now that nginx
	49	# supports both RSA and EC per domain. So, this is useless if you have multiple
	50	# certificates per domain.
	51
	52	# 'valid' ignores DNS TTL and caches lookups for specified duration
	53	# This should be replaced with a local dnsmasq resolver at 127.0.0.1
	54	resolver 127.0.0.53 4.2.2.2 8.8.8.8 1.1.1.1 valid=600s ipv6=off;
	55	resolver_timeout 4s;