From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001
From: clarkzjw <i@jinwei.me>
Date: Wed, 8 Feb 2023 00:40:09 -0800
Subject: fork https://github.com/mattsta/mailweb

---
 .../roles/nginx/files/tls/ssl_ciphers_intermediate | 10 ++++
 ansible/roles/nginx/files/tls/ssl_ciphers_modern   |  7 +++
 ansible/roles/nginx/files/tls/ssl_ciphers_tls13    |  7 +++
 ansible/roles/nginx/files/tls/ssl_params           | 55 ++++++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 ansible/roles/nginx/files/tls/ssl_ciphers_intermediate
 create mode 100644 ansible/roles/nginx/files/tls/ssl_ciphers_modern
 create mode 100644 ansible/roles/nginx/files/tls/ssl_ciphers_tls13
 create mode 100644 ansible/roles/nginx/files/tls/ssl_params

(limited to 'ansible/roles/nginx/files/tls')

diff --git a/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate b/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate
new file mode 100644
index 0000000..bc79954
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate
@@ -0,0 +1,10 @@
+# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# as of 2018-07-12
+
+# No TLSv1.3 support yet!
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/ssl/ffdhe2048.pem;
diff --git a/ansible/roles/nginx/files/tls/ssl_ciphers_modern b/ansible/roles/nginx/files/tls/ssl_ciphers_modern
new file mode 100644
index 0000000..ab93ffc
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_modern
@@ -0,0 +1,7 @@
+# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# as of 2018-07-12
+
+# No TLSv1.3 support yet!
+
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
diff --git a/ansible/roles/nginx/files/tls/ssl_ciphers_tls13 b/ansible/roles/nginx/files/tls/ssl_ciphers_tls13
new file mode 100644
index 0000000..db04c36
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_tls13
@@ -0,0 +1,7 @@
+# From https://github.com/cloudflare/sslconfig/blob/796bc5ac7224f1e540394d792323ccafa86aaeea/conf
+
+# nginx >= 1.11.0 (2016-05-24) created the 'ssl_ecdh_curve' parameter
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
+ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
diff --git a/ansible/roles/nginx/files/tls/ssl_params b/ansible/roles/nginx/files/tls/ssl_params
new file mode 100644
index 0000000..37798fc
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_params
@@ -0,0 +1,55 @@
+# Test OCSP with:
+# openssl s_client -connect $site:443 -tls1 -tlsextdebug -status
+#
+# also test with:
+# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher RSA </dev/null
+#
+# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher ECDSA </dev/null
+
+
+# Duration client SSL session tickets are valid for:
+ssl_session_timeout 1d;
+# NOTE NOTE NOTE NOTE NOTE
+# nginx only regenerates its ssl_session_ticket_key on reload or restart.
+# the ticket key is basically a symmetric key that effectively breaks
+# forward secrecy if leaked.
+# With ssl_session_tickets enabled, you should reload nginx daily to reset
+# the internal cached ticket key.
+# If you are using external ticket keys, those should also be rotated daily.
+# END NOTE END NOTE END NOTE
+
+# Internal cache of SSL sessions
+ssl_session_cache shared:SSL:500m; # 500MB = 2M cached sessions (4k sessions/MB)
+
+# session tickets are reused for the life of the server.
+# For multiple servers serving the same host,
+# have them all share the same key and rotate as necessary:
+# ssl_session_ticket_key [keyfile];
+# Without a ticket key file defined, a reload of nginx resets the key.
+ssl_session_tickets on;
+
+# Individual cipher files are included externally
+# (one of ssl_ciphers_{intermediate,modern})
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+
+# OCSP Stapling ---
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
+ssl_trusted_certificate /etc/ssl/lets-encrypt-x3-cross-signed.pem;
+
+# Instead of using resolver, take response from file:
+# ssl_stapling_file <-- must be set PER domain, but nginx so far has refused
+# to add the ability to have one stapling file per certificate now that nginx
+# supports both RSA and EC per domain. So, this is useless if you have multiple
+# certificates per domain.
+
+# 'valid' ignores DNS TTL and caches lookups for specified duration
+# This should be replaced with a local dnsmasq resolver at 127.0.0.1
+resolver 127.0.0.53 4.2.2.2 8.8.8.8 1.1.1.1 valid=600s ipv6=off;
+resolver_timeout 4s;
-- 
cgit v1.2.3