From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001
From: clarkzjw
Date: Wed, 8 Feb 2023 00:40:09 -0800
Subject: fork https://github.com/mattsta/mailweb

---
 ansible/roles/nginx/defaults/main.yml | 6 ++
 ansible/roles/nginx/files/conf.d/http.custom.conf | 84 +++++++++++++++
 .../roles/nginx/files/tls/ssl_ciphers_intermediate | 10 ++
 ansible/roles/nginx/files/tls/ssl_ciphers_modern | 7 ++
 ansible/roles/nginx/files/tls/ssl_ciphers_tls13 | 7 ++
 ansible/roles/nginx/files/tls/ssl_params | 55 ++++++++++
 ansible/roles/nginx/handlers/main.yml | 3 +
 ansible/roles/nginx/tasks/main.yml | 118 +++++++++++++++++++++
 ansible/roles/nginx/templates/basic-site.conf.j2 | 68 ++++++++++++
 9 files changed, 358 insertions(+)
 create mode 100644 ansible/roles/nginx/defaults/main.yml
 create mode 100644 ansible/roles/nginx/files/conf.d/http.custom.conf
 create mode 100644 ansible/roles/nginx/files/tls/ssl_ciphers_intermediate
 create mode 100644 ansible/roles/nginx/files/tls/ssl_ciphers_modern
 create mode 100644 ansible/roles/nginx/files/tls/ssl_ciphers_tls13
 create mode 100644 ansible/roles/nginx/files/tls/ssl_params
 create mode 100644 ansible/roles/nginx/handlers/main.yml
 create mode 100644 ansible/roles/nginx/tasks/main.yml
 create mode 100644 ansible/roles/nginx/templates/basic-site.conf.j2

(limited to 'ansible/roles/nginx')

diff --git a/ansible/roles/nginx/defaults/main.yml b/ansible/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..34ac696
--- /dev/null
+++ b/ansible/roles/nginx/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+nginx:
+ # Don't disable anything by default, but provide it here
+ # so you don't need to include empty 'disabled' in your own
+ # host configs.
+ disabled: []
diff --git a/ansible/roles/nginx/files/conf.d/http.custom.conf b/ansible/roles/nginx/files/conf.d/http.custom.conf
new file mode 100644
index 0000000..5f70166
--- /dev/null
+++ b/ansible/roles/nginx/files/conf.d/http.custom.conf
@@ -0,0 +1,84 @@
+
+## Proxy options
+proxy_buffering on;
+# proxy_cache_min_uses 3;
+proxy_cache_path /var/nginx/proxy-cache/ levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000M;
+proxy_cache_valid any 10m;
+proxy_ignore_client_abort off;
+proxy_intercept_errors on;
+proxy_next_upstream error timeout invalid_header;
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_connect_timeout 60;
+proxy_send_timeout 60;
+proxy_read_timeout 60;
+
+# We used to use this header when we ran dual http/https stacks to verify
+# user login pages were being only requested over https, but now we forward
+# every site to https, so we can assume our schemes are aligned to our interests
+# (as long as all our backend code stopped checking for X-Forwarded-Proto too).
+#proxy_set_header X-Forwarded-Proto $scheme;
+
+## Size Limits
+# May need to override these (server or location blocks) if doing large uploads.
+# Setting to zero disables any size checking.
+client_body_buffer_size 16k;
+client_max_body_size 15m;
+
+# If clients send headers larger than 1k,
+# they get upgraded to large_client_header_buffers.
+client_header_buffer_size 1k;
+large_client_header_buffers 32 64k;
+
+## Timeouts
+client_body_timeout 5s;
+client_header_timeout 5s;
+keepalive_timeout 5s 5s;
+#keepalive_timeout 0;
+send_timeout 5s;
+
+## General Options
+ignore_invalid_headers on;
+recursive_error_pages on;
+#sendfile on; # enabled by top level config
+server_name_in_redirect off;
+server_tokens off;
+
+# For per-client rate limiting, see config options at:
+# https://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
+
+## Compression
+#gzip on; # enabled by top level config
+gzip_static on;
+gzip_buffers 16 32k;
+gzip_comp_level 6;
+gzip_http_version 1.0;
+gzip_min_length 500;
+gzip_types text/plain application/x-javascript text/xml text/css image/x-icon application/xml application/xml+rss text/javascript application/javascript application/json image/svg+xml font/truetype font/opentype application/vnd.ms-fontobject;
+gzip_vary on;
+gzip_proxied any; # required for cloudfront to receive a gzip'd response
+
+## Filesystem Operation Cache (caches fds, sizes, times, errors, etc)
+open_file_cache max=6000 inactive=5m;
+open_file_cache_valid 2m;
+open_file_cache_min_uses 1;
+open_file_cache_errors on;
+
+# For reading a response from disk
+output_buffers 32 32k;
+
+## Optimize Large File Transfers (can be overriden in hosts and locations)
+aio threads; # use default thread pool, create thread pools: threads=NAME;
+aio_write on; # use threaded writes for temporary files and proxied data
+
+# For files larger than 8 MB, use O_DIRECT instead of sendfile()
+directio 8m;
+directio_alignment 512; # if using XFS, set as 4096
+
+## Access Log Caches
+open_log_file_cache max=64 inactive=20s min_uses=1 valid=1m;
+
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
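Review bot: `large_client_header_buffers 32 64k;` lets one connection hold up to 2 MB of request-header buffers (32 × 64k) before nginx rejects the request, so an unauthenticated client can pin memory cheaply with oversized header lines; unless a documented need exists (very large cookies or bearer tokens), `large_client_header_buffers 4 16k;` stays close to nginx's default and is enough for most proxied apps. The comment above it only explains the upgrade path from `client_header_buffer_size`, so the chosen size should be justified in a comment either way. Separately, `proxy_cache_valid any 10m;` would keep 4xx/5xx responses for ten minutes once a `proxy_cache` directive is enabled; no `proxy_cache` appears in this hunk, so caching is inert here, but if it is switched on elsewhere in the role `proxy_cache_valid 200 301 302 10m;` avoids serving stale errors.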
diff --git a/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate b/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate
new file mode 100644
index 0000000..bc79954
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_intermediate
@@ -0,0 +1,10 @@
+# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# as of 2018-07-12
+
+# No TLSv1.3 support yet!
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/ssl/ffdhe2048.pem;
diff --git a/ansible/roles/nginx/files/tls/ssl_ciphers_modern b/ansible/roles/nginx/files/tls/ssl_ciphers_modern
new file mode 100644
index 0000000..ab93ffc
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_modern
@@ -0,0 +1,7 @@
+# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# as of 2018-07-12
+
+# No TLSv1.3 support yet!
+
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
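Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` re-enables TLS 1.0 and 1.1, which RFC 8996 deprecated, and the `ssl_ciphers` list keeps the 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`, Sweet32) plus non-forward-secret `AES*-SHA*` RSA suites; the header dates this to 2018-07-12 and the "No TLSv1.3 support yet!" remark is stale on any nginx linked against OpenSSL 1.1.1 or later. If legacy clients are not a hard requirement, `ssl_protocols TLSv1.2 TLSv1.3;` and removing the four `*DES-CBC3-SHA` entries is the straightforward fix; if they are, say so in the comment so the profile is not picked by accident. The same TLS 1.0/1.1 and 3DES choice appears in ssl_ciphers_tls13 (`ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;`, `ECDHE+3DES:RSA+3DES`). `ssl_dhparam /etc/ssl/ffdhe2048.pem;` points at a file none of the visible hunks provision — presumably tasks/main.yml does — worth confirming so `nginx -t` does not fail on a fresh host.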
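Review bot: `ssl_protocols TLSv1.2;` omits TLS 1.3 in the profile named "modern"; the "No TLSv1.3 support yet!" comment is copied from 2018 generator output and no longer holds for nginx on OpenSSL 1.1.1+, so `ssl_protocols TLSv1.2 TLSv1.3;` is the expected setting. The change is backward-compatible because OpenSSL negotiates TLS 1.3 suites independently of the `ssl_ciphers` string, so the existing list keeps governing TLS 1.2 clients. The list itself is fine: every suite is ECDHE (forward secret) with AEAD or SHA-2 MACs.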
diff --git a/ansible/roles/nginx/files/tls/ssl_ciphers_tls13 b/ansible/roles/nginx/files/tls/ssl_ciphers_tls13
new file mode 100644
index 0000000..db04c36
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_ciphers_tls13
@@ -0,0 +1,7 @@
+# From https://github.com/cloudflare/sslconfig/blob/796bc5ac7224f1e540394d792323ccafa86aaeea/conf
+
+# nginx >= 1.11.0 (2016-05-24) created the 'ssl_ecdh_curve' parameter
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
+ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
diff --git a/ansible/roles/nginx/files/tls/ssl_params b/ansible/roles/nginx/files/tls/ssl_params
new file mode 100644
index 0000000..37798fc
--- /dev/null
+++ b/ansible/roles/nginx/files/tls/ssl_params
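Review bot: the `ssl_ciphers` value uses the `[A|B|C|D]` equal-preference group syntax, which is a BoringSSL extension used by Cloudflare's patched nginx (the header's source link); as far as I know OpenSSL's cipher-string parser does not accept `[`, so on a stock distro nginx this file would make `nginx -t` fail with an `SSL_CTX_set_cipher_list()` error. If the role targets stock nginx, drop the brackets and list the four suites in preference order, e.g. `ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256';`. `P-224` in `ssl_ecdh_curve` offers less than 128-bit security and can be removed from the curve list as well.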
@@ -0,0 +1,55 @@
+# Test OCSP with:
+# openssl s_client -connect $site:443 -tls1 -tlsextdebug -status
+#
+# also test with:
+# openssl s_client -connect $site:443 -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -status -tlsextdebug -cipher RSA = 1.11.0 (2016-05-24) allows loading redundant certs and keys so you
+ # can serve modern EC clients and less modern RSA clients at the same time.
+ ssl_certificate /etc/ssl/{{ item.domain }}-cert-combined.prime256v1.pem;
+ ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.prime256v1.pem;
+
+ root /srv/web/{{ item.domain }};
+
+{% if nginx.google is defined %}
+ location /{{ nginx.google.siteKey }}.html {
+ root {{ nginx.google.siteKeyServeDir }}};
+ }
+{% endif %}
+
+{% if item.customConfig is defined %}
+{{ item.customConfig }}
+{% endif %}
+
+{% for location in item.uri %}
+ location {{ location.path }} {
+{% if location.appServer is defined %}
+ proxy_pass {{ location.appServer }}/$request_uri;
+ proxy_set_header Host $host;
+{% else %}
+ root /srv/web/{{ item.domain }};
+{% endif %}
+ }
+{% endfor %}
+}
+
+server {
+ listen {{ item.domain }} fastopen=4096 reuseport;
+ server_name www.{{ item.domain }} {{ item.domain }};
+
+ access_log /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
+ error_log /var/log/nginx/{{ item.domain }}.error.log error;
+
+ location /.well-known/acme-challenge/ {
+ alias /srv/web/challenges/;
+ try_files $uri =404;
+ }
+
+ location / {
+ return 301 https://{{ item.domain }}$request_uri;
+ }
+}
-- cgit v1.2.3