Merge branch 'nginx_security' into 'master'

Add proxy snippets and use nginx-light

See merge request aurore/ansible!22
This commit is contained in:
Alexandre IOOSS 2019-03-14 12:28:05 +01:00
commit 258bf1f90c
5 changed files with 85 additions and 16 deletions

View file

@ -1,18 +1,31 @@
--- ---
# nginx is the proxy server # nginx is the proxy server
# nginx-light contains less modules
# but also reduces the surface of attack
- name: Install NGINX server - name: Install NGINX server
apt: apt:
name: nginx name: nginx-light
update_cache: true update_cache: true
register: apt_result register: apt_result
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
# Install proxy snippets
- name: Configure NGINX proxy snippets
template:
src: "nginx/snippets/{{ item }}.j2"
dest: "/etc/nginx/snippets/{{ item }}"
mode: 0644
loop:
- proxy-common.conf
- proxy-common-ssl.conf
notify: Reload NGINX service
# Install sites # Install sites
- name: Configure NGINX sites - name: Configure NGINX sites
template: template:
src: nginx-sites-available.j2 src: nginx/nginx-sites-available.j2
dest: /etc/nginx/sites-available/{{ item.name }} dest: "/etc/nginx/sites-available/{{ item.name }}"
mode: 0644 mode: 0644
loop: "{{ reversed_proxy_subdomains }}" loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service notify: Reload NGINX service
@ -27,8 +40,8 @@
# Activate sites # Activate sites
- name: Activate sites - name: Activate sites
file: file:
src: /etc/nginx/sites-available/{{ item.name }} src: "/etc/nginx/sites-available/{{ item.name }}"
dest: /etc/nginx/sites-enabled/{{ item.name }} dest: "/etc/nginx/sites-enabled/{{ item.name }}"
state: link state: link
loop: "{{ reversed_proxy_subdomains }}" loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service notify: Reload NGINX service
@ -36,7 +49,7 @@
# Install main site # Install main site
- name: Configure NGINX main site - name: Configure NGINX main site
template: template:
src: nginx-sites-available-main.j2 src: nginx/nginx-sites-available-main.j2
dest: /etc/nginx/sites-available/main dest: /etc/nginx/sites-available/main
mode: 0644 mode: 0644
notify: Reload NGINX service notify: Reload NGINX service

View file

@ -1,16 +1,21 @@
# {{ ansible_managed }} # {{ ansible_managed }}
server { server {
server_name auro.re; # Common proxy snippet
include "snippets/proxy-common.conf"; include "snippets/proxy-common.conf";
location / { # Set witch server name we define
return 302 https://$host$request_uri; server_name auro.re;
}
# Permanentely moved to HTTPS
return 301 https://$host$request_uri;
} }
server { server {
# Common proxy snippet
include "snippets/proxy-common-ssl.conf"; include "snippets/proxy-common-ssl.conf";
# Set witch server name we define
server_name auro.re; server_name auro.re;
# Separate log files # Separate log files
@ -48,8 +53,10 @@ server {
} }
server { server {
listen 8448 ssl default_server; listen 8448 ssl;
listen [::]:8448 ssl default_server; listen [::]:8448 ssl;
# Set witch server name we define
server_name auro.re; server_name auro.re;
# Separate log files # Separate log files

View file

@ -1,16 +1,21 @@
# {{ ansible_managed }} # {{ ansible_managed }}
server { server {
server_name {{ item.from }}; # Common proxy snippet
include "snippets/proxy-common.conf"; include "snippets/proxy-common.conf";
location / { # Set witch server name we define
return 302 https://$host$request_uri; server_name {{ item.from }};
}
# Permanentely moved to HTTPS
return 301 https://$host$request_uri;
} }
server { server {
# Common proxy snippet
include "snippets/proxy-common-ssl.conf"; include "snippets/proxy-common-ssl.conf";
# Set witch server name we define
server_name {{ item.from }}; server_name {{ item.from }};
# Separate log files # Separate log files

View file

@ -0,0 +1,32 @@
# {{ ansible_managed }}
# Listen for IPv4 and IPv6 with HTTP2
listen [::]:443 ssl http2;
listen 443 ssl http2;
# Hide NGINX version
server_tokens off;
# Reverse Proxy Adm
set_real_ip_from 10.128.0.0/16;
real_ip_header P-Real-Ip;
# SSL based on https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling,
ssl_stapling on;
ssl_stapling_verify on;
# Use more secure ECDH curve
ssl_ecdh_curve secp521r1:secp384r1;
# Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer
ssl_dhparam /etc/ssl/certs/dhparam.pem;

View file

@ -0,0 +1,12 @@
# {{ ansible_managed }}
# Listen for IPv4 and IPv6 with HTTP2
listen 80 http2;
listen [::]:80 http2;
# Hide NGINX version
server_tokens off;
# Reverse Proxy Adm
set_real_ip_from 10.128.0.0/16;
real_ip_header P-Real-Ip;