Merge branch 'nginx_security' into 'master'

Add proxy snippets and use nginx-light See merge request aurore/ansible!22
2019-03-14 12:28:05 +01:00 · 2019-03-14 12:28:05 +01:00 · 258bf1f90c
commit 258bf1f90c
parent f9473d0769 fb11981e8a
5 changed files with 85 additions and 16 deletions
--- a/roles/nginx-reverse-proxy/tasks/main.yml
+++ b/roles/nginx-reverse-proxy/tasks/main.yml
@ -1,18 +1,31 @@
 ---
 # nginx is the proxy server
+# nginx-light contains less modules
+# but also reduces the surface of attack
 - name: Install NGINX server
  apt:
-    name: nginx
+    name: nginx-light
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded

+# Install proxy snippets
+- name: Configure NGINX proxy snippets
+  template:
+    src: "nginx/snippets/{{ item }}.j2"
+    dest: "/etc/nginx/snippets/{{ item }}"
+    mode: 0644
+  loop:
+    - proxy-common.conf
+    - proxy-common-ssl.conf
+  notify: Reload NGINX service
+
 # Install sites
 - name: Configure NGINX sites
  template:
-    src: nginx-sites-available.j2
-    dest: /etc/nginx/sites-available/{{ item.name }}
+    src: nginx/nginx-sites-available.j2
+    dest: "/etc/nginx/sites-available/{{ item.name }}"
    mode: 0644
  loop: "{{ reversed_proxy_subdomains }}"
  notify: Reload NGINX service
@ -27,8 +40,8 @@
 # Activate sites
 - name: Activate sites
  file:
-    src: /etc/nginx/sites-available/{{ item.name }}
-    dest: /etc/nginx/sites-enabled/{{ item.name }}
+    src: "/etc/nginx/sites-available/{{ item.name }}"
+    dest: "/etc/nginx/sites-enabled/{{ item.name }}"
    state: link
  loop: "{{ reversed_proxy_subdomains }}"
  notify: Reload NGINX service
@ -36,7 +49,7 @@
 # Install main site
 - name: Configure NGINX main site
  template:
-    src: nginx-sites-available-main.j2
+    src: nginx/nginx-sites-available-main.j2
    dest: /etc/nginx/sites-available/main
    mode: 0644
  notify: Reload NGINX service
--- a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2
@ -1,16 +1,21 @@
 # {{ ansible_managed }}

 server {
-    server_name auro.re;
+    # Common proxy snippet
    include "snippets/proxy-common.conf";

-    location / {
-        return 302 https://$host$request_uri;
-    }
+    # Set witch server name we define
+    server_name auro.re;
+
+    # Permanentely moved to HTTPS
+    return 301 https://$host$request_uri;
 }

 server {
+    # Common proxy snippet
    include "snippets/proxy-common-ssl.conf";
+
+    # Set witch server name we define
    server_name auro.re;

    # Separate log files
@ -48,8 +53,10 @@ server {
 }

 server {
-    listen 8448 ssl default_server;
-    listen [::]:8448 ssl default_server;
+    listen 8448 ssl;
+    listen [::]:8448 ssl;
+
+    # Set witch server name we define
    server_name auro.re;

    # Separate log files
--- a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2
@ -1,16 +1,21 @@
 # {{ ansible_managed }}

 server {
-    server_name {{ item.from }};
+    # Common proxy snippet
    include "snippets/proxy-common.conf";

-    location / {
-        return 302 https://$host$request_uri;
-    }
+    # Set witch server name we define
+    server_name {{ item.from }};
+
+    # Permanentely moved to HTTPS
+    return 301 https://$host$request_uri;
 }

 server {
+    # Common proxy snippet
    include "snippets/proxy-common-ssl.conf";
+
+    # Set witch server name we define
    server_name {{ item.from }};

    # Separate log files
--- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
@ -0,0 +1,32 @@
+# {{ ansible_managed }}
+
+# Listen for IPv4 and IPv6 with HTTP2
+listen [::]:443 ssl http2;
+listen 443 ssl http2;
+
+# Hide NGINX version
+server_tokens off;
+
+# Reverse Proxy Adm
+set_real_ip_from 10.128.0.0/16;
+real_ip_header P-Real-Ip;
+
+# SSL based on https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ssl on;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.2;
+ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+ssl_prefer_server_ciphers on;
+add_header Strict-Transport-Security max-age=15768000;
+
+# OCSP Stapling,
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# Use more secure ECDH curve
+ssl_ecdh_curve secp521r1:secp384r1;
+
+# Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
--- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2
@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+# Listen for IPv4 and IPv6 with HTTP2
+listen 80 http2;
+listen [::]:80 http2;
+
+# Hide NGINX version
+server_tokens off;
+
+# Reverse Proxy Adm
+set_real_ip_from 10.128.0.0/16;
+real_ip_header P-Real-Ip;