diff --git a/roles/nginx-reverse-proxy/tasks/main.yml b/roles/nginx-reverse-proxy/tasks/main.yml
index 7f7483d..c646a23 100644
--- a/roles/nginx-reverse-proxy/tasks/main.yml
+++ b/roles/nginx-reverse-proxy/tasks/main.yml
@@ -1,18 +1,31 @@
 ---
 # nginx is the proxy server
+# nginx-light contains less modules
+# but also reduces the surface of attack
 - name: Install NGINX server
   apt:
-    name: nginx
+    name: nginx-light
     update_cache: true
   register: apt_result
   retries: 3
   until: apt_result is succeeded
+# Install proxy snippets
+- name: Configure NGINX proxy snippets
+  template:
+    src: "nginx/snippets/{{ item }}.j2"
+    dest: "/etc/nginx/snippets/{{ item }}"
+    mode: 0644
+  loop:
+    - proxy-common.conf
+    - proxy-common-ssl.conf
+  notify: Reload NGINX service
+
 # Install sites
 - name: Configure NGINX sites
   template:
-    src: nginx-sites-available.j2
-    dest: /etc/nginx/sites-available/{{ item.name }}
+    src: nginx/nginx-sites-available.j2
+    dest: "/etc/nginx/sites-available/{{ item.name }}"
     mode: 0644
   loop: "{{ reversed_proxy_subdomains }}"
   notify: Reload NGINX service
@@ -27,8 +40,8 @@
 # Activate sites
 - name: Activate sites
   file:
-    src: /etc/nginx/sites-available/{{ item.name }}
-    dest: /etc/nginx/sites-enabled/{{ item.name }}
+    src: "/etc/nginx/sites-available/{{ item.name }}"
+    dest: "/etc/nginx/sites-enabled/{{ item.name }}"
     state: link
   loop: "{{ reversed_proxy_subdomains }}"
   notify: Reload NGINX service
@@ -36,7 +49,7 @@
 # Install main site
 - name: Configure NGINX main site
   template:
-    src: nginx-sites-available-main.j2
+    src: nginx/nginx-sites-available-main.j2
     dest: /etc/nginx/sites-available/main
     mode: 0644
   notify: Reload NGINX service
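Review bot: Switching the package to nginx-light in the first hunk conflicts with the `set_real_ip_from` / `real_ip_header` directives that the new "Configure NGINX proxy snippets" task installs a few lines below: on Debian stretch/buster nginx-light is built without http_realip_module, so `nginx -t` fails with an unknown-directive error and the "Reload NGINX service" handler never applies the configuration — check `nginx -V` on the target release before relying on the smaller package. The same task also ships proxy-common-ssl.conf, whose `ssl_dhparam /etc/ssl/certs/dhparam.pem` is, according to the snippet's own comment, generated by hand; no task in this role creates or checks that file, so a fresh host fails the config test for a second reason. Either keep nginx-full, or have the role provision what the snippets require, for example a DH-parameter task placed before the snippet task (4096-bit generation takes minutes on small hosts, which is worth stating in the task name or lowering).
```yaml
# proxy-common-ssl.conf references this file; generate it here rather than by hand (slow)
- name: Generate DH parameters for NGINX
  openssl_dhparam:
    path: /etc/ssl/certs/dhparam.pem
    size: 4096

# … unchanged: Configure NGINX proxy snippets task …
```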
diff --git a/roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2
similarity index 86%
rename from roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2
rename to roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2
index 43f678f..1df30fd 100644
--- a/roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2
@@ -1,16 +1,21 @@
 # {{ ansible_managed }}
 server {
-    server_name auro.re;
+    # Common proxy snippet
     include "snippets/proxy-common.conf";
-    location / {
-        return 302 https://$host$request_uri;
-    }
+    # Set witch server name we define
+    server_name auro.re;
+
+    # Permanentely moved to HTTPS
+    return 301 https://$host$request_uri;
 }
 server {
+    # Common proxy snippet
     include "snippets/proxy-common-ssl.conf";
+
+    # Set witch server name we define
     server_name auro.re;
     # Separate log files
@@ -48,8 +53,10 @@ server {
-    listen 8448 ssl default_server;
-    listen [::]:8448 ssl default_server;
+    listen 8448 ssl;
+    listen [::]:8448 ssl;
+
+    # Set witch server name we define
     server_name auro.re;
     # Separate log files
diff --git a/roles/nginx-reverse-proxy/templates/nginx-sites-available.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2
similarity index 82%
rename from roles/nginx-reverse-proxy/templates/nginx-sites-available.j2
rename to roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2
index 0ddd2df..a733f23 100644
--- a/roles/nginx-reverse-proxy/templates/nginx-sites-available.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2
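Review bot: The new `return 301 https://$host$request_uri;` in the port-80 server block reflects the client's Host header into the redirect target, and no server on port 80 declares `default_server` (the only one that had it, the 8448 block further down, drops it in this commit), so whichever server nginx loads first for port 80 answers requests for unknown hosts and sends them to `https://<attacker-chosen-host>/…` — an open redirect. Since the name is fixed here, `return 301 https://$server_name$request_uri;` removes the reflection; alternatively add an explicit catch-all `server { listen 80 default_server; listen [::]:80 default_server; return 444; }`. The replaced `location / { return 302 … }` had the same shape, so the defect is pre-existing, but the permanent 301 now gets cached by browsers.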
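Review bot: The 8448 server block keeps its own `listen 8448 ssl;` lines instead of including proxy-common-ssl.conf, so none of the hardening that snippet now carries (`ssl_protocols TLSv1.2;`, the cipher list, `server_tokens off;`, the real-IP directives) applies to this listener unless it is repeated later in the block, which lies outside the hunk — on older nginx builds that leaves TLSv1/1.1 and the default cipher suite enabled on 8448. Consider splitting the TLS and hardening directives out of the snippet into one that carries no `listen`, and including it from all three server blocks. Dropping `default_server` is harmless as long as this remains the only server on 8448, since nginx then uses it as the implicit default anyway.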
@@ -1,16 +1,21 @@
 # {{ ansible_managed }}
 server {
-    server_name {{ item.from }};
+    # Common proxy snippet
     include "snippets/proxy-common.conf";
-    location / {
-        return 302 https://$host$request_uri;
-    }
+    # Set witch server name we define
+    server_name {{ item.from }};
+
+    # Permanentely moved to HTTPS
+    return 301 https://$host$request_uri;
 }
 server {
+    # Common proxy snippet
     include "snippets/proxy-common-ssl.conf";
+
+    # Set witch server name we define
     server_name {{ item.from }};
     # Separate log files
diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
new file mode 100644
index 0000000..1385eb0
--- /dev/null
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+# Listen for IPv4 and IPv6 with HTTP2
+listen [::]:443 ssl http2;
+listen 443 ssl http2;
+
+# Hide NGINX version
+server_tokens off;
+
+# Reverse Proxy Adm
+set_real_ip_from 10.128.0.0/16;
+real_ip_header P-Real-Ip;
+
+# SSL
+ssl on;
+ssl_session_timeout 5m;
+ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES";
+ssl_prefer_server_ciphers off;
+ssl_session_cache shared:SSL:10m;
+
+# In buster we will be able to use TLSv1.3
+ssl_protocols TLSv1.2;
+
+# Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2
new file mode 100644
index 0000000..b479c14
--- /dev/null
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2
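Review bot: The per-subdomain template has the same redirect problem as the main site: `return 301 https://$host$request_uri;` echoes whatever Host header arrived, and because nothing on port 80 declares `default_server`, the first subdomain file nginx loads from sites-enabled becomes the implicit default and will 301 requests for unknown hosts to an attacker-chosen `https://` origin. Prefer `return 301 https://$server_name$request_uri;` (the first name of `server_name {{ item.from }};`), or add one explicit port-80 catch-all that returns 444. If `item.from` can ever hold several names, `$server_name` only yields the first, so the catch-all is the more general fix.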
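Review bot: `ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES";` combined with `ssl_prefer_server_ciphers off;` still admits static-RSA, CBC and SHA-1 suites (AES256-SHA for instance), so a client can negotiate a TLS 1.2 session without forward secrecy; an ECDHE/DHE-only AEAD list such as the Mozilla intermediate profile, `ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";`, closes that. `ssl_stapling_verify on;` additionally needs `ssl_trusted_certificate /path/to/chain.pem;` and a `resolver` directive, neither of which the snippet sets; without them nginx only logs a warning and stapling is silently disabled, so the "point to certificate chain" comment should be backed by the actual directive. `ssl on;` is redundant with `listen … ssl` and deprecated since nginx 1.15.0 (it emits a warning at config test), so drop it. Consider `ssl_session_tickets off;` as well, since the ticket key otherwise only rotates on restart and undermines the forward secrecy the cipher list provides.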
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+# Listen for IPv4 and IPv6 with HTTP2
+listen 80 http2;
+listen [::]:80 http2;
+
+# Hide NGINX version
+server_tokens off;
+
+# Reverse Proxy Adm
+set_real_ip_from 10.128.0.0/16;
+real_ip_header P-Real-Ip;
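Review bot: `listen 80 http2;` / `listen [::]:80 http2;` on the plaintext port defeats the HTTPS redirect these listeners exist for: on nginx builds older than 1.25.1 (which covers the Debian stretch/buster packages this role targets) the `http2` listen parameter on a non-TLS socket makes nginx treat every connection as h2c, so ordinary HTTP/1.1 browser requests on port 80 are rejected instead of receiving the 301 — use `listen 80;` and `listen [::]:80;` here and keep `http2` on the 443 listens only. `real_ip_header P-Real-Ip;` also looks like a typo for the conventional `X-Real-IP`: if the front proxy in 10.128.0.0/16 sends the standard header, nginx never finds `P-Real-Ip`, `$remote_addr` stays the proxy's address, and access logs plus any IP-based rules see 10.128.x.x — worth confirming which header the front proxy actually sets. The same header name appears in proxy-common-ssl.conf, so both snippets need the same correction.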