From 108884732652b08e15fc54eca2a5f40c0844b252 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 3 May 2020 12:51:16 +0200 Subject: [PATCH] SSL snippet and drop TLS 1.0 and 1.1 --- roles/nginx-reverseproxy/tasks/main.yml | 16 +++++---- .../templates/letsencrypt/dhparam.j2 | 8 +++++ .../nginx/{ => sites-available}/redirect.j2 | 34 +++++-------------- .../{ => sites-available}/reverseproxy.j2 | 17 +++------- .../reverseproxy_redirect_dname.j2 | 17 +++------- .../nginx/snippets/options-ssl.conf.j2 | 17 ++++++++++ 6 files changed, 51 insertions(+), 58 deletions(-) create mode 100644 roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/redirect.j2 (58%) rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy.j2 (75%) rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy_redirect_dname.j2 (61%) create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml index 1fee6a3c..55af7c18 100644 --- a/roles/nginx-reverseproxy/tasks/main.yml +++ b/roles/nginx-reverseproxy/tasks/main.yml @@ -9,15 +9,19 @@ retries: 3 until: apt_result is succeeded -- name: Copy certbot SSL snippet - copy: - remote_src: true - src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf - dest: /etc/letsencrypt/options-ssl-nginx.conf +- name: Copy snippets + template: + src: nginx/snippets/options-ssl.conf.j2 + dest: /etc/nginx/snippets/options-ssl.conf + +- name: Copy dhparam + template: + src: letsencrypt/dhparam.j2 + dest: /etc/letsencrypt/dhparam - name: Copy reverse proxy sites template: - src: "nginx/{{ item }}.j2" + src: "nginx/sites-available/{{ item }}.j2" dest: "/etc/nginx/sites-available/{{ item }}" loop: - reverseproxy 
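Review bot: Neither the new `Copy snippets` task nor `Copy dhparam` notifies a reload, so a changed protocol or cipher policy in `/etc/nginx/snippets/options-ssl.conf` is only picked up by a running nginx when something else restarts it; if the role has an nginx reload handler (not visible in this hunk), both tasks should carry `notify: <nginx reload handler name>`. The hunk also moves ownership of the TLS policy from the certbot package (the removed copy of `options-ssl-nginx.conf`, which the old template comments describe as updated by Debian) into this role, so the policy is now frozen until someone edits the template; a comment on the task such as `# TLS policy is now maintained in this role, not by the certbot package; review it together with the snippet template` would make that explicit. The `Copy reverse proxy sites` loop continues past the end of the hunk.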
diff --git a/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 new file mode 100644 index 00000000..9b182b72 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 similarity index 58% rename from roles/nginx-reverseproxy/templates/nginx/redirect.j2 rename to roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 index 4d60807e..9cdb545b 100644 --- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 @@ -15,22 +15,13 @@ server { # Redirect https://{{ site.from }} to https://{{ site.to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ site.from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; location / { return 302 https://{{ site.to }}$request_uri; 
@@ -58,22 +49,13 @@ server { # Redirect https://{{ from }} to https://{{ site.to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; location / { return 302 https://{{ site.to }}$request_uri; diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 similarity index 75% rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 index 31c34462..50ef7b2e 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 @@ -15,22 +15,13 @@ server { # Reverse proxify https://{{ site.from }} to http://{{ site.to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ site.from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; # Log into separate log files access_log /var/log/nginx/{{ site.from }}.log; 
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 similarity index 61% rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 index 8fc57808..db2084a4 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 @@ -19,22 +19,13 @@ server { # Redirect https://{{ from }} to https://{{ to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; location / { return 302 https://{{ to }}$request_uri; diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 new file mode 100644 index 00000000..c585cc26 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+ssl_certificate {{ nginx.ssl.cert }};
+ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_dhparam /etc/letsencrypt/dhparam;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
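Review bot: `ssl_stapling on` with `ssl_stapling_verify on` only works if nginx can resolve the OCSP responder hostname, and the snippet sets no `resolver`; unless one is defined in the http context elsewhere in the role, stapling fails quietly (nginx logs a "no resolver defined" warning and serves no stapled response), so either add a `resolver` alongside these lines or document that dependency in the snippet. The cipher list, the `shared:MozSSL` cache name, `ssl_prefer_server_ciphers off` and the dhparam file added in this commit (which looks like RFC 7919 ffdhe2048) appear to follow the Mozilla SSL Configuration Generator intermediate profile, but nothing records that, so a header comment like `# TLS policy: Mozilla intermediate profile (TLS 1.2+); re-check against the generator when updating` would give the next maintainer a reference point. `ssl_protocols TLSv1.2 TLSv1.3` also requires nginx built against OpenSSL 1.1.1 (nginx 1.13 or later), which is worth stating as the minimum target since the role applies this snippet to every HTTPS server block. The profile this seems to follow pairs these settings with an HSTS `add_header Strict-Transport-Security` line, which is absent both here and in the removed certbot snippet; if it is set in the site templates instead, a one-line comment here saying so would avoid the question.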