diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba70757ddd..f4d3ad8cca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Nginx role improvements: use more h5bp configs ([#428](https://github.com/roots/trellis/pull/428))
 * Add global `deploy_before` and `deploy_after` hooks ([#427](https://github.com/roots/trellis/pull/427))
 * Fix HSTS headers ([#424](https://github.com/roots/trellis/pull/424))
 * Notify Windows users about SSH forwarding ([#423](https://github.com/roots/trellis/pull/423))
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 5d32852d6d..cac7ce51d4 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+nginx_path: /etc/nginx
 nginx_logs_root: /var/log/nginx
 nginx_user: www-data
 strip_www: true
diff --git a/roles/nginx/files/ssl-stapling.conf b/roles/nginx/files/ssl-stapling.conf
deleted file mode 100644
index 618be94001..0000000000
--- a/roles/nginx/files/ssl-stapling.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-ssl_stapling on;
-ssl_stapling_verify on;
-
-resolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s;
-resolver_timeout 2s;
diff --git a/roles/nginx/files/ssl.conf b/roles/nginx/files/ssl.conf
deleted file mode 100644
index 0e01f7470b..0000000000
--- a/roles/nginx/files/ssl.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
-# SSLv3 to the list of protocols below.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
-# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
-ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
-ssl_prefer_server_ciphers on;
-
-# Protect against Logjam attack by generating a strong and unique Diffie-Hellman group: https://weakdh.org/sysadmin.html
-ssl_dhparam /etc/nginx/ssl/dhparams.pem;
-
-# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
-# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
-# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
-# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
-ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
-ssl_session_timeout 24h;
-
-# SSL buffer size was added in 1.5.9
-ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
-
-# Session tickets appeared in version 1.5.9
-#
-# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
-# when a restart is performed the previous key is lost, which resets all previous
-# sessions. The fix for this is to setup a manual rotation mechanism:
-# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
-#
-# Note that you'll have to define and rotate the keys securely by yourself. In absence
-# of such infrastructure, consider turning off session tickets:
-ssl_session_tickets off;
-
-# Use a higher keepalive timeout to reduce the need for repeated handshakes
-keepalive_timeout 300; # up from 75 secs default
-spdy_keepalive_timeout 300;
-
-spdy_headers_comp 6;
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index f3f7b2aa51..e058983708 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,47 +1,63 @@ --- - name: Add Nginx PPA - apt_repository: repo="ppa:nginx/stable" update_cache=yes + apt_repository: + repo: "ppa:nginx/stable" + update_cache: yes - name: Install Nginx - apt: name=nginx state=present force=yes + apt: + name: nginx + state: present + force: yes - name: Create SSL directory - file: dest=/etc/nginx/ssl state=directory + file: + dest: "{{ nginx_path }}/ssl" + state: directory - name: Generate strong unique Diffie-Hellman group. command: openssl dhparam -out dhparams.pem 2048 args: - chdir: /etc/nginx/ssl/ - creates: /etc/nginx/ssl/dhparams.pem + chdir: "{{ nginx_path }}/ssl" + creates: "{{ nginx_path }}/ssl/dhparams.pem" notify: reload nginx - name: Grab h5bp/server-configs-nginx - git: repo="https://github.com/h5bp/server-configs-nginx.git" - dest=/etc/nginx/h5bp-server-configs - version=94b3680c9d13f108d6d62c22cba251b84f795aa8 - force=yes + git: + repo: "https://github.com/h5bp/server-configs-nginx.git" + dest: "{{ nginx_path }}/h5bp-server-configs" + version: 82181a672a7c26f9bc8744fead80318d8a2520b1 + force: yes - name: Move h5bp configs - command: creates=/etc/nginx/h5bp/ cp -R /etc/nginx/h5bp-server-configs/h5bp /etc/nginx/h5bp - -- name: Copy conf files - copy: src="{{ item }}" dest=/etc/nginx/{{ item | basename }} mode=644 - with_fileglob: '*' + command: cp -R {{ nginx_path }}/h5bp-server-configs/h5bp {{ nginx_path }}/h5bp + args: + creates: "{{ nginx_path }}/h5bp/" - name: Create nginx.conf - template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf + template: + src: nginx.conf.j2 + dest: "{{ nginx_path }}/nginx.conf" notify: reload nginx - name: Disable default server - file: path=/etc/nginx/sites-enabled/default state=absent + file: + path: "{{ nginx_path }}/sites-enabled/default" + state: absent notify: reload nginx - name: Enable better default site to drop unknown requests - command: creates=/etc/nginx/sites-enabled/no-default.conf cp /etc/nginx/h5bp-server-configs/sites-available/no-default 
/etc/nginx/sites-enabled/no-default.conf + command: cp {{ nginx_path }}/h5bp-server-configs/sites-available/no-default {{ nginx_path }}/sites-enabled/no-default.conf + args: + creates: "{{ nginx_path }}/sites-enabled/no-default.conf" notify: reload nginx - name: Create base WordPress config - template: src=wordpress.conf.j2 dest=/etc/nginx/wordpress.conf + template: + src: wordpress.conf.j2 + dest: "{{ nginx_path }}/wordpress.conf" - name: Create base WordPress subdirectory Multisite config - template: src=wordpress_multisite_subdirectories.conf.j2 dest=/etc/nginx/wordpress_multisite_subdirectories.conf + template: + src: wordpress_multisite_subdirectories.conf.j2 + dest: "{{ nginx_path }}/wordpress_multisite_subdirectories.conf" diff --git a/roles/nginx/templates/wordpress.conf.j2 b/roles/nginx/templates/wordpress.conf.j2 index 3d7a76d4b2..2310e5203b 100644 --- a/roles/nginx/templates/wordpress.conf.j2 +++ b/roles/nginx/templates/wordpress.conf.j2 @@ -13,5 +13,6 @@ location / { client_max_body_size {{ php_post_max_size | default('25m') | lower }}; include h5bp/directive-only/x-ua-compatible.conf; +include h5bp/directive-only/extra-security.conf; include h5bp/location/cross-domain-fonts.conf; include h5bp/location/protect-system-files.conf; diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 09e07e0fa6..85e104d930 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
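Review bot: The `Move h5bp configs` task still guards its `cp -R` with `creates: "{{ nginx_path }}/h5bp/"`, so on a host that was already provisioned the bump of `version` to 82181a67 in `Grab h5bp/server-configs-nginx` updates the checkout but never refreshes `{{ nginx_path }}/h5bp`, and the `extra-security.conf` include this commit adds to wordpress.conf.j2 may then point at a file that is absent or stale. Register the git result and copy whenever the checkout changed instead; note that `cp -R src dst` nests a second `h5bp` directory when `dst` already exists, so copy the directory contents (`h5bp/.`) into it. A smaller point: `apt: force: yes` passes `--force-yes`, which (per the apt module docs) disables package signature checking and allows silent downgrades — if it is only there to suppress prompts, drop it, and write the booleans as `true` rather than `yes` throughout the file.
```yaml
- name: Grab h5bp/server-configs-nginx
  git:
    repo: "https://github.com/h5bp/server-configs-nginx.git"
    dest: "{{ nginx_path }}/h5bp-server-configs"
    version: 82181a672a7c26f9bc8744fead80318d8a2520b1
    force: true
  register: h5bp_checkout

# Re-copy the directive/location snippets whenever the pinned checkout moved,
# instead of only on first provisioning.
- name: Copy h5bp configs into place
  command: cp -R {{ nginx_path }}/h5bp-server-configs/h5bp/. {{ nginx_path }}/h5bp/
  when: h5bp_checkout.changed
  notify: reload nginx
```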
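Review bot: Moving the X-Frame-Options / X-Content-Type-Options / X-XSS-Protection headers into `include h5bp/directive-only/extra-security.conf;` makes them subject to nginx's `add_header` inheritance rule: a `location` that declares any `add_header` of its own inherits none of the server-level ones, so if the `cross-domain-fonts.conf` include on the next line sets `Access-Control-Allow-Origin` (as its name suggests; I cannot see that file here), font responses will carry neither these headers nor the HSTS header set in the server block. Either repeat the security `add_header` set inside every such location or verify the rendered headers on a font response and a PHP response after this change. Also confirm that h5bp's extra-security.conf at commit 82181a67 keeps the `always` parameter the removed `add_header … always;` lines in wordpress-site.conf.j2 had, otherwise the headers vanish from 4xx/5xx responses.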
@@ -31,13 +31,14 @@ server { {%- endif %} add_header Fastcgi-Cache $upstream_cache_status; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Xss-Protection "1; mode=block" always; {% if item.value.ssl is defined and item.value.ssl.enabled | default(false) %} - include ssl.conf; - include ssl-stapling.conf; + include h5bp/directive-only/spdy.conf; + include h5bp/directive-only/ssl.conf; + include h5bp/directive-only/ssl-stapling.conf; + + ssl_dhparam /etc/nginx/ssl/dhparams.pem; + ssl_buffer_size 1400; # 1400 bytes to fit in one MTU {% set hsts_max_age = item.value.ssl.hsts_max_age | default(nginx_hsts_max_age) %} {% set hsts_include_subdomains = item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubdomains', None) %}
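Review bot: `ssl_dhparam /etc/nginx/ssl/dhparams.pem;` hard-codes the directory that this same commit turns into `nginx_path` (roles/nginx/defaults/main.yml) and uses for the `Generate strong unique Diffie-Hellman group` task, so overriding `nginx_path` would point the server block at a file that is never generated; write it as `ssl_dhparam {{ nginx_path }}/ssl/dhparams.pem;` (assuming the nginx role's defaults are in scope for this play, as `nginx_hsts_max_age` on the following line appears to be). Separately, the deleted roles/nginx/files/ssl.conf set `ssl_session_tickets off;` precisely because nginx never rotates ticket keys, which lets one long-lived key undo forward secrecy; nothing visible here shows whether h5bp's `ssl.conf` at the pinned commit does the same, so either confirm it or keep `ssl_session_tickets off;` next to `ssl_dhparam`. The `server {` block starts and ends outside this hunk.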