From a8fa5d69ff6f181ef59aa7777e5f055389a714d3 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Thu, 14 Mar 2019 10:53:44 +0100
Subject: [PATCH 1/3] Add proxy snippets and use nginx-light

---
 roles/nginx-reverse-proxy/tasks/main.yml | 25 ++++++++++++----
 .../{ => nginx}/nginx-sites-available-main.j2 | 19 ++++++++----
 .../{ => nginx}/nginx-sites-available.j2 | 13 ++++++---
 .../nginx/snippets/proxy-common-ssl.conf.j2 | 29 +++++++++++++++++++
 .../nginx/snippets/proxy-common.conf.j2 | 12 ++++++++
 5 files changed, 82 insertions(+), 16 deletions(-)
 rename roles/nginx-reverse-proxy/templates/{ => nginx}/nginx-sites-available-main.j2 (86%)
 rename roles/nginx-reverse-proxy/templates/{ => nginx}/nginx-sites-available.j2 (82%)
 create mode 100644 roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
 create mode 100644 roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2

diff --git a/roles/nginx-reverse-proxy/tasks/main.yml b/roles/nginx-reverse-proxy/tasks/main.yml
index 7f7483d..c646a23 100644
--- a/roles/nginx-reverse-proxy/tasks/main.yml
+++ b/roles/nginx-reverse-proxy/tasks/main.yml
@@ -1,18 +1,31 @@
 ---
 # nginx is the proxy server
+# nginx-light contains less modules
+# but also reduces the surface of attack
 - name: Install NGINX server
 apt:
- name: nginx
+ name: nginx-light
 update_cache: true
 register: apt_result
 retries: 3
 until: apt_result is succeeded
+# Install proxy snippets
+- name: Configure NGINX proxy snippets
+ template:
+ src: "nginx/snippets/{{ item }}.j2"
+ dest: "/etc/nginx/snippets/{{ item }}"
+ mode: 0644
+ loop:
+ - proxy-common.conf
+ - proxy-common-ssl.conf
+ notify: Reload NGINX service
+
 # Install sites
 - name: Configure NGINX sites
 template:
- src: nginx-sites-available.j2
- dest: /etc/nginx/sites-available/{{ item.name }}
+ src: nginx/nginx-sites-available.j2
+ dest: "/etc/nginx/sites-available/{{ item.name }}"
 mode: 0644
 loop: "{{ reversed_proxy_subdomains }}"
 notify: Reload NGINX service
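Review bot: The new `mode: 0644` on the snippet task (and the one kept on the sites task) is a bare YAML scalar; Ansible accepts the leading-zero form, but writing it as `mode: "0644"` is the convention that survives a later edit to `644`, which YAML would otherwise read as decimal. The snippets and site files are written without any syntax check before `Reload NGINX service` fires, and a broken snippet now breaks every vhost at once, so if the handler (outside this hunk) does not already run `nginx -t` before reloading it should. The comment on nginx-light is fair, but confirm on the target release that the modules the new templates rely on (`http_realip_module`, `http_ssl_module`, `http_v2_module`) are compiled into that package, e.g. `nginx -V 2>&1 | tr ' ' '\n' | grep with-http_`, since a missing module makes the snippet directives fail at reload.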
@@ -27,8 +40,8 @@
 # Activate sites
 - name: Activate sites
 file:
- src: /etc/nginx/sites-available/{{ item.name }}
- dest: /etc/nginx/sites-enabled/{{ item.name }}
+ src: "/etc/nginx/sites-available/{{ item.name }}"
+ dest: "/etc/nginx/sites-enabled/{{ item.name }}"
 state: link
 loop: "{{ reversed_proxy_subdomains }}"
 notify: Reload NGINX service
@@ -36,7 +49,7 @@
 # Install main site
 - name: Configure NGINX main site
 template:
- src: nginx-sites-available-main.j2
+ src: nginx/nginx-sites-available-main.j2
 dest: /etc/nginx/sites-available/main
 mode: 0644
 notify: Reload NGINX service
diff --git a/roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2
similarity index 86%
rename from roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2
rename to roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2
index 43f678f..1df30fd 100644
--- a/roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2
@@ -1,16 +1,21 @@
 # {{ ansible_managed }}
 server {
- server_name auro.re;
+ # Common proxy snippet
 include "snippets/proxy-common.conf";
- location / {
- return 302 https://$host$request_uri;
- }
+ # Set witch server name we define
+ server_name auro.re;
+
+ # Permanentely moved to HTTPS
+ return 301 https://$host$request_uri;
 }
 server {
+ # Common proxy snippet
 include "snippets/proxy-common-ssl.conf";
+
+ # Set witch server name we define
 server_name auro.re;
 # Separate log files
@@ -48,8 +53,10 @@ server {
 }
 server {
- listen 8448 ssl default_server;
- listen [::]:8448 ssl default_server;
+ listen 8448 ssl;
+ listen [::]:8448 ssl;
+
+ # Set witch server name we define
 server_name auro.re;
 # Separate log files
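Review bot: The new `return 301 https://$host$request_uri;` copies the client-supplied Host header into the Location header, and for whichever port-80 server block nginx treats as implicit default (nothing in this series declares `default_server` on 80 or 443 any more, so it is the first sites-enabled file loaded) a request carrying `Host: attacker.example` is answered with a permanent redirect to that host. This vhost has a single fixed name, so `return 301 https://$server_name$request_uri;` is the safe form, and a dedicated `default_server` block answering `return 444;` would cover unmatched names for all vhosts. The typos in the new comments ("witch" for "which", "Permanentely" for "Permanently") are worth fixing before they are copied into every site template. The first server block is complete in this hunk; the second continues past it.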
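Review bot: The 8448 block keeps its own `listen 8448 ssl;` lines and does not include the new `proxy-common-ssl.conf` snippet, so the TLS settings that snippet carries (`ssl_protocols`, `ssl_ciphers`, HSTS, stapling) do not apply on this port unless the same directives are set at `http {}` level or further down in the block, which is outside this hunk. If the `listen 443` lines in the snippet are what prevents reusing it here, moving the `ssl_*` directives into a second snippet without `listen` would let both blocks share one TLS policy. Dropping `default_server` is harmless while this is the only server on 8448, since nginx makes the first one the implicit default, but keeping it explicit documents that choice.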
diff --git a/roles/nginx-reverse-proxy/templates/nginx-sites-available.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2
similarity index 82%
rename from roles/nginx-reverse-proxy/templates/nginx-sites-available.j2
rename to roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2
index 0ddd2df..a733f23 100644
--- a/roles/nginx-reverse-proxy/templates/nginx-sites-available.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2
@@ -1,16 +1,21 @@
 # {{ ansible_managed }}
 server {
- server_name {{ item.from }};
+ # Common proxy snippet
 include "snippets/proxy-common.conf";
- location / {
- return 302 https://$host$request_uri;
- }
+ # Set witch server name we define
+ server_name {{ item.from }};
+
+ # Permanentely moved to HTTPS
+ return 301 https://$host$request_uri;
 }
 server {
+ # Common proxy snippet
 include "snippets/proxy-common-ssl.conf";
+
+ # Set witch server name we define
 server_name {{ item.from }};
 # Separate log files
diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
new file mode 100644
index 0000000..1385eb0
--- /dev/null
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
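Review bot: As in the main template, `return 301 https://$host$request_uri;` echoes the request Host header, so the vhost nginx picks as implicit default redirects to whatever host an attacker names; `$server_name` is only a safe replacement if `{{ item.from }}` renders a single exact name, which this template does not show, so either constrain that variable or add a catch-all `default_server` block returning 444 so no real vhost is ever the default. The comment typos ("witch" → "which", "Permanentely" → "Permanently") are duplicated here as well. The second server block continues past the hunk.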
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+# Listen for IPv4 and IPv6 with HTTP2
+listen [::]:443 ssl http2;
+listen 443 ssl http2;
+
+# Hide NGINX version
+server_tokens off;
+
+# Reverse Proxy Adm
+set_real_ip_from 10.128.0.0/16;
+real_ip_header P-Real-Ip;
+
+# SSL
+ssl on;
+ssl_session_timeout 5m;
+ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES";
+ssl_prefer_server_ciphers off;
+ssl_session_cache shared:SSL:10m;
+
+# In buster we will be able to use TLSv1.3
+ssl_protocols TLSv1.2;
+
+# Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2
new file mode 100644
index 0000000..b479c14
--- /dev/null
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+# Listen for IPv4 and IPv6 with HTTP2
+listen 80 http2;
+listen [::]:80 http2;
+
+# Hide NGINX version
+server_tokens off;
+
+# Reverse Proxy Adm
+set_real_ip_from 10.128.0.0/16;
+real_ip_header P-Real-Ip;
From af07bb7c0afad053ebca1654d4e4e585319a46f5 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Thu, 14 Mar 2019 11:53:55 +0100
Subject: [PATCH 2/3] Better SSL conf

---
 .../templates/nginx/snippets/proxy-common-ssl.conf.j2 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
index 1385eb0..3c670a1 100644
--- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
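Review bot: `ssl on;` is redundant with the `listen ... ssl` lines above it and has been deprecated since nginx 1.15.0 (it logs a warning and has since been removed), so the line should be dropped rather than carried into a new file. `real_ip_header P-Real-Ip;` names a header no common front proxy sets; if the upstream in 10.128.0.0/16 sends the conventional `X-Real-IP`, this directive silently never rewrites `$remote_addr` and the access logs keep showing the proxy address, so confirm the header name against that proxy or use `real_ip_header X-Real-IP;`. The French comment above `ssl_dhparam` asks for a manual `openssl dhparam` run, but nothing in this series creates `/etc/ssl/certs/dhparam.pem`, so a freshly provisioned host fails `nginx -t`; generate the file from the role (Ansible's `openssl_dhparam` module) or guard the directive until it exists.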
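Review bot: `listen 80 http2;` and `listen [::]:80 http2;` break the plain-HTTP redirect on the nginx releases this role targets: before 1.25.1 a cleartext listen carrying `http2` is served as h2c only, so a browser's HTTP/1.1 request on port 80 gets HTTP/2 frames back instead of the 301 (curl reports binary output). Browsers never negotiate h2c, so there is nothing to gain on this port; use `listen 80;` and `listen [::]:80;` here and keep `http2` only on the 443 listens in the SSL snippet. The comment `# Listen for IPv4 and IPv6 with HTTP2` should then read `# Listen for IPv4 and IPv6 (plain HTTP, redirect only)`.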
@@ -14,10 +14,13 @@ real_ip_header P-Real-Ip;
 # SSL
 ssl on;
 ssl_session_timeout 5m;
-ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES";
-ssl_prefer_server_ciphers off;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256-GCM-SHA256:!AES256-GCM-SHA128:!aNULL:!MD5";
+ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
+# Use more secure ECDH curve
+ssl_ecdh_curve secp521r1:secp384r1;
+
 # In buster we will be able to use TLSv1.3
 ssl_protocols TLSv1.2;
From fb11981e8a932e1133f286755d036cf552f965dd Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Thu, 14 Mar 2019 12:25:27 +0100
Subject: [PATCH 3/3] Follow Mozilla guidelines

---
 .../nginx/snippets/proxy-common-ssl.conf.j2 | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
index 3c670a1..50f4977 100644
--- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
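Review bot: `ssl_ecdh_curve secp521r1:secp384r1;` removes the groups clients actually prefer: secp521r1 is not offered by Chrome and other BoringSSL-based clients at all, and without X25519 or prime256v1 every ECDHE handshake falls back to the slower secp384r1. Unless this proxy only serves clients known to support those curves, `ssl_ecdh_curve X25519:prime256v1:secp384r1;` gives the same security margin with far better compatibility, and the comment `# Use more secure ECDH curve` overstates what P-521 buys over X25519. The cipher string added here also contains `!AES256-GCM-SHA128`, which is not an OpenSSL cipher name and is ignored, although patch 3 replaces the string anyway. The curve line survives unchanged as context into the final version of the file.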
@@ -11,22 +11,22 @@ server_tokens off;
 set_real_ip_from 10.128.0.0/16;
 real_ip_header P-Real-Ip;
-# SSL
+# SSL based on https://mozilla.github.io/server-side-tls/ssl-config-generator/
 ssl on;
-ssl_session_timeout 5m;
-ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256-GCM-SHA256:!AES256-GCM-SHA128:!aNULL:!MD5";
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.2;
+ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
 ssl_prefer_server_ciphers on;
-ssl_session_cache shared:SSL:10m;
+add_header Strict-Transport-Security max-age=15768000;
+
+# OCSP Stapling,
+ssl_stapling on;
+ssl_stapling_verify on;
 # Use more secure ECDH curve
 ssl_ecdh_curve secp521r1:secp384r1;
-# In buster we will be able to use TLSv1.3
-ssl_protocols TLSv1.2;
-
 # Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
-
-# Enable OCSP Stapling, point to certificate chain
-ssl_stapling on;
-ssl_stapling_verify on;
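Review bot: `ssl_stapling on;` / `ssl_stapling_verify on;` are moved here without the two directives stapling depends on: a `resolver` so nginx can look up the OCSP responder host (otherwise it logs that no resolver is defined and staples nothing) and `ssl_trusted_certificate` pointing at the issuer chain so `ssl_stapling_verify` can validate the response; the Mozilla generator cited in the new comment emits both, e.g. `resolver <dns-ip> valid=300s;` and `ssl_trusted_certificate /path/to/chain.pem;`. `add_header Strict-Transport-Security max-age=15768000;` is only sent on 2xx/3xx responses and is dropped entirely in any `location` that declares its own `add_header`; `add_header Strict-Transport-Security "max-age=15768000" always;` fixes the first, and the second needs checking against the site templates, which are outside this hunk. With the new cipher list being ECDHE-only, `ssl_dhparam /etc/ssl/certs/dhparam.pem;` is never used but still makes nginx fail to start when the manually generated file is absent, so the directive and the comment above it can go.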