diff --git a/salt/roots/base/nginx.conf b/salt/roots/base/nginx.conf
index 7e6a853..dfeb36d 100644
--- a/salt/roots/base/nginx.conf
+++ b/salt/roots/base/nginx.conf
@@ -26,13 +26,6 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
 
- ##
- # SSL Settings
- ##
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
-
 ##
 # Logging Settings
 ##
diff --git a/salt/roots/base/nginx.sls b/salt/roots/base/nginx.sls
index 89f149a..21afb3a 100644
--- a/salt/roots/base/nginx.sls
+++ b/salt/roots/base/nginx.sls
@@ -19,3 +19,20 @@ nginx-common:
 - pkg: nginx-common
 - watch_in:
 - service: nginx
+
+{% set nginx_ssl_keydir = salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') %}
+{% set nginx_ssl_certdir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
+
+{{ nginx_ssl_certdir }}:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0755
+ - makedirs: True
+
+{{ nginx_ssl_keydir }}:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0750
+ - makedirs: True
diff --git a/salt/roots/webserver/init.sls b/salt/roots/webserver/init.sls
index 22fa765..0fc0155 100644
--- a/salt/roots/webserver/init.sls
+++ b/salt/roots/webserver/init.sls
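Review bot: The `mode: 0755` and `mode: 0750` values under the two `file.directory` states are unquoted leading-zero integers, which a YAML 1.1 loader turns into the decimals 493 and 488 before Salt ever sees them; whether Salt recovers the intended octal mode from that integer depends on its version, so the result is not what is written. Quote them as strings, `- mode: "0755"` and `- mode: "0750"`, and do the same for every `- mode: 0644` in the webserver/init.sls hunk, which has the same defect. Keeping the certificate directory world-readable and the key directory root-only is the right split; a short `# private keys: keep out of the world-readable certs dir` above the keydir state would record that intent for whoever next edits the pillar defaults. The `nginx-common` state that the context lines belong to starts outside the hunk.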
@@ -1,2 +1,50 @@
 include:
 - base.nginx
+
+/etc/nginx/conf.d/logformat.conf:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 0644
+ - source: salt://webserver/nginx-logformat.conf
+ - require:
+ - pkg: nginx
+ - watch_in:
+ - service: nginx
+
+{% set ssldir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
+
+generate-dhparam-nginx:
+ cmd.run:
+ - name: openssl dhparam -out {{ ssldir }}/dhparams.pem 2048
+ - umask: 022
+ - user: root
+ - group: root
+ - creates: {{ ssldir }}/dhparams.pem
+ - require_in:
+ - file: /etc/nginx/conf.d/ssl.conf
+ - watch_in:
+ - service: nginx
+
+/etc/nginx/conf.d/ssl.conf:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 0644
+ - source: salt://webserver/nginx-ssl.conf
+ - template: jinja
+ - require:
+ - pkg: nginx
+ - watch_in:
+ - service: nginx
+
+/etc/nginx/snippets/security.conf:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 0644
+ - source: salt://webserver/nginx-security.conf
+ - require:
+ - pkg: nginx
+ - watch_in:
+ - service: nginx
diff --git a/salt/roots/webserver/nginx-logformat.conf b/salt/roots/webserver/nginx-logformat.conf
new file mode 100644
index 0000000..bb26d9e
--- /dev/null
+++ b/salt/roots/webserver/nginx-logformat.conf
@@ -0,0 +1,4 @@
+log_format main '$remote_addr - $remote_user [$time_local] '
+ '$server_name '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
diff --git a/salt/roots/webserver/nginx-security.conf b/salt/roots/webserver/nginx-security.conf
new file mode 100644
index 0000000..5585189
--- /dev/null
+++ b/salt/roots/webserver/nginx-security.conf
@@ -0,0 +1,19 @@
+# Security - Basic configuration
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ expires max;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Deny access to hidden files
+ location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
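Review bot: `umask: 022` in `generate-dhparam-nginx` is an unquoted leading-zero integer, so the YAML loader most likely hands Salt the decimal 18 rather than the octal value cmd.run documents for `umask`; quote it, `- umask: "022"`, so the value reaches Salt as written. The same state writes into `{{ ssldir }}` but only declares `require_in` on ssl.conf and `watch_in` on the service, so the directory created by base.nginx being present first rests on include ordering alone; an explicit `- require:` with `- file: {{ ssldir }}` makes that dependency visible and robust to reordering. The `/etc/nginx/snippets/security.conf` state only places the file: as far as this diff shows, nothing includes the snippets directory the way conf.d is included, so each server block that should carry these rules needs an `include snippets/security.conf;` — a one-line comment on the state saying so would save the next reader a hunt.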
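Review bot: `log_format main` is defined here but nothing in this change selects it with an `access_log <path> main;` directive, so access logs stay in nginx's default `combined` format unless a server block outside the diff already references `main`; confirm that, or add the directive beside the format definition. If requests reach this server through a reverse proxy, `$remote_addr` will record the proxy rather than the client, and incident response will want `$http_x_forwarded_for` (or the realip module) in the format; the fields as written are fine for a directly exposed host.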
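Review bot: The `location ~ /\. { deny all; }` block also matches `/.well-known/`, so ACME HTTP-01 challenges and any other well-known URIs served from this host will be denied; exclude that prefix, e.g. `location ~ /\.(?!well-known/) {`. The same block turns off both `access_log` and `log_not_found`, which means probes for dotfiles such as `/.git/` or `/.env` leave no trace in the logs even though those requests are exactly the signal a defender wants to retain — keep `access_log` on for the deny block and limit the silenced logging to the favicon and robots locations. These `location` blocks are only valid inside a `server` context, so a header comment like `# include inside each server {} block; not auto-loaded from snippets/` would make the file self-describing.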
diff --git a/salt/roots/webserver/nginx-ssl.conf b/salt/roots/webserver/nginx-ssl.conf
new file mode 100644
index 0000000..e0cb1ef
--- /dev/null
+++ b/salt/roots/webserver/nginx-ssl.conf
@@ -0,0 +1,15 @@
+# Default TLS settings
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers kEECDH+AESGCM:kEECDH+AES:kEECDH:EDH+AESGCM:kEDH+AES:kEDH:AESGCM:ALL:!LOW:!EXP:!MD5:!aNULL:!eNULL:!RC4:!DSS;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+
+ssl_dhparam {{ salt['pillar.get']('nginx:sslcertdir') }}/dhparams.pem;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# use Google's DNS
+resolver 8.8.8.8;
+resolver_timeout 5s;
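Review bot: `ssl_dhparam {{ salt['pillar.get']('nginx:sslcertdir') }}/dhparams.pem;` passes no default for the pillar key, while nginx.sls and init.sls default the same key to `/etc/nginx/ssl/certs`; with the pillar unset this renders as `ssl_dhparam /dhparams.pem;` and nginx fails its config test, so use `{{ salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') }}` here as well. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` carries over two protocol versions deprecated by RFC 8996; `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the installed nginx and OpenSSL support it) is the current baseline, and because the base nginx.conf hunk removes the explicit list that the POODLE comment explained, hosts that apply base.nginx without this webserver state now rely on nginx's compiled-in default — confirm that default excludes SSLv3 for the deployed version. The cipher string's bare `kEECDH`, `kEDH`, `AESGCM` and especially `ALL` entries re-admit CBC, 3DES and non-forward-secret suites behind the AEAD prefixes; restricting to `kEECDH+AESGCM:kEDH+AESGCM` plus the existing exclusions and `!3DES` keeps only forward-secret AEAD suites. `ssl_stapling_verify on` only verifies responses when the issuer chain is supplied via `ssl_trusted_certificate` in the server blocks, and `resolver 8.8.8.8` sends every OCSP lookup to a third-party resolver in plaintext; a local or organisation resolver is the safer default.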