From f111fcc090c8bb8197088a871b89013b8ca6d147 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sun, 4 Oct 2015 19:32:42 +0200
Subject: [PATCH] setup default nginx ssl/security configuration for vagrant

---
 roots/base/nginx.conf | 7 ----
 roots/base/nginx.sls | 17 ++++++++++
 roots/webserver/init.sls | 48 ++++++++++++++++++++++++++++
 roots/webserver/nginx-logformat.conf | 4 +++
 roots/webserver/nginx-security.conf | 19 +++++++++++
 roots/webserver/nginx-ssl.conf | 15 +++++++++
 6 files changed, 103 insertions(+), 7 deletions(-)
 create mode 100644 roots/webserver/nginx-logformat.conf
 create mode 100644 roots/webserver/nginx-security.conf
 create mode 100644 roots/webserver/nginx-ssl.conf

diff --git a/roots/base/nginx.conf b/roots/base/nginx.conf
index 7e6a853..dfeb36d 100644
--- a/roots/base/nginx.conf
+++ b/roots/base/nginx.conf
@@ -26,13 +26,6 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
 
- ##
- # SSL Settings
- ##
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
-
 ##
 # Logging Settings
 ##
diff --git a/roots/base/nginx.sls b/roots/base/nginx.sls
index 89f149a..21afb3a 100644
--- a/roots/base/nginx.sls
+++ b/roots/base/nginx.sls
@@ -19,3 +19,20 @@ nginx-common:
 - pkg: nginx-common
 - watch_in:
 - service: nginx
+
+{% set nginx_ssl_keydir = salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') %}
+{% set nginx_ssl_certdir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
+
+{{ nginx_ssl_certdir }}:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0755
+ - makedirs: True
+
+{{ nginx_ssl_keydir }}:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0750
+ - makedirs: True
diff --git a/roots/webserver/init.sls b/roots/webserver/init.sls
index 22fa765..0fc0155 100644
--- a/roots/webserver/init.sls
+++ b/roots/webserver/init.sls
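Review bot: The `/etc/nginx/ssl/certs` fallback for `nginx:sslcertdir` set here is repeated verbatim in roots/webserver/init.sls, while roots/webserver/nginx-ssl.conf reads the same pillar key with no fallback at all, so the three places can drift apart; keeping both defaults in one Jinja file that the other states import would remove the duplication. The 0750 root:root key directory is the right choice because only the root-owned nginx master process reads private keys, which deserves a comment next to the mode, e.g. `# 0750: only the root-owned nginx master needs to read private keys`. The states that later write into these directories (dhparams.pem in the webserver state) should `require` these directory states by their expanded path rather than rely on include order.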
@@ -1,2 +1,50 @@
 include:
 - base.nginx
+
+/etc/nginx/conf.d/logformat.conf:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 0644
+ - source: salt://webserver/nginx-logformat.conf
+ - require:
+ - pkg: nginx
+ - watch_in:
+ - service: nginx
+
+{% set ssldir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
+
+generate-dhparam-nginx:
+ cmd.run:
+ - name: openssl dhparam -out {{ ssldir }}/dhparams.pem 2048
+ - umask: 022
+ - user: root
+ - group: root
+ - creates: {{ ssldir }}/dhparams.pem
+ - require_in:
+ - file: /etc/nginx/conf.d/ssl.conf
+ - watch_in:
+ - service: nginx
+
+/etc/nginx/conf.d/ssl.conf:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 0644
+ - source: salt://webserver/nginx-ssl.conf
+ - template: jinja
+ - require:
+ - pkg: nginx
+ - watch_in:
+ - service: nginx
+
+/etc/nginx/snippets/security.conf:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 0644
+ - source: salt://webserver/nginx-security.conf
+ - require:
+ - pkg: nginx
+ - watch_in:
+ - service: nginx
diff --git a/roots/webserver/nginx-logformat.conf b/roots/webserver/nginx-logformat.conf
new file mode 100644
index 0000000..bb26d9e
--- /dev/null
+++ b/roots/webserver/nginx-logformat.conf
@@ -0,0 +1,4 @@
+log_format main '$remote_addr - $remote_user [$time_local] '
+ '$server_name '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
diff --git a/roots/webserver/nginx-security.conf b/roots/webserver/nginx-security.conf
new file mode 100644
index 0000000..5585189
--- /dev/null
+++ b/roots/webserver/nginx-security.conf
@@ -0,0 +1,19 @@
+# Security - Basic configuration
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ expires max;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Deny access to hidden files
+ location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
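Review bot: `generate-dhparam-nginx` writes into `{{ ssldir }}` but only declares `require_in` on ssl.conf, so nothing ties it to the `file.directory` state in base.nginx that creates that directory; the ordering currently rests on the included SLS running first. Adding `- require:` / `- file: {{ ssldir }}` makes the dependency explicit, since the directory state id in base.nginx expands to the same path when the pillar default is shared. The `openssl dhparam ... 2048` run can take minutes on a small VM and `creates` is what keeps it one-shot, which is worth a comment such as `# one-off and slow: generates the DH group only while dhparams.pem is missing`.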
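Review bot: `log_format main` is defined but no `access_log ... main` directive appears in this commit, so the format is inert until a server block or the base config names it (it may be referenced elsewhere in the repository). A one-line header, `# use from server blocks as: access_log <path> main;`, would tell readers where it is meant to be wired in.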
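Review bot: The `location ~ /\.` deny also matches `/.well-known/`, the RFC 5785 well-known prefix used for things like ACME http-01 validation, so any server including this snippet cannot serve those URIs; a `location ^~ /.well-known/ { allow all; }` placed before the regex location exempts it, because a `^~` prefix match stops regex evaluation. The file is installed under snippets/ but nothing in the commit includes it, so a header comment, `# include from each server block: include snippets/security.conf;`, would document the contract. The `allow all` in the robots.txt block is redundant unless an enclosing deny is expected, and the first line is unindented while the rest are, which reads as a paste artefact.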
diff --git a/roots/webserver/nginx-ssl.conf b/roots/webserver/nginx-ssl.conf
new file mode 100644
index 0000000..e0cb1ef
--- /dev/null
+++ b/roots/webserver/nginx-ssl.conf
@@ -0,0 +1,15 @@
+# Default TLS settings
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers kEECDH+AESGCM:kEECDH+AES:kEECDH:EDH+AESGCM:kEDH+AES:kEDH:AESGCM:ALL:!LOW:!EXP:!MD5:!aNULL:!eNULL:!RC4:!DSS;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+
+ssl_dhparam {{ salt['pillar.get']('nginx:sslcertdir') }}/dhparams.pem;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# use Google's DNS
+resolver 8.8.8.8;
+resolver_timeout 5s;
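Review bot: `ssl_dhparam` reads `nginx:sslcertdir` with no fallback, whereas init.sls and base/nginx.sls default it to `/etc/nginx/ssl/certs`; with the pillar unset this renders `ssl_dhparam /dhparams.pem;` and nginx cannot load the file for any TLS-enabled server block. Use the same fallback: `ssl_dhparam {{ salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') }}/dhparams.pem;`. `ssl_stapling_verify on` needs the issuer chain supplied via `ssl_trusted_certificate` to validate OCSP responses, which this shared http-level file cannot provide, so each server block must set it or stapling is dropped with only a warning in the error log. The `ssl_ciphers` list ends in `ALL` after the preferred suites, which keeps non-forward-secret and CBC suites reachable, and `TLSv1`/`TLSv1.1` have since been deprecated; both deserve a comment stating that client compatibility was the intent, or tightening if it was not.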