setup default nginx ssl/security configuration for vagrant

This commit is contained in:
Jan Dittberner 2015-10-04 19:32:42 +02:00
parent da472f9009
commit f111fcc090
6 changed files with 103 additions and 7 deletions

View file

@ -26,13 +26,6 @@ http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
## ##
# Logging Settings # Logging Settings
## ##

View file

@ -19,3 +19,20 @@ nginx-common:
- pkg: nginx-common - pkg: nginx-common
- watch_in: - watch_in:
- service: nginx - service: nginx
{% set nginx_ssl_keydir = salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') %}
{% set nginx_ssl_certdir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
{{ nginx_ssl_certdir }}:
file.directory:
- user: root
- group: root
- mode: 0755
- makedirs: True
{{ nginx_ssl_keydir }}:
file.directory:
- user: root
- group: root
- mode: 0750
- makedirs: True

View file

@ -1,2 +1,50 @@
include: include:
- base.nginx - base.nginx
/etc/nginx/conf.d/logformat.conf:
file.managed:
- user: root
- group: root
- mode: 0644
- source: salt://webserver/nginx-logformat.conf
- require:
- pkg: nginx
- watch_in:
- service: nginx
{% set ssldir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
generate-dhparam-nginx:
cmd.run:
- name: openssl dhparam -out {{ ssldir }}/dhparams.pem 2048
- umask: 022
- user: root
- group: root
- creates: {{ ssldir }}/dhparams.pem
- require_in:
- file: /etc/nginx/conf.d/ssl.conf
- watch_in:
- service: nginx
/etc/nginx/conf.d/ssl.conf:
file.managed:
- user: root
- group: root
- mode: 0644
- source: salt://webserver/nginx-ssl.conf
- template: jinja
- require:
- pkg: nginx
- watch_in:
- service: nginx
/etc/nginx/snippets/security.conf:
file.managed:
- user: root
- group: root
- mode: 0644
- source: salt://webserver/nginx-security.conf
- require:
- pkg: nginx
- watch_in:
- service: nginx

View file

@ -0,0 +1,4 @@
log_format main '$remote_addr - $remote_user [$time_local] '
'$server_name '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';

View file

@ -0,0 +1,19 @@
# Security - Basic configuration
location = /favicon.ico {
log_not_found off;
access_log off;
expires max;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny access to hidden files
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}

View file

@ -0,0 +1,15 @@
# Default TLS settings
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers kEECDH+AESGCM:kEECDH+AES:kEECDH:EDH+AESGCM:kEDH+AES:kEDH:AESGCM:ALL:!LOW:!EXP:!MD5:!aNULL:!eNULL:!RC4:!DSS;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam {{ salt['pillar.get']('nginx:sslcertdir') }}/dhparams.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# use Google's DNS
resolver 8.8.8.8;
resolver_timeout 5s;