setup default nginx ssl/security configuration for vagrant
This commit is contained in:
parent
da472f9009
commit
f111fcc090
6 changed files with 103 additions and 7 deletions
|
@ -26,13 +26,6 @@ http {
|
|||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
|
|
@ -19,3 +19,20 @@ nginx-common:
|
|||
- pkg: nginx-common
|
||||
- watch_in:
|
||||
- service: nginx
|
||||
|
||||
{% set nginx_ssl_keydir = salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') %}
|
||||
{% set nginx_ssl_certdir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
|
||||
|
||||
{{ nginx_ssl_certdir }}:
|
||||
file.directory:
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0755
|
||||
- makedirs: True
|
||||
|
||||
{{ nginx_ssl_keydir }}:
|
||||
file.directory:
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0750
|
||||
- makedirs: True
|
||||
|
|
|
@ -1,2 +1,50 @@
|
|||
include:
|
||||
- base.nginx
|
||||
|
||||
/etc/nginx/conf.d/logformat.conf:
|
||||
file.managed:
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0644
|
||||
- source: salt://webserver/nginx-logformat.conf
|
||||
- require:
|
||||
- pkg: nginx
|
||||
- watch_in:
|
||||
- service: nginx
|
||||
|
||||
{% set ssldir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
|
||||
|
||||
generate-dhparam-nginx:
|
||||
cmd.run:
|
||||
- name: openssl dhparam -out {{ ssldir }}/dhparams.pem 2048
|
||||
- umask: 022
|
||||
- user: root
|
||||
- group: root
|
||||
- creates: {{ ssldir }}/dhparams.pem
|
||||
- require_in:
|
||||
- file: /etc/nginx/conf.d/ssl.conf
|
||||
- watch_in:
|
||||
- service: nginx
|
||||
|
||||
/etc/nginx/conf.d/ssl.conf:
|
||||
file.managed:
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0644
|
||||
- source: salt://webserver/nginx-ssl.conf
|
||||
- template: jinja
|
||||
- require:
|
||||
- pkg: nginx
|
||||
- watch_in:
|
||||
- service: nginx
|
||||
|
||||
/etc/nginx/snippets/security.conf:
|
||||
file.managed:
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0644
|
||||
- source: salt://webserver/nginx-security.conf
|
||||
- require:
|
||||
- pkg: nginx
|
||||
- watch_in:
|
||||
- service: nginx
|
||||
|
|
4
roots/webserver/nginx-logformat.conf
Normal file
4
roots/webserver/nginx-logformat.conf
Normal file
|
@ -0,0 +1,4 @@
|
|||
log_format main '$remote_addr - $remote_user [$time_local] '
|
||||
'$server_name '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
19
roots/webserver/nginx-security.conf
Normal file
19
roots/webserver/nginx-security.conf
Normal file
|
@ -0,0 +1,19 @@
|
|||
# Security - Basic configuration
|
||||
location = /favicon.ico {
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
expires max;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Deny access to hidden files
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
15
roots/webserver/nginx-ssl.conf
Normal file
15
roots/webserver/nginx-ssl.conf
Normal file
|
@ -0,0 +1,15 @@
|
|||
# Default TLS settings
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers kEECDH+AESGCM:kEECDH+AES:kEECDH:EDH+AESGCM:kEDH+AES:kEDH:AESGCM:ALL:!LOW:!EXP:!MD5:!aNULL:!eNULL:!RC4:!DSS;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
ssl_dhparam {{ salt['pillar.get']('nginx:sslcertdir') }}/dhparams.pem;
|
||||
|
||||
# OCSP stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
# use Google's DNS
|
||||
resolver 8.8.8.8;
|
||||
resolver_timeout 5s;
|
Loading…
Reference in a new issue