diff --git a/ansible/roles/nginx/files/includes/proxy.conf b/ansible/roles/nginx/files/includes/proxy.conf
new file mode 100644
index 0000000..cde9479
--- /dev/null
+++ b/ansible/roles/nginx/files/includes/proxy.conf
@@ -0,0 +1,34 @@
+# Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Proxy Connection Settings
+proxy_buffers 32 4k;
+proxy_connect_timeout 240;
+proxy_headers_hash_bucket_size 128;
+proxy_headers_hash_max_size 1024;
+proxy_http_version 1.1;
+proxy_read_timeout 240;
+proxy_redirect http:// $scheme://;
+proxy_send_timeout 240;
+
+# Proxy Cache and Cookie Settings
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+
+# Proxy Header Settings
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Early-Data $ssl_early_data;
+proxy_set_header Host $host;
+proxy_set_header Proxy "";
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Method $request_method;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Original-Method $request_method;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Real-IP $remote_addr;
diff --git a/ansible/roles/nginx/files/includes/ssl.conf b/ansible/roles/nginx/files/includes/ssl.conf
new file mode 100644
index 0000000..28fd6ac
--- /dev/null
+++ b/ansible/roles/nginx/files/includes/ssl.conf
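Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever X-Forwarded-For the client already sent, so when this nginx is the internet-facing hop an upstream that reads the first address in that header sees a client-chosen value, while only `X-Real-IP $remote_addr` is authoritative. If no trusted proxy sits in front of nginx, prefer `proxy_set_header X-Forwarded-For $remote_addr;`, or add a comment above the header block stating that upstreams must use X-Real-IP (or the last XFF entry) for access decisions and logging. `proxy_set_header Connection $connection_upgrade;` also depends on a `map $http_upgrade $connection_upgrade` block that is not in this diff; if nginx.conf does not already define it, `nginx -t` fails with an unknown-variable error, which is worth checking before the reload handler runs.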
@@ -0,0 +1,16 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:sslcache:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_dhparam dhparams.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
diff --git a/ansible/roles/nginx/files/nginx.conf b/ansible/roles/nginx/files/nginx.conf
index f366195..08ad1ca 100644
--- a/ansible/roles/nginx/files/nginx.conf
+++ b/ansible/roles/nginx/files/nginx.conf
@@ -18,9 +18,13 @@ http {
 server_tokens off;
 more_clear_headers "Server";
 
+ add_header Permissions-Policy "interest-cohort=()";
+
 types_hash_max_size 2048;
 types_hash_bucket_size 128;
 
+ include includes/proxy.conf;
+
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
index 571406e..a8f379e 100644
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -34,6 +34,10 @@
 when: ansible_os_family == 'Archlinux'
 become: true
 
+- name: Generate Diffie-Hellman parameters
+ community.crypto.openssl_dhparam:
+ path: /etc/nginx/dhparams.pem
+
 - name: Create config directories
 file:
 path: /etc/nginx/{{ item }}
@@ -42,6 +46,7 @@
 loop:
 - http.d
 - stream.d
+ - includes
 become: true
 
 - name: Install config
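Review bot: `ssl_stapling_verify on;` only verifies OCSP responses when the issuer chain is supplied through `ssl_trusted_certificate`, and stapling also needs a `resolver` to reach the OCSP responder; neither is set anywhere in this diff, and when they are missing nginx logs a startup warning and stapling is silently disabled rather than failing the config test. If the server blocks that include this file do not provide them, add them here or put a comment above the stapling lines, `# requires ssl_trusted_certificate and resolver in the including server block`. `ssl_dhparam dhparams.pem;` is also a relative path that nginx resolves against its prefix directory, which presumably matches the /etc/nginx/dhparams.pem the Ansible task writes; an absolute path would remove the dependency on the build prefix.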
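Review bot: `include includes/proxy.conf;` at `http {}` level only propagates its `proxy_set_header` directives into `server` and `location` blocks that declare no `proxy_set_header` of their own; nginx replaces the whole inherited set once a lower level defines even one, so a site that adds a single custom header silently loses Host, the X-Forwarded-* family and the `Proxy ""` clearance. A one-line comment next to the include, `# any proxy_set_header in a server/location discards all of these`, would make that visible, or the include can be repeated in each proxying location. `add_header Permissions-Policy` follows the same inheritance rule, so server blocks that already use `add_header` (for example for HSTS) will not emit it. The enclosing `http {` block starts and ends outside the hunk.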
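Review bot: The new `Generate Diffie-Hellman parameters` task writes to `/etc/nginx/dhparams.pem` without `become: true`, unlike every neighbouring task in the hunk, so it fails on any host where the connecting user cannot write to /etc/nginx. Add `become: true` at the same level as `community.crypto.openssl_dhparam:`. The module's default `size` is 4096 bits, which can take several minutes to generate on first run and is not stated here; an explicit `size:` and a short comment would make that cost visible to whoever runs the play.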
@@ -53,6 +58,15 @@
 become: true
 notify: reload nginx
 
+- name: Copy config files
+ template:
+ src: "{{ item }}"
+ dest: "/etc/nginx/includes/{{ item | basename }}"
+ mode: "0644"
+ with_fileglob: 'files/includes/*.conf'
+ become: true
+ notify: reload nginx
+
 - name: Install HTTPS redirect
 template:
 src: files/nginx-https-redirect.conf
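Review bot: `Copy config files` uses `template:` on files that live under `files/` and contain no Jinja markup, so any `{{`, `{%` or `{#` that later appears in an nginx include (the proxy.conf and ssl.conf hunks above contain none today) would be interpreted rather than shipped verbatim; `copy:` with the same `src`/`dest`/`mode` expresses the intent more precisely, though the existing `Install HTTPS redirect` task below follows the same `template` pattern. Quoting is also mixed within the task, `'files/includes/*.conf'` against double quotes on the other arguments. If the files are meant to stay templates, a comment saying that role variables may be substituted into the includes would document the choice.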