From 029f70f27632c1cb15b05b1f4476d8678870be23 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sat, 11 Aug 2018 14:59:43 +0200
Subject: [PATCH] complete rework of the role structure

---
 defaults/main.yml | 59 ++++++++--
 tasks/install.yml | 103 ++++-------------
 tasks/tls.yml | 61 +++++++++++
 templates/etc/nginx/conf.d/header.conf.j2 | 1 -
 templates/etc/nginx/conf.d/tls.conf.j2 | 18 +-
 templates/etc/nginx/nginx.conf.j2 | 47 +++++---
 .../etc/nginx/sites-available/default.j2 | 15 +++
 7 files changed, 183 insertions(+), 121 deletions(-)
 create mode 100644 tasks/tls.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 0531b30..4bb75ec 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,17 +4,60 @@ nginx_user: nginx
 nginx_group: nginx
 nginx_worker_processes: 1
 nginx_worker_connections: 1024
+nginx_error_log:
+  enabled: True
+  file: /var/log/nginx/error.log
+  level: error
+nginx_access_logfile:
+  enabled: True
+  file: /var/log/nginx/access.log
+  level: info
+
+## nginx buffer sizes
+nginx_client_body_buffer_size: 10k
+nginx_client_header_buffer_size: 1k
+nginx_client_max_body_size: 8m
+
+## nginx timeout settings
+nginx_client_body_timeout: 60
+nginx_client_header_timeout: 60
+nginx_keepalive_timeout: 65
+nginx_send_timeout: 60
+nginx_reset_timedout_connection: True
+
+## nginx compression
+nginx_gzip_enabled: True
+nginx_gzip_comp_level: 2
+nginx_gzip_min_length: 1000
+nginx_gzip_proxied:
+  - expired
+  - no-cache
+  - no-store
+  - private
+  - auth
+nginx_gzip_types:
+  - text/plain
+  - application/x-javascript
+  - text/xml
+  - text/css
+  - application/xml
+
 nginx_open_ports:
   - 80
   - 443
+
 nginx_tls_enabled: False
-# nginx_tls_cert:
-# nginx_tls_private_key:
-# nginx_tls_intermediate_ca:
-nginx_vhosts_dir: /var/www/vhosts
+nginx_tls_certs_dir: /etc/pki/tls/certs
+nginx_tls_key_dir: /etc/pki/tls/private
+nginx_tls_cert_file: "{{ nginx_tls_certs_dir }}/mycert.pem"
+nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mycert.pem"
+
 nginx_pfs_enabled: False
 nginx_dhparam_size: 4069
-nginx_dhparam_file: "/etc/pki/tls/certs/dhparam-{{ nginx_dhparam_size }}.pem"
-nginx_tls_cert_file: "/etc/pki/tls/certs/my-chained.crt"
-nginx_tls_intermediate_ca_file: "/etc/pki/tls/certs/my-intermediate.crt"
-nginx_tls_private_key_file: "/etc/pki/tls/private/my-private.key"
+nginx_dhparam_file: "{{ nginx_tls_certs_dir }}/dhparam-{{ nginx_dhparam_size }}.pem"
+
+nginx_vhosts_dir: /var/www/vhosts
+
+nginx_default_page_enabled: False
+
+nginx_server_names_hash_bucket_size: 32
diff --git a/tasks/install.yml b/tasks/install.yml
index b136d30..5973182 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
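Review bot: `nginx_access_logfile` at the top of the hunk does not match the name the template reads — templates/etc/nginx/nginx.conf.j2 in this same patch references `nginx_access_log.enabled` and `nginx_access_log.file`, so rendering nginx.conf fails on an undefined variable unless the playbook defines `nginx_access_log` itself; rename the default to `nginx_access_log:`. The new timeout defaults (60/60/65/60) are considerably more permissive than the 12/12/15/10 values the template previously hard-coded; if the tighter values were deliberate slow-client hardening, carry them over as the defaults rather than relaxing them silently. `True`/`False` should be written `true`/`false` (yamllint truthy rule), and the unchanged `nginx_dhparam_size: 4069` now also lands in the `nginx_dhparam_file` name — 4096 looks like the intended value.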
@@ -62,25 +62,31 @@ notify: - nginx_reload - - name: Update conf.d files - template: - src: 'etc/nginx/conf.d/{{ item }}.j2' - dest: '/etc/nginx/conf.d/{{ item }}' - owner: root - group: root - mode: 0640 - validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"' - with_items: - - header.conf - - tls.conf - notify: - - nginx_reload - - name: Remove default.conf from conf.d file: path: /etc/nginx/conf.d/default.conf state: absent + - name: Update conf.d files + template: + src: etc/nginx/conf.d/header.conf.j2 + dest: /etc/nginx/conf.d/header.conf + owner: root + group: root + mode: 0640 + validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"' + notify: + - nginx_reload + + - name: Open ports in iptables + iptables_raw: + name: allow_nginx_ports + state: present + rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT' + become: True + become_user: root + +- block: - name: Add default page configuration file template: src: 'etc/nginx/sites-available/default.j2' 
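Review bot: The rewritten `Update conf.d files` task templates only header.conf; the old `with_items` also deployed tls.conf, and nothing else in this patch (including the new tasks/tls.yml) templates templates/etc/nginx/conf.d/tls.conf.j2, so the cipher and protocol settings this patch goes on to edit would never reach the host unless a task outside this diff does it. Either add `tls.conf` back as a second item gated on `nginx_tls_enabled`, or move that template task into tasks/tls.yml next to the certificate copies. The block this hunk edits begins before the hunk, so the `become: True`/`become_user: root` added at its end are the only block-level keys visible here. `mode: 0640` works because YAML 1.1 parses the leading zero as octal, but `mode: "0640"` is the form ansible-lint recommends.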
@@ -100,77 +106,10 @@ state: link notify: - nginx_reload - - - name: Open ports in iptables - iptables_raw: - name: allow_nginx_ports - state: present - rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT' + when: nginx_default_page_enabled become: True become_user: root -- block: - - name: Copy tls certificate - copy: - content: "{{ nginx_tls_cert }}" - dest: "{{ nginx_tls_cert_file }}" - owner: root - group: root - mode: 0644 - notify: - - nginx_reload - - - name: Copy ssl intermediate cert - copy: - content: "{{ nginx_tls_intermediate_ca }}" - dest: "{{ nginx_tls_intermediate_ca_file }}" - owner: root - group: root - mode: 0644 - notify: - - nginx_reload - - - name: Copy tls private key - copy: - content: "{{ nginx_tls_private_key }}" - dest: "{{ nginx_tls_private_key_file }}" - owner: root - group: root - mode: 0600 - notify: - - nginx_reload - become: True - become_user: root - when: nginx_tls_enabled - -- block: - - name: Register dhparam file - stat: - path: "{{ nginx_dhparam_file }}" - register: dh_file - - - name: Generate Diffie-Hellman parameter file - shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}" - async: 3600 - poll: 60 - when: not dh_file.stat.exists - notify: - - nginx_reload - become: True - become_user: root - when: nginx_pfs_enabled - -- block: - - name: Add default page - template: - src: 'var/www/vhosts/default/index.html.j2' - dest: '/var/www/vhosts/default/index.html' - owner: nginx - group: nginx - mode: 0750 - become: True - become_user: nginx - - name: Enable nginx service systemd: state: started
diff --git a/tasks/tls.yml b/tasks/tls.yml
new file mode 100644
index 0000000..5e445fb
--- /dev/null
+++ b/tasks/tls.yml
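Review bot: The new `when: nginx_default_page_enabled` gates the site configuration and symlink tasks in this block, but the matching `Add default page` task that deploys index.html is moved to tasks/tls.yml without that condition, so the two halves of the feature can diverge (page content deployed while the site is disabled, or an enabled site with no index.html). Move the index.html task into this block, or give it the same `when:`. Note also that tasks/main.yml is not in this patch's diffstat, so the blocks relocated to tasks/tls.yml (certificates, dhparam, default page) are not included from anywhere visible here — confirm an `include_tasks`/`import_tasks` for it exists or add one. The block this `when:` belongs to starts in the previous hunk.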
@@ -0,0 +1,61 @@
+- block:
+    - name: Copy tls certificate
+      copy:
+        content: "{{ nginx_tls_cert }}"
+        dest: "{{ nginx_tls_cert_file }}"
+        owner: root
+        group: root
+        mode: 0644
+      notify:
+        - nginx_reload
+
+    - name: Copy ssl intermediate cert
+      copy:
+        content: "{{ nginx_tls_intermediate_ca }}"
+        dest: "{{ nginx_tls_intermediate_ca_file }}"
+        owner: root
+        group: root
+        mode: 0644
+      notify:
+        - nginx_reload
+
+    - name: Copy tls private key
+      copy:
+        content: "{{ nginx_tls_private_key }}"
+        dest: "{{ nginx_tls_private_key_file }}"
+        owner: root
+        group: root
+        mode: 0600
+      notify:
+        - nginx_reload
+  become: True
+  become_user: root
+  when: nginx_tls_enabled
+
+- block:
+    - name: Register dhparam file
+      stat:
+        path: "{{ nginx_dhparam_file }}"
+      register: dh_file
+
+    - name: Generate Diffie-Hellman parameter file
+      shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
+      async: 3600
+      poll: 60
+      when: not dh_file.stat.exists
+      notify:
+        - nginx_reload
+  become: True
+  become_user: root
+  when: nginx_pfs_enabled
+
+- block:
+    - name: Add default page
+      template:
+        src: 'var/www/vhosts/default/index.html.j2'
+        dest: '/var/www/vhosts/default/index.html'
+        owner: nginx
+        group: nginx
+        mode: 0750
+  become: True
+  become_user: nginx
diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2
index 8b22154..4c5ee1f 100644
--- a/templates/etc/nginx/conf.d/header.conf.j2
+++ b/templates/etc/nginx/conf.d/header.conf.j2
@@ -1,6 +1,5 @@
 # {{ ansible_managed }}
 # default header settings
-add_header Strict-Transport-Security max-age=63072000;
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
diff --git a/templates/etc/nginx/conf.d/tls.conf.j2 b/templates/etc/nginx/conf.d/tls.conf.j2
index 19fb3ec..7ee826a 100644
--- a/templates/etc/nginx/conf.d/tls.conf.j2
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
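Review bot: The copy tasks read `nginx_tls_cert`, `nginx_tls_intermediate_ca`, `nginx_tls_private_key` and `nginx_tls_intermediate_ca_file`, none of which defaults/main.yml still defines after this patch (the commented placeholders and `nginx_tls_intermediate_ca_file` are removed there), so setting `nginx_tls_enabled` fails with undefined variables unless the playbook supplies every one of them; restore a default for `nginx_tls_intermediate_ca_file` under `nginx_tls_certs_dir` and document the three content variables, or guard the intermediate task with `when: nginx_tls_intermediate_ca is defined`. The intermediate certificate also has no consumer left, since `ssl_trusted_certificate` and OCSP stapling are dropped from tls.conf.j2 in this patch. The third block (default index.html, `become_user: nginx`) does not belong in a file named tls.yml and lacks the `nginx_default_page_enabled` condition that install.yml applies to the rest of that feature. `mode: 0600` on the private key is right; `mode: 0750` on a static HTML file sets an execute bit with no purpose — `0644` is enough.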
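Review bot: Removing `Strict-Transport-Security` leaves the role without HSTS anywhere in this patch — neither tls.conf.j2 nor the `listen 443 ssl` server in default.j2 re-adds it — so the change is a hardening regression rather than a cleanup. If the motive is that header.conf is included in the http context and the header was therefore also sent on port 80, set it in the TLS server block instead, e.g. `add_header Strict-Transport-Security "max-age=63072000" always;`. Keep nginx's add_header inheritance in mind: a server or location block that declares any `add_header` stops inheriting the http-level ones, so the three headers kept here would then need repeating there or moving into an include that the TLS server block uses.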
@@ -1,16 +1,10 @@
 # {{ ansible_managed }}
 # certificate settings
-ssl_certificate_key /etc/pki/tls/private/my-private.key;
-ssl_certificate /etc/pki/tls/certs/my-chained.crt;
-
-ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
-
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_session_cache shared:SSL:10m;
-
-ssl_stapling on;
-ssl_stapling_verify on;
-ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
-
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA';
 ssl_prefer_server_ciphers on;
+
+ssl_protocols TLSv1.2;
+ssl_session_cache shared:SSL:10m;
+{% if nginx_pfs_enabled and nginx_dhparam_file is defined %}
 ssl_dhparam {{ nginx_dhparam_file }};
+{% endif %}
diff --git a/templates/etc/nginx/nginx.conf.j2 b/templates/etc/nginx/nginx.conf.j2
index 6a32fed..a1720a6 100644
--- a/templates/etc/nginx/nginx.conf.j2
+++ b/templates/etc/nginx/nginx.conf.j2
@@ -2,7 +2,6 @@ user {{ nginx_user }} {{ nginx_group }}; worker_processes {{ nginx_worker_processes }}; -error_log /var/log/nginx/error.log; pid /run/nginx.pid; events {
@@ -17,7 +16,16 @@ http { '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + {% if nginx_error_log.enabled %} + error_log {{ nginx_error_log.file }} {{ nginx_error_log.level }}; + {% else %} + error_log off; + {% endif %} + {% if nginx_access_log.enabled %} + access_log {{ nginx_access_log.file }} {{ nginx_access_log.level }}; + {% else %} + access_log off; + {% endif %} sendfile on; tcp_nopush on;
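Review bot: The new `ssl_ciphers` list contains only ECDHE-ECDSA suites, so with an RSA certificate — which the generic `mycert.pem` default in defaults/main.yml gives no reason to rule out — no cipher is negotiable and every TLS handshake fails. Add the RSA counterparts (e.g. `ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256`) or document that an ECDSA key is required; `ECDHE-ECDSA-AES128-SHA` is a CBC/SHA-1 suite and weakens an otherwise AEAD-only list. Dropping `ssl_stapling`, `ssl_stapling_verify` and `ssl_trusted_certificate` removes OCSP stapling while tasks/tls.yml still copies the intermediate chain that fed it; if that is intentional, a comment in the template should say so. `ssl_certificate`/`ssl_certificate_key` are removed here and the default.j2 hunks in this patch do not show where they land — confirm the 443 server block sets them from `nginx_tls_cert_file`/`nginx_tls_private_key_file`.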
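Review bot: `access_log {{ nginx_access_log.file }} {{ nginx_access_log.level }};` is wrong on two counts: nginx's second `access_log` argument is a log_format name, not a level, so the `level: info` default makes `nginx -t` fail with an unknown log format (the removed line used `main`, which the `log_format main` block just above still defines), and defaults/main.yml declares the variable as `nginx_access_logfile`, so the template also hits an undefined variable. Rename the key to `format`, default it to `main`, and render `access_log {{ nginx_access_log.file }} {{ nginx_access_log.format }};`. `error_log off;` does not disable the error log — `off` is not a special value for error_log the way it is for access_log, and nginx opens a file of that name relative to its prefix; use `error_log /dev/null crit;` instead. The `http {` block enclosing this hunk starts and ends outside it.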
@@ -26,29 +34,32 @@ http { server_tokens off; ## Buffers - client_body_buffer_size 10K; - client_header_buffer_size 1k; - client_max_body_size 8m; + client_body_buffer_size {{ nginx_client_body_buffer_size }}; + client_header_buffer_size {{ nginx_client_header_buffer_size }}; + client_max_body_size {{ nginx_client_max_body_size }}; ## Timeouts - client_body_timeout 12; - client_header_timeout 12; - keepalive_timeout 15; - send_timeout 10; + client_body_timeout {{ nginx_client_body_timeout }}; + client_header_timeout {{ nginx_client_header_timeout }}; + keepalive_timeout {{ nginx_keepalive_timeout }}; + send_timeout {{ nginx_send_timeout }}; + {% if nginx_reset_timedout_connection %} + reset_timedout_connection on; + {% endif %} ## Gzip Settings - gzip on; - gzip_comp_level 2; - gzip_min_length 1000; - gzip_proxied expired no-cache no-store private auth; - gzip_types text/plain application/x-javascript text/xml text/css application/xml; + {% if nginx_gzip_enabled %} + gzip on; + gzip_comp_level {{ nginx_gzip_comp_level }}; + gzip_min_length {{ nginx_gzip_min_length }}; + gzip_proxied {{ nginx_gzip_proxied | join(" ") }}; + gzip_types {{ nginx_gzip_types | join(" ") }}; + {% endif %} - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. + # Load modular configuration files from the /etc/nginx/conf.d directory include /etc/nginx/conf.d/*.conf; ## Virtual Host Configs include /etc/nginx/sites-enabled/*; - server_names_hash_bucket_size 64; + server_names_hash_bucket_size {{ nginx_server_names_hash_bucket_size }}; }
diff --git a/templates/etc/nginx/sites-available/default.j2 b/templates/etc/nginx/sites-available/default.j2
index 5fd766b..78a6017 100644
--- a/templates/etc/nginx/sites-available/default.j2
+++ b/templates/etc/nginx/sites-available/default.j2
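Review bot: `server_names_hash_bucket_size {{ nginx_server_names_hash_bucket_size }};` now defaults to 32 (defaults/main.yml) where 64 was hard-coded; the bucket must hold the longest `server_name` plus bookkeeping, so a host whose `ansible_fqdn` runs to roughly 30 characters or more will fail `nginx -t` with a "could not build server_names_hash" error — keep 64 as the default, or document the constraint next to the variable. The rest of the hunk is a faithful parameterization of the previous constants; the new `10k` default reproduces the old `10K`, which nginx accepts in either case. The Jinja `{% if %}` tags are indented inside the http block, so the rendered file carries leading whitespace and blank lines where the tags were — harmless, but `{%- ... -%}` or `trim_blocks` on the template task would keep the output clean. The enclosing `http {` block starts outside the hunk.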
@@ -3,9 +3,23 @@ server { listen 80; server_name {{ ansible_fqdn }}; + {% if nginx_tls_enabled %} return 301 https://$server_name$request_uri; + {% else %} + location / { + root /var/www/vhosts/default; + index index.html index.htm; + } + + # redirect server error pages to the static page /50x.html + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + {% end if %} } +{% if nginx_tls_enabled %} server { listen 443 ssl; server_name {{ ansible_fqdn }};
@@ -21,3 +35,4 @@ server {
         root /usr/share/nginx/html;
     }
 }
+{% endif %}
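Review bot: `{% end if %}` is not a Jinja2 tag — the closing tag is `{% endif %}` — so the template task raises a TemplateSyntaxError whenever the default page is enabled, on TLS and non-TLS hosts alike. The non-TLS branch hard-codes `root /var/www/vhosts/default;` although defaults/main.yml defines `nginx_vhosts_dir` for exactly this path; `root {{ nginx_vhosts_dir }}/default;` keeps the two in step. The `listen 443 ssl` server opened at the end of this hunk continues into the second hunk, where the matching `{% endif %}` is spelled correctly.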