refactor tls from source/file handling
parent
9134bed85b
commit
4c62a7fcc2
@ -48,20 +48,33 @@ nginx_open_ports:
|
||||
- 443
|
||||
|
||||
nginx_tls_enabled: False
|
||||
nginx_tls_cert_file: "mycert.pem"
|
||||
nginx_tls_key_file: "mykey.pem"
|
||||
# You can deploy your certificates from a file or from content.
|
||||
# If you enable nginx_tls_source_use_content you have to put the content of your cert files into
|
||||
# nginx_tls_cert_file and nginx_tls_cert_file.
|
||||
nginx_tls_source_use_content: False
|
||||
# If you enable nginx_tls_source_use_files theses variables have to contain the path to your
|
||||
# certificate files located on the ansible "master" host
|
||||
nginx_tls_source_use_files: True
|
||||
nginx_tls_cert_source: mycert.pem
|
||||
nginx_tls_key_source: mykey.pem
|
||||
nginx_tls_cert_file: mycert.pem
|
||||
nginx_tls_key_file: mykey.pem
|
||||
|
||||
nginx_tls_ocsp_enabled: False
|
||||
# nginx_tls_ocsp_trusted_certificate: # defaults to not set
|
||||
|
||||
nginx_tls_hsts_enabled: False
|
||||
nginx_hsts_options:
|
||||
- nginx_hsts_max_age=63072000
|
||||
- includeSubDomains
|
||||
|
||||
nginx_xfo_enabled: True
|
||||
nginx_xfo_policy: deny
|
||||
|
||||
nginx_xcto_enabled: True
|
||||
|
||||
nginx_xxxsp_enabled: True
|
||||
nginx_xxxsp_parameters:
|
||||
- mode=block
|
||||
|
||||
nginx_vhosts_dir: /var/www/vhosts
|
||||
|
||||
nginx_default_page_enabled: False
|
||||
|
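Review bot: `- nginx_hsts_max_age=63072000` under `nginx_hsts_options` is joined verbatim into the header by the template hunk below (`add_header Strict-Transport-Security "{{ nginx_hsts_options | join("; ") }}"`), yielding `Strict-Transport-Security "nginx_hsts_max_age=63072000; includeSubDomains"`; browsers discard an STS policy that has no `max-age=` directive, so HSTS is silently not enforced with these defaults and the entry should read `- max-age=63072000`. The comment above `nginx_tls_source_use_content` names `nginx_tls_cert_file` twice where the second is presumably `nginx_tls_key_file`, and `theses` should be `these`. `nginx_tls_source_use_content` and `nginx_tls_source_use_files` are independent booleans that can both be True or both False; the tasks that consume them are outside this hunk, so a comment stating that exactly one must be enabled (or an `assert` in the role) would prevent a misconfiguration from going unnoticed, and when content mode carries the private key that value belongs in a vaulted variable with `no_log: true` on the task that writes it. As a point of style, Ansible convention is lowercase `true`/`false` rather than `True`/`False` for these flags.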
@ -1,8 +1,25 @@
|
||||
# {{ ansible_managed }}
|
||||
# default header settings
|
||||
{% if nginx_tls_enabled and nginx_tls_hsts_enabled %}
|
||||
|
||||
# protect against protocol downgrading and cookie hijacking
|
||||
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
|
||||
{% if nginx_tls_hsts_enabled %}
|
||||
add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
|
||||
{% endif %}
|
||||
add_header X-Frame-Options DENY;
|
||||
|
||||
# improve the protection against Clickjacking
|
||||
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo
|
||||
{% if nginx_xfo_enabled %}
|
||||
add_header X-Frame-Options {{ nginx_xfo_policy }};
|
||||
{% endif %}
|
||||
|
||||
# prevent from interpreting files as something else than declared by the content type in HTTP headers
|
||||
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
|
||||
{% if nginx_xcto_enabled %}
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
{% endif %}
|
||||
|
||||
# enables the cross-site scripting (XSS) filter of the browsers
|
||||
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
|
||||
{% if nginx_xxxsp_enabled %}
|
||||
add_header X-XSS-Protection "1; {{ nginx_xxxsp_parameters | default([])|join(' ; ') }}";
|
||||
{% endif %}
|
||||
|
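Review bot: `add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "…"{% endif %};` renders as `add_header Strict-Transport-Security;` when `nginx_hsts_options` is undefined, which nginx rejects at config test because `add_header` requires both a name and a value; either drop the `is defined` branch or render a fallback such as `"max-age=63072000"`. The HSTS block now appears to be gated on `nginx_tls_hsts_enabled` alone; if the `nginx_tls_enabled` condition was dropped deliberately, a plain-HTTP server that includes this snippet will send Strict-Transport-Security, which browsers ignore but which is misleading when auditing the configuration. `add_header X-Frame-Options {{ nginx_xfo_policy }};` should quote the interpolated value (`"{{ nginx_xfo_policy }}"`), since a policy containing whitespace would otherwise break the directive. A comment at the top of the file is also worth adding: `# NOTE: nginx add_header is not inherited into a location block that declares its own add_header; include this snippet there too or the security headers are dropped for that location.`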