From 4c62a7fcc29421debe04f6ce37e519233f5f2cc6 Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Mon, 22 Oct 2018 10:11:35 +0200 Subject: [PATCH] refactor tls from source/file handling --- defaults/main.yml | 21 +++++++++++++++---- templates/etc/nginx/conf.d/header.conf.j2 | 25 +++++++++++++++++++---- 2 files changed, 38 insertions(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2f6ead4..1869e8f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -48,20 +48,33 @@ nginx_open_ports: - 443 nginx_tls_enabled: False -nginx_tls_cert_file: "mycert.pem" -nginx_tls_key_file: "mykey.pem" +# You can deploy your certificates from a file or from content. +# If you enable nginx_tls_source_use_content you have to put the content of your cert files into +# nginx_tls_cert_file and nginx_tls_cert_file. nginx_tls_source_use_content: False +# If you enable nginx_tls_source_use_files theses variables have to contain the path to your +# certificate files located on the ansible "master" host nginx_tls_source_use_files: True -nginx_tls_cert_source: mycert.pem -nginx_tls_key_source: mykey.pem +nginx_tls_cert_file: mycert.pem +nginx_tls_key_file: mykey.pem nginx_tls_ocsp_enabled: False +# nginx_tls_ocsp_trusted_certificate: # defaults to not set nginx_tls_hsts_enabled: False nginx_hsts_options: - nginx_hsts_max_age=63072000 - includeSubDomains +nginx_xfo_enabled: True +nginx_xfo_policy: deny + +nginx_xcto_enabled: True + +nginx_xxxsp_enabled: True +nginx_xxxsp_parameters: + - mode=block + nginx_vhosts_dir: /var/www/vhosts nginx_default_page_enabled: False diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2 index d59f3fb..f797548 100644 --- a/templates/etc/nginx/conf.d/header.conf.j2 +++ b/templates/etc/nginx/conf.d/header.conf.j2 
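Review bot: The default `nginx_hsts_options` kept as context in this hunk still begins with `nginx_hsts_max_age=63072000`, and header.conf.j2 joins the list verbatim, so unless the value is overridden the rendered header carries no `max-age` directive and browsers will disregard it; the entry should read `- max-age=63072000`. In the added comment for `nginx_tls_source_use_content`, `nginx_tls_cert_file` is named twice, where the second is presumably meant to be `nginx_tls_key_file`. Because that variable then holds the private key itself, the comment should also tell users to keep it encrypted, e.g. `# nginx_tls_key_file then contains the private key; store it with ansible-vault.` The task that writes the key is outside this diff; it would want `no_log: true` so the key does not end up in play output.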
@@ -1,8 +1,25 @@
 # {{ ansible_managed }}
-# default header settings
-{% if nginx_tls_enabled and nginx_tls_hsts_enabled %}
+
+# protect against protocol downgrading and cookie hijacking
+# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
+{% if nginx_tls_hsts_enabled %}
 add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
 {% endif %}
-add_header X-Frame-Options DENY;
+
+# improve the protection against Clickjacking
+# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo
+{% if nginx_xfo_enabled %}
+add_header X-Frame-Options {{ nginx_xfo_policy }};
+{% endif %}
+
+# prevent from interpreting files as something else than declared by the content type in HTTP headers
+# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
+{% if nginx_xcto_enabled %}
 add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
+{% endif %}
+
+# enables the cross-site scripting (XSS) filter of the browsers
+# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
+{% if nginx_xxxsp_enabled %}
+add_header X-XSS-Protection "1; {{ nginx_xxxsp_parameters | default([])|join(' ; ') }}";
+{% endif %}
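Review bot: `nginx_xfo_policy` is rendered unquoted in `add_header X-Frame-Options {{ nginx_xfo_policy }};`, so a policy value containing a space is split into extra directive arguments and nginx rejects the configuration; quote it as `add_header X-Frame-Options "{{ nginx_xfo_policy }}";`. The HSTS guard no longer checks `nginx_tls_enabled`, and when `nginx_hsts_options` is undefined the unchanged line renders `add_header Strict-Transport-Security;`, which is not a valid directive, so the `is defined` test is better moved into the outer condition: `{% if nginx_tls_hsts_enabled and nginx_hsts_options is defined %}`. If this file is included at http level, as conf.d files usually are, these headers are dropped by any server or location block that declares its own `add_header`, and without the `always` parameter they are not sent on error responses. A comment at the top of the template saying so would help operators, e.g. `# not inherited by blocks that set their own add_header; add "always" to cover error responses`.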