refactor tls from source/file handling
parent
9134bed85b
commit
4c62a7fcc2
@ -48,20 +48,33 @@ nginx_open_ports:
|
|||||||
- 443
|
- 443
|
||||||
|
|
||||||
nginx_tls_enabled: False
|
nginx_tls_enabled: False
|
||||||
nginx_tls_cert_file: "mycert.pem"
|
# You can deploy your certificates from a file or from content.
|
||||||
nginx_tls_key_file: "mykey.pem"
|
# If you enable nginx_tls_source_use_content you have to put the content of your cert files into
|
||||||
|
# nginx_tls_cert_file and nginx_tls_cert_file.
|
||||||
nginx_tls_source_use_content: False
|
nginx_tls_source_use_content: False
|
||||||
|
# If you enable nginx_tls_source_use_files theses variables have to contain the path to your
|
||||||
|
# certificate files located on the ansible "master" host
|
||||||
nginx_tls_source_use_files: True
|
nginx_tls_source_use_files: True
|
||||||
nginx_tls_cert_source: mycert.pem
|
nginx_tls_cert_file: mycert.pem
|
||||||
nginx_tls_key_source: mykey.pem
|
nginx_tls_key_file: mykey.pem
|
||||||
|
|
||||||
nginx_tls_ocsp_enabled: False
|
nginx_tls_ocsp_enabled: False
|
||||||
|
# nginx_tls_ocsp_trusted_certificate: # defaults to not set
|
||||||
|
|
||||||
nginx_tls_hsts_enabled: False
|
nginx_tls_hsts_enabled: False
|
||||||
nginx_hsts_options:
|
nginx_hsts_options:
|
||||||
- nginx_hsts_max_age=63072000
|
- nginx_hsts_max_age=63072000
|
||||||
- includeSubDomains
|
- includeSubDomains
|
||||||
|
|
||||||
|
nginx_xfo_enabled: True
|
||||||
|
nginx_xfo_policy: deny
|
||||||
|
|
||||||
|
nginx_xcto_enabled: True
|
||||||
|
|
||||||
|
nginx_xxxsp_enabled: True
|
||||||
|
nginx_xxxsp_parameters:
|
||||||
|
- mode=block
|
||||||
|
|
||||||
nginx_vhosts_dir: /var/www/vhosts
|
nginx_vhosts_dir: /var/www/vhosts
|
||||||
|
|
||||||
nginx_default_page_enabled: False
|
nginx_default_page_enabled: False
|
||||||
|
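Review bot: The default `nginx_hsts_options` entry `nginx_hsts_max_age=63072000` is a literal string, not a variable reference, so once the template joins the list the header renders as `Strict-Transport-Security "nginx_hsts_max_age=63072000; includeSubDomains"` — it carries no `max-age` directive, which makes it invalid under RFC 6797 and browsers ignore it; the entry should read `- max-age=63072000`. The comment for `nginx_tls_source_use_content` names `nginx_tls_cert_file` twice where the second should be `nginx_tls_key_file`, and since that mode puts private-key material into a plain variable it is worth stating there that the value belongs in an Ansible Vault-encrypted var and that the task writing it should run with `no_log: true` (the task is not visible here). `nginx_tls_source_use_content` and `nginx_tls_source_use_files` can both be true or both false with nothing in the defaults deciding precedence; a single selector such as `nginx_tls_source: files` or a documented precedence rule would avoid an ambiguous configuration. The `True`/`False` literals are YAML 1.1 style; `true`/`false` is what yamllint's truthy rule expects.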
@ -1,8 +1,25 @@
|
|||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
# default header settings
|
|
||||||
{% if nginx_tls_enabled and nginx_tls_hsts_enabled %}
|
# protect against protocol downgrading and cookie hijacking
|
||||||
|
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
|
||||||
|
{% if nginx_tls_hsts_enabled %}
|
||||||
add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
|
add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
|
# improve the protection against Clickjacking
|
||||||
|
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo
|
||||||
|
{% if nginx_xfo_enabled %}
|
||||||
|
add_header X-Frame-Options {{ nginx_xfo_policy }};
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# prevent from interpreting files as something else than declared by the content type in HTTP headers
|
||||||
|
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
|
||||||
|
{% if nginx_xcto_enabled %}
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
{% endif %}
|
||||||
|
|
||||||
|
# enables the cross-site scripting (XSS) filter of the browsers
|
||||||
|
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
|
||||||
|
{% if nginx_xxxsp_enabled %}
|
||||||
|
add_header X-XSS-Protection "1; {{ nginx_xxxsp_parameters | default([])|join(' ; ') }}";
|
||||||
|
{% endif %}
|
||||||
|
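Review bot: The HSTS block now tests only `nginx_tls_hsts_enabled`, dropping the `nginx_tls_enabled` conjunct the old condition carried, so the header is emitted for a plain-HTTP vhost as well; browsers discard HSTS received over HTTP, so a deployment with TLS off and HSTS on silently produces a no-op instead of either protecting or failing, and `{% if nginx_tls_enabled and nginx_tls_hsts_enabled %}` should be kept (or the dependency documented in the defaults). `X-XSS-Protection` is enabled by default with `mode=block`; current OWASP guidance is to send `X-XSS-Protection: 0` or omit the header, because Chromium removed its XSS auditor and the filter itself introduced information-leak side effects, so consider defaulting `nginx_xxxsp_enabled` to false or adding a comment `# deprecated: modern guidance is to disable the browser XSS filter` above the block. Note also that nginx drops every `add_header` from an outer scope in any `server` or `location` block that declares its own `add_header`; wherever this snippet is included (not visible here), child blocks that add a header must re-include it or these protections vanish for those paths.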