refactor tls from source/file handling

This commit is contained in:
Robert Kaussow 2018-10-22 10:11:35 +02:00
parent 9134bed85b
commit 4c62a7fcc2
2 changed files with 38 additions and 8 deletions


@ -48,20 +48,33 @@ nginx_open_ports:
- 443 - 443
nginx_tls_enabled: False nginx_tls_enabled: False
nginx_tls_cert_file: "mycert.pem" # You can deploy your certificates from a file or from content.
nginx_tls_key_file: "mykey.pem" # If you enable nginx_tls_source_use_content you have to put the content of your cert files into
# nginx_tls_cert_file and nginx_tls_cert_file.
nginx_tls_source_use_content: False nginx_tls_source_use_content: False
# If you enable nginx_tls_source_use_files theses variables have to contain the path to your
# certificate files located on the ansible "master" host
nginx_tls_source_use_files: True nginx_tls_source_use_files: True
nginx_tls_cert_source: mycert.pem nginx_tls_cert_file: mycert.pem
nginx_tls_key_source: mykey.pem nginx_tls_key_file: mykey.pem
nginx_tls_ocsp_enabled: False nginx_tls_ocsp_enabled: False
# nginx_tls_ocsp_trusted_certificate: # defaults to not set
nginx_tls_hsts_enabled: False nginx_tls_hsts_enabled: False
nginx_hsts_options: nginx_hsts_options:
- nginx_hsts_max_age=63072000 - nginx_hsts_max_age=63072000
- includeSubDomains - includeSubDomains
nginx_xfo_enabled: True
nginx_xfo_policy: deny
nginx_xcto_enabled: True
nginx_xxxsp_enabled: True
nginx_xxxsp_parameters:
- mode=block
nginx_vhosts_dir: /var/www/vhosts nginx_vhosts_dir: /var/www/vhosts
nginx_default_page_enabled: False nginx_default_page_enabled: False
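Review bot: The new comment above `nginx_tls_source_use_content` names `nginx_tls_cert_file` twice, so it never tells the reader where the key content goes; the second occurrence should be `nginx_tls_key_file`, i.e. `# nginx_tls_cert_file and nginx_tls_key_file.`. The next comment also has a typo, `theses variables` should read `these variables`. Since the same two variables now carry either a path on the controller or the raw PEM content depending on the `nginx_tls_source_use_content` / `nginx_tls_source_use_files` toggles, the comment should state which toggle wins when both are `True` (that is decided by the tasks, which are not in this hunk), and it is worth a line noting that when `nginx_tls_source_use_content` is used the key material lands in variables and should be kept in an encrypted vars file rather than in plain defaults.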


@ -1,8 +1,25 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# default header settings
{% if nginx_tls_enabled and nginx_tls_hsts_enabled %} # protect against protocol downgrading and cookie hijacking
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
{% if nginx_tls_hsts_enabled %}
add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %}; add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
{% endif %} {% endif %}
add_header X-Frame-Options DENY;
# improve the protection against Clickjacking
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo
{% if nginx_xfo_enabled %}
add_header X-Frame-Options {{ nginx_xfo_policy }};
{% endif %}
# prevent from interpreting files as something else than declared by the content type in HTTP headers
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
{% if nginx_xcto_enabled %}
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; {% endif %}
# enables the cross-site scripting (XSS) filter of the browsers
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
{% if nginx_xxxsp_enabled %}
add_header X-XSS-Protection "1; {{ nginx_xxxsp_parameters | default([])|join(' ; ') }}";
{% endif %}