From f37bac37d08edacab06741803e2cf75c1a2c96b0 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Tue, 14 Aug 2018 22:02:35 +0200
Subject: [PATCH] make hsts static; make iptables optional; remove some vars
---
defaults/main.yml | 6 +-----
tasks/install.yml | 1 +
tasks/tls.yml | 16 ----------------
templates/etc/nginx/conf.d/header.conf.j2 | 2 --
4 files changed, 2 insertions(+), 23 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index a76f93b..ddd2727 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -42,6 +42,7 @@ nginx_gzip_types: - text/css - application/xml +nginx_iptables_enabled: False nginx_open_ports: - 80 - 443
@@ -56,11 +57,6 @@ nginx_tls_source_use_files: True nginx_tls_cert_source: mycert.pem nginx_tls_key_source: mykey.pem -nginx_pfs_enabled: False -nginx_dhparam_size: 4069 -nginx_dhparam_file: "{{ nginx_tls_certs_dir }}/dhparam-{{ nginx_dhparam_size }}.pem" - -nginx_hsts_enabled: False nginx_hsts_options: - nginx_hsts_max_age=63072000 - includeSubDomains
diff --git a/tasks/install.yml b/tasks/install.yml
index 6edf22e..3b91b29 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -81,6 +81,7 @@ name: allow_nginx_ports state: present rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT' +when: nginx_iptables_enabled become: True become_user: root
diff --git a/tasks/tls.yml b/tasks/tls.yml
index 4240d04..372a0b8 100644
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@@ -35,19 +35,3 @@ when: nginx_tls_source_use_files become: True become_user: root - -- block: - - name: Register dhparam file stat: path: "{{ nginx_dhparam_file }}" register: __nginx_dh_file - - name: Generate Diffie-Hellman parameter file shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}" async: 3600 poll: 60 when: not __nginx_dh_file.stat.exists notify: __nginx_reload become: True become_user: root when: nginx_pfs_enabled
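Review bot: The new `nginx_iptables_enabled` variable in the first defaults/main.yml hunk is added without a comment saying what it gates, and because it defaults to False the role silently stops adding the ACCEPT rule for `nginx_open_ports` on deployments that relied on it. The task it controls in tasks/install.yml only ever uses `state: present`, so as far as this diff shows a rule installed while the flag was True is left in place after it is set back to False. I'd document both facts above the variable: `# Manage an iptables ACCEPT rule for nginx_open_ports (off by default; disabling does not remove a rule added earlier)`.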
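Review bot: In the tasks/install.yml hunk, `when: nginx_iptables_enabled` tests the raw value, so a string such as `-e nginx_iptables_enabled=false` or an inventory value of `"no"` is truthy and the rule gets installed anyway; write it as `when: nginx_iptables_enabled | bool`. The task still carries only `state: present`, so the flag can add the firewall rule but never removes it once an operator turns the feature off — worth an `absent` counterpart or at least a note in the defaults. The enclosing task begins before this hunk, so I cannot see the module name or confirm the indentation of the new `when`; it must sit at task level beside `become`, not under the module arguments, or the module will reject it as an unknown parameter.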
diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2
index 88a06b6..bf19fbb 100644
--- a/templates/etc/nginx/conf.d/header.conf.j2
+++ b/templates/etc/nginx/conf.d/header.conf.j2
@@ -1,8 +1,6 @@
 # {{ ansible_managed }}
 # default header settings
-{% if nginx_tls_enabled and nginx_hsts_enabled %}
 add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
-{% endif %}
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
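Review bot: Removing the `{% if nginx_tls_enabled and nginx_hsts_enabled %}` guard makes Strict-Transport-Security unconditional, so a deployment with `nginx_tls_enabled` false now sends it over plain HTTP, which RFC 6797 §7.2 says an HSTS host must not do (browsers discard it there anyway); I'd keep a TLS-only guard, `{% if nginx_tls_enabled %}` … `{% endif %}`, around the add_header line even if the separate HSTS switch goes away. With the header always on, the default in defaults/main.yml visible earlier in this patch matters more: `nginx_hsts_max_age=63072000` renders as a directive literally named `nginx_hsts_max_age` rather than the mandatory `max-age`, so the policy as shipped is ignored by browsers and the default should read `max-age=63072000`. If `nginx_hsts_options` is undefined the template now renders `add_header Strict-Transport-Security;` with no value on every host, which nginx rejects at config test, so either fold the `is defined` check into the outer guard or drop it and require the variable.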