make hsts static; make iptables optional; remove some vars
parent
34a7a16675
commit
f37bac37d0
@ -42,6 +42,7 @@ nginx_gzip_types:
|
|||||||
- text/css
|
- text/css
|
||||||
- application/xml
|
- application/xml
|
||||||
|
|
||||||
|
nginx_iptables_enabled: False
|
||||||
nginx_open_ports:
|
nginx_open_ports:
|
||||||
- 80
|
- 80
|
||||||
- 443
|
- 443
|
||||||
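Review bot: The new `nginx_iptables_enabled: False` default is undocumented, so a reader of the defaults file cannot tell that turning it off leaves `nginx_open_ports` unmanaged by the role. Add a comment above it: `# When false, the role adds no iptables rule for nginx_open_ports; the host firewall must allow them by other means.` The capitalised `False` matches this file's existing style (`nginx_tls_source_use_files: True` in the next hunk), though yamllint's truthy rule would prefer lowercase `false` if the project ever adopts the linter.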
@ -56,11 +57,6 @@ nginx_tls_source_use_files: True
|
|||||||
nginx_tls_cert_source: mycert.pem
|
nginx_tls_cert_source: mycert.pem
|
||||||
nginx_tls_key_source: mykey.pem
|
nginx_tls_key_source: mykey.pem
|
||||||
|
|
||||||
nginx_pfs_enabled: False
|
|
||||||
nginx_dhparam_size: 4069
|
|
||||||
nginx_dhparam_file: "{{ nginx_tls_certs_dir }}/dhparam-{{ nginx_dhparam_size }}.pem"
|
|
||||||
|
|
||||||
nginx_hsts_enabled: False
|
|
||||||
nginx_hsts_options:
|
nginx_hsts_options:
|
||||||
- nginx_hsts_max_age=63072000
|
- nginx_hsts_max_age=63072000
|
||||||
- includeSubDomains
|
- includeSubDomains
|
||||||
|
@ -81,6 +81,7 @@
|
|||||||
name: allow_nginx_ports
|
name: allow_nginx_ports
|
||||||
state: present
|
state: present
|
||||||
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
|
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
|
||||||
|
when: nginx_iptables_enabled
|
||||||
become: True
|
become: True
|
||||||
become_user: root
|
become_user: root
|
||||||
|
|
||||||
|
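Review bot: Gating the rule task with `when: nginx_iptables_enabled` only skips it, so on a host where `allow_nginx_ports` was applied earlier, flipping the variable to false leaves the ACCEPT rule in place and the toggle is not reversible. If the module honours `state: absent` the same way it honours the visible `state: present`, `state: "{{ 'present' if nginx_iptables_enabled else 'absent' }}"` with the `when:` line dropped would converge in both directions; the task's module line begins before this hunk, so I cannot confirm that from here. At minimum a comment on the task should note that disabling the flag does not remove an existing rule.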
@ -35,19 +35,3 @@
|
|||||||
when: nginx_tls_source_use_files
|
when: nginx_tls_source_use_files
|
||||||
become: True
|
become: True
|
||||||
become_user: root
|
become_user: root
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: Register dhparam file
|
|
||||||
stat:
|
|
||||||
path: "{{ nginx_dhparam_file }}"
|
|
||||||
register: __nginx_dh_file
|
|
||||||
|
|
||||||
- name: Generate Diffie-Hellman parameter file
|
|
||||||
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
|
|
||||||
async: 3600
|
|
||||||
poll: 60
|
|
||||||
when: not __nginx_dh_file.stat.exists
|
|
||||||
notify: __nginx_reload
|
|
||||||
become: True
|
|
||||||
become_user: root
|
|
||||||
when: nginx_pfs_enabled
|
|
||||||
|
@ -1,8 +1,6 @@
|
|||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
# default header settings
|
# default header settings
|
||||||
{% if nginx_tls_enabled and nginx_hsts_enabled %}
|
|
||||||
add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
|
add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
|
||||||
{% endif %}
|
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options DENY;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
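Review bot: Now that the `{% if nginx_tls_enabled and nginx_hsts_enabled %}` gate is gone, the header is rendered unconditionally from `nginx_hsts_options`, and the default list in the defaults hunk above produces `Strict-Transport-Security "nginx_hsts_max_age=63072000; includeSubDomains"`, which carries no `max-age` directive and is therefore ignored by browsers (RFC 6797 requires it), so HSTS is never actually enforced; the defaults entry should read `- max-age=63072000`. The remaining `{% if nginx_hsts_options is defined %}` guard also leaves a bare `add_header Strict-Transport-Security;` when the variable is undefined, which nginx should reject at config test time for a missing value, so it is safer to drop the guard and always render the quoted value. Note too that nginx does not inherit `add_header` into a `server`/`location` block that sets its own `add_header`, so "static" here still depends on where this file is included.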