diff options
| author | Tharre <tharre3@gmail.com> | 2018-04-24 20:44:16 +0200 |
|---|---|---|
| committer | Tharre <tharre3@gmail.com> | 2018-05-09 03:21:51 +0200 |
| commit | c2e93c2370de9a0948b07e5768c7ac572d299c63 (patch) | |
| tree | 9c30e6b01b293651cc7d5ce316c844cc0b3e520a /roles/nginx/templates | |
| download | infrastructure-c2e93c2370de9a0948b07e5768c7ac572d299c63.tar.gz infrastructure-c2e93c2370de9a0948b07e5768c7ac572d299c63.tar.xz infrastructure-c2e93c2370de9a0948b07e5768c7ac572d299c63.zip | |
Initial commit
Diffstat (limited to 'roles/nginx/templates')
| -rw-r--r-- | roles/nginx/templates/letsencrypt.conf | 5 | ||||
| -rw-r--r-- | roles/nginx/templates/nginx.conf.j2 | 29 | ||||
| -rw-r--r-- | roles/nginx/templates/sslsettings.conf | 18 |
3 files changed, 52 insertions, 0 deletions
diff --git a/roles/nginx/templates/letsencrypt.conf b/roles/nginx/templates/letsencrypt.conf new file mode 100644 index 0000000..99dd6c6 --- /dev/null +++ b/roles/nginx/templates/letsencrypt.conf @@ -0,0 +1,5 @@ +location /.well-known/acme-challenge { + root {{ letsencrypt_validation_dir }}; + default_type "text/plain"; + try_files $uri =404; +} diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 new file mode 100644 index 0000000..00b2789 --- /dev/null +++ b/roles/nginx/templates/nginx.conf.j2 @@ -0,0 +1,29 @@ +user http; +worker_processes auto; + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr $host $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" $request_time'; + + sendfile on; + keepalive_timeout 65; + client_max_body_size 16M; + + gzip on; + gzip_comp_level 6; + gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + + index index.php index.html index.htm; + + include snippets/sslsettings.conf; + + include nginx.d/*.conf; +} diff --git a/roles/nginx/templates/sslsettings.conf b/roles/nginx/templates/sslsettings.conf new file mode 100644 index 0000000..761c554 --- /dev/null +++ b/roles/nginx/templates/sslsettings.conf @@ -0,0 +1,18 @@ +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; + +ssl_protocols TLSv1.2; +ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; +ssl_prefer_server_ciphers on; + +# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) +add_header Strict-Transport-Security max-age=15768000; + +# OCSP Stapling --- +# fetch OCSP records from URL in ssl_certificate and cache them +ssl_stapling on; +ssl_stapling_verify on; + +resolver 8.8.8.8 8.8.4.4 valid=300s; +resolver_timeout 5s; |