From c2e93c2370de9a0948b07e5768c7ac572d299c63 Mon Sep 17 00:00:00 2001
From: Tharre <tharre3@gmail.com>
Date: Tue, 24 Apr 2018 20:44:16 +0200
Subject: Initial commit

---
 roles/nginx/templates/letsencrypt.conf |  5 +++++
 roles/nginx/templates/nginx.conf.j2    | 29 +++++++++++++++++++++++++++++
 roles/nginx/templates/sslsettings.conf | 18 ++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 roles/nginx/templates/letsencrypt.conf
 create mode 100644 roles/nginx/templates/nginx.conf.j2
 create mode 100644 roles/nginx/templates/sslsettings.conf

(limited to 'roles/nginx/templates')

diff --git a/roles/nginx/templates/letsencrypt.conf b/roles/nginx/templates/letsencrypt.conf
new file mode 100644
index 0000000..99dd6c6
--- /dev/null
+++ b/roles/nginx/templates/letsencrypt.conf
@@ -0,0 +1,5 @@
+location /.well-known/acme-challenge {
+    root {{ letsencrypt_validation_dir }};
+    default_type "text/plain";
+    try_files $uri =404;
+}
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
new file mode 100644
index 0000000..00b2789
--- /dev/null
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,29 @@
+user http;
+worker_processes auto;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr $host $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for" $request_time';
+
+    sendfile        on;
+    keepalive_timeout  65;
+    client_max_body_size 16M;
+
+    gzip on;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+    index  index.php index.html index.htm;
+
+    include snippets/sslsettings.conf;
+
+    include nginx.d/*.conf;
+}
diff --git a/roles/nginx/templates/sslsettings.conf b/roles/nginx/templates/sslsettings.conf
new file mode 100644
index 0000000..761c554
--- /dev/null
+++ b/roles/nginx/templates/sslsettings.conf
@@ -0,0 +1,18 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security max-age=15768000;
+
+# OCSP Stapling ---
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
-- 
cgit v1.2.3-70-g09d2