Page MenuHomeDevCentral
Files F3767334

No OneTemporary
Actions

View Options

diff --git a/roles/webserver-core/nginx/config.sls b/roles/webserver-core/nginx/config.sls
index 733f947..64ab7dd 100644
--- a/roles/webserver-core/nginx/config.sls
+++ b/roles/webserver-core/nginx/config.sls
@@ -1,118 +1,119 @@
# -------------------------------------------------------------
# Salt — Webserver core units for all webservers roles
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% from "roles/webserver-core/map.jinja" import options, certbot_dir with context %}
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
# -------------------------------------------------------------
# Accounts - web group
#
# A group shared between nginx, back-end and content directories
# to allow ACL giving access to the nginx process.
#
# This group will so be used by:
# - nginx process (configured in nginx.conf)
# - back-end UNIX sockets like php-fpm sockets can be 660
# - more private folders can use 007 as umask
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_group:
group.present:
- name: web
- gid: 9003
- system: True
# -------------------------------------------------------------
# Base configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/nginx.conf:
file.managed:
- source: salt://roles/webserver-core/nginx/files/nginx.conf
- template: jinja
- context:
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
# -------------------------------------------------------------
# includes folder
#
# :: general configuration
# :: application-specific code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_nginx_includes:
file.recurse:
- name: {{ dirs.etc }}/nginx/includes
- source: salt://roles/webserver-core/nginx/files/includes
- dir_mode: 755
- file_mode: 644
- template: jinja
- context:
+ nginx_version: {{ salt["nginx.version"]() }}
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
certbot_dir: {{ certbot_dir }}
# -------------------------------------------------------------
# Parameters for Diffie-Hellman
#
# Some ciphers still require DH exchange. They contain "DHE" in
# the name, e.g. DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_nginx_dh:
cmd.run:
- name: openssl dhparam -out {{ dirs.etc }}/nginx/dhparams.pem 4096
- creates: {{ dirs.etc }}/nginx/dhparams.pem
# -------------------------------------------------------------
# OCSP - Online Certificate Status Protocol
#
# To allow nginx to verify TLS certificate presented by CA
# when it makes requests to the CRL, a bundle of CA certificates
# should be available.
#
# To generate the bundle file on this repository, use `make`.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/share/certs/ocsp-ca-certs.pem:
file.managed:
- source: salt://roles/webserver-core/nginx/files/ocsp-ca-certs.pem
- makedirs: True
- mode: 644
# -------------------------------------------------------------
# Logs
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/var/log/www:
file.directory:
- user: {{ options["www_user"] }}
- group: web
- dir_mode: 711
{% if has_selinux %}
selinux_context_nginx_logs:
selinux.fcontext_policy_present:
- name: /var/log/www
- sel_type: httpd_log_t
selinux_context_nginx_logs_applied:
selinux.fcontext_policy_applied:
- name: /var/log/www
{% endif %}
# -------------------------------------------------------------
# vhost folder
#
# To be filled by the specific web role or unit
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/vhosts:
file.directory
diff --git a/roles/webserver-core/nginx/files/includes/tls b/roles/webserver-core/nginx/files/includes/tls
index 006dd9d..75b906c 100644
--- a/roles/webserver-core/nginx/files/includes/tls
+++ b/roles/webserver-core/nginx/files/includes/tls
@@ -1,66 +1,72 @@
# -------------------------------------------------------------
# nginx :: configuration :: TLS
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: Compatible TLS configuration for most clients
# Strategy: nginx 1.22.1, intermediate config, OpenSSL 1.1.1o
# See also: https://ssl-config.mozilla.org/
# License: Trivial work, not eligible for copyright.
# Source file: roles/webserver-core/nginx/files/includes/tls
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
+{% if salt["pkg.version_cmp"](nginx_version, "1.25.1") >= 0 -%}
+listen 443 ssl;
+listen [::]:443 ssl;
+http2 on;
+{%- else -%}
listen 443 ssl http2;
listen [::]:443 ssl http2;
+{%- endif %}
keepalive_timeout 70;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_dhparam {{ nginx_dir }}/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# -------------------------------------------------------------
# HSTS - HTTP Strict Transport Security
#
# As we provide a Let's Encrypt certificate for all our services,
# browser should be instructed to connect directly to HTTPS.
#
# This is low risk, as the browser only honour this request
# as soon as it successfully connected to HTTPS without any
# certificate issue.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
add_header Strict-Transport-Security "max-age=63072000" always;
# -------------------------------------------------------------
# OCSP - Online Certificate Status Protocol
#
# To improve TLS handshake speed, and to help protecting the
# privacy of the users connecting here, as there isn't any need
# for them to connect to the CRL anymore, OSCP is enabled.
#
# The parameter `ssl_trusted_certificate` points to a bundle
# of CA certificates, currently containing Let's Encrypt
# intermediate and root certificates. If *any* certificate
# is issued by another CA, their certificates must be added
# to the bundle too.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/share/certs/ocsp-ca-certs.pem;
resolver 127.0.0.1;
diff --git a/roles/webserver-core/nginx/files/includes/tls-modern-only b/roles/webserver-core/nginx/files/includes/tls-modern-only
index 0f6d0f3..3d3f2e4 100644
--- a/roles/webserver-core/nginx/files/includes/tls-modern-only
+++ b/roles/webserver-core/nginx/files/includes/tls-modern-only
@@ -1,63 +1,69 @@
# -------------------------------------------------------------
# nginx :: configuration :: TLS
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: Modern services with only TLS 1.3 support
# Strategy: nginx 1.17.7, modern config, OpenSSL 1.1.1k
# See also: https://ssl-config.mozilla.org/
# License: Trivial work, not eligible for copyright.
# Source file: roles/webserver-core/nginx/files/includes/tls-modern-only
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
+{% if salt["pkg.version_cmp"](nginx_version, "1.25.1") >= 0 -%}
+listen 443 ssl;
+listen [::]:443 ssl;
+http2 on;
+{%- else -%}
listen 443 ssl http2;
listen [::]:443 ssl http2;
+{%- endif %}
keepalive_timeout 70;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# -------------------------------------------------------------
# HSTS - HTTP Strict Transport Security
#
# As we provide a Let's Encrypt certificate for all our services,
# browser should be instructed to connect directly to HTTPS.
#
# This is low risk, as the browser only honour this request
# as soon as it successfully connected to HTTPS without any
# certificate issue.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
add_header Strict-Transport-Security "max-age=63072000" always;
# -------------------------------------------------------------
# OCSP - Online Certificate Status Protocol
#
# To improve TLS handshake speed, and to help protecting the
# privacy of the users connecting here, as there isn't any need
# for them to connect to the CRL anymore, OSCP is enabled.
#
# The parameter `ssl_trusted_certificate` points to a bundle
# of CA certificates, currently containing Let's Encrypt
# intermediate and root certificates. If *any* certificate
# is issued by another CA, their certificates must be added
# to the bundle too.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/share/certs/ocsp-ca-certs.pem;
resolver 127.0.0.1;

File Metadata

Mime Type
text/x-diff
Expires
Sun, Nov 24, 23:37 (13 h, 56 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2259184
Default Alt Text
(9 KB)

Event Timeline

Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator