Diffstat (limited to 'roles/web/files/conf.d')
-rw-r--r-- | roles/web/files/conf.d/security_headers.conf | 79 | ||||
-rw-r--r-- | roles/web/files/conf.d/ssl.conf | 69 |
2 files changed, 0 insertions, 148 deletions
diff --git a/roles/web/files/conf.d/security_headers.conf b/roles/web/files/conf.d/security_headers.conf
deleted file mode 100644
index f4a7135..0000000
--- a/roles/web/files/conf.d/security_headers.conf
+++ /dev/null
@@ -1,79 +0,0 @@
-#
-# /usr/local/etc/nginx/security_headers
-#
-# Security headers for Nginx/HTTP(s)
-#
-# Aaron LI
-# 2017-11-22
-#
-# Credits
-# -------
-# * Hardening your HTTP response headers
-# https://scotthelme.co.uk/hardening-your-http-response-headers/
-# * Nginx add_header configuration pitfall
-# https://blog.g3rt.nl/nginx-add_header-pitfall.html
-# * Nginx - ngx_http_headers_module - add_header
-# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
-#
-# Tools
-# -----
-# * Security Headers Analyzer
-# https://securityheaders.io/
-#
-# 2017-11-23: Be less paranoid, due to the reverse proxy services ...
-#
-
-#
-# NOTE: Use "always" for security headers.
-#
-# WARNING: The "add_header" directive (and some others) are inherited
-# from the *previous* level *IF AND ONLY IF* there are NO
-# "add_header" directives defined on the *current* level.
-# Such behavior leads to the *pitfall* that the added headers
-# may get *cleared*! In consequence, this common header
-# configuration file *must* be included within every context
-# that has "add_header" directives!
-#
-
-# Instruct the client to force a HTTPS connection to the domain and all
-# its subdomains for 2 year.
-# See also: https://hstspreload.org/
-#add_header Strict-Transport-Security
-# "max-age=63072000; includeSubdomains; preload" always;
-add_header Strict-Transport-Security
- "max-age=31536000; includeSubdomains" always;
-
-# The Content Security Policy (CSP) header allows to define a whitelist
-# of approved sources of content for the site. By restricting the assets
-# that a browser can load, CSP can act as an effective countermeasure to
-# XSS attacks.
-#
-# Enforce TLS on all assets and prevent mixed content warnings.
-add_header Content-Security-Policy
- "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
-# Only allow to load assets from self!
-#add_header Content-Security-Policy "default-src 'self'" always;
-
-# The X-Frame-Options (XFO) header protects the visitors against
-# clickjacking attacks.
-# Only allow yourselves to frame your own site.
-add_header X-Frame-Options "SAMEORIGIN" always;
-# Do not allow the site to be framed at all!
-#add_header X-Frame-Options "DENY" always;
-
-# Enable the cross-site scripting filter built into most browsers, and
-# tell the browser to block the response if it detects an attack rather
-# than sanitizing the script.
-add_header X-XSS-Protection "1; mode=block" always;
-
-# Prevent a browser from trying to MIME-sniff the content type and forces
-# it to stick with the declared content-type.
-add_header X-Content-Type-Options "nosniff" always;
-
-# Allow a site to control how much information the browser includes with
-# navigations away from a document.
-#
-# The browser will send the full URL to requests to the same origin, but
-# only send the origin when requests are cross-origin. No information
-# allowed to be sent when a scheme downgrade happens.
-add_header Referrer-Policy "strict-origin-when-cross-origin" always;
diff --git a/roles/web/files/conf.d/ssl.conf b/roles/web/files/conf.d/ssl.conf
deleted file mode 100644
index acda0eb..0000000
--- a/roles/web/files/conf.d/ssl.conf
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# /usr/local/etc/nginx/conf.d/ssl.conf
-#
-# SSL/TLS settings for Nginx
-#
-# Aaron LI
-# 2017-04-25
-#
-# Credits
-# -------
-# * Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd
-# https://cipherli.st/
-# * Strong SSL Security on nginx
-# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-# * Mozilla - Security - Server Side TLS
-# https://wiki.mozilla.org/Security/Server_Side_TLS
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/
-# * Let's Encrypt & Nginx
-# https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/
-# * Nginx SSL and TLS Deployment Best Practice
-# https://www.linode.com/docs/web-servers/nginx/nginx-ssl-and-tls-deployment-best-practices
-# * Best nginx configuration for improved security (and performance)
-# https://gist.github.com/plentz/6737338
-# * Hardening your HTTP response headers
-# https://scotthelme.co.uk/hardening-your-http-response-headers/
-#
-# Tools
-# -----
-# * Qualys SSL Labs SSL Server Test
-# https://www.ssllabs.com/ssltest/
-# * Security Headers Analyzer
-# https://securityheaders.io/
-#
-
-
-# Diffie-Hellman group:
-# $ openssl dhparam -out /usr/local/etc/ssl/dhparam2048.pem 2048
-# or even go with 4096-bit DH pool:
-# $ openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096
-# NOTE: This may take up to tens of minutes ...
-#ssl_dhparam /usr/local/etc/ssl/dhparam2048.pem;
-ssl_dhparam /usr/local/etc/ssl/dhparam4096.pem;
-
-# Only use the latest TLS protocols
-# TLSv1.3 requires nginx >= 1.13
-#ssl_protocols TLSv1.2 TLSv1.3;
-ssl_protocols TLSv1.2;
-ssl_prefer_server_ciphers on;
-# Credit: https://mozilla.github.io/server-side-tls/ssl-config-generator/
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
-# Credit: https://github.com/mozilla/server-side-tls/issues/135
-ssl_session_tickets off;
-
-# The Online Certificate Status Protocol (OCSP) was created to speed up
-# the process that operating systems and browsers use to check for
-# certificate revocation.
-# Allow the server to send its cached OCSP record to the client during
-# the TLS handshake, bypassing the OCSP responder and saving a roundtrip
-# between the client and the OCSP responder.
-#
-# NOTE: If the "ssl_certificate" file does NOT contain intermediate
-# certificates, the certificate of the server certificate issuer
-# should be present in the "ssl_trusted_certificate" file.
-#
-ssl_stapling on;
-ssl_stapling_verify on;