diff --git a/roles/WebServer/files/conf.d/Core/aaa_default.conf b/roles/WebServer/files/conf.d/Core/aaa_default.conf
index b60868d..0366743 100644
--- a/roles/WebServer/files/conf.d/Core/aaa_default.conf
+++ b/roles/WebServer/files/conf.d/Core/aaa_default.conf
@@ -1,21 +1,12 @@
 server {
 listen 443 ssl http2;
 server_name default_server;
-include sec.conf;
-include letsencrypt.conf;
-include default.csp.conf;
-rewrite ^/(.*)$ https://aninix.net/$1 permanent;
-
-}
-
-server {
-listen 443 ssl http2;
-server_name aninix.net;
 include sec.conf;
-include letsencrypt.conf;
 include default.csp.conf;
+include letsencrypt.conf;
+
 location / {
 rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
@@ -54,3 +45,16 @@ server {
 }
 }
+
+server {
+listen 443 ssl http2;
+server_name foundation.aninix.net;
+include sec.conf;
+include letsencrypt.conf;
+include default.csp.conf;
+
+location / {
+rewrite ^/(.*)$ https://aninix.net/$1 permanent;
+}
+
+}
diff --git a/roles/WebServer/files/conf.d/Core/cyberbrain.conf b/roles/WebServer/files/conf.d/Core/cyberbrain.conf
index 271828b..bee3392 100755
--- a/roles/WebServer/files/conf.d/Core/cyberbrain.conf
+++ b/roles/WebServer/files/conf.d/Core/cyberbrain.conf
@@ -4,7 +4,6 @@ server {
 include sec.conf;
 include default.csp.conf;
-include letsencrypt.conf;
 location / {
@@ -19,4 +18,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Real-PORT $remote_port;
 }
+
+include letsencrypt.conf;
+
 }
diff --git a/roles/WebServer/files/conf.d/Core/geth.conf b/roles/WebServer/files/conf.d/Core/geth.conf
index fbb1b9e..d024669 100644
--- a/roles/WebServer/files/conf.d/Core/geth.conf
+++ b/roles/WebServer/files/conf.d/Core/geth.conf
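Review bot: `server_name default_server;` declares a literal hostname called "default_server" — `default_server` is a parameter of `listen`, not a name — and this hunk also removes `server_name aninix.net;`, so the aninix.net content is now served only because this block happens to be the first `listen 443` server nginx parses (the `aaa_` file name), and every unmatched Host on 443 lands on the site content instead of the old redirect-only default. Making the intent explicit and independent of include order takes two lines: `listen 443 ssl http2 default_server;` and `server_name aninix.net;`. The server block continues past the end of this hunk.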
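Review bot: The new foundation.aninix.net block redirects with `rewrite ^/(.*)$ https://aninix.net/$1 permanent;` inside `location /`; `return 301 https://aninix.net$request_uri;` does the same without a regex match and is the form nginx documents for whole-site redirects. Because `location /` is a plain prefix, the longer `/.well-known/acme-challenge` prefix from letsencrypt.conf still wins for that path, so certificate renewal for this name is not affected by the redirect.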
@@ -15,15 +15,15 @@ server {
 location / {
-proxy_set_header Host $http_host;
-proxy_set_header X-Forwarded-Host $host;
-proxy_set_header X-Forwarded-Server $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_pass http://geth.msn0.aninix.net:8123;
-proxy_redirect http:// https://;
-proxy_http_version 1.1;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection $connection_upgrade;
-proxy_read_timeout 86400;
+proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_pass http://geth.msn0.aninix.net:8123;
+proxy_redirect http:// https://;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+proxy_read_timeout 86400;
 }
 }
diff --git a/roles/WebServer/files/conf.d/Core/lykos-wiki.conf b/roles/WebServer/files/conf.d/Core/lykos-wiki.conf
index de1855a..2c39edf 100644
--- a/roles/WebServer/files/conf.d/Core/lykos-wiki.conf
+++ b/roles/WebServer/files/conf.d/Core/lykos-wiki.conf
@@ -2,7 +2,7 @@ server {
 listen 443 ssl;
 server_name lykos.aninix.net;
-include letsencrypt.conf;
+# include local.conf;
 root /usr/share/webapps/;
@@ -34,4 +34,6 @@ server {
 deny all;
 }
+include letsencrypt.conf;
+
 }
diff --git a/roles/WebServer/files/conf.d/Core/password.conf b/roles/WebServer/files/conf.d/Core/password.conf
index 0ec73e1..efcc548 100644
--- a/roles/WebServer/files/conf.d/Core/password.conf
+++ b/roles/WebServer/files/conf.d/Core/password.conf
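Review bot: The lykos-wiki hunk swaps the letsencrypt include for a commented-out `# include local.conf;`, which is dead configuration (the new travelpawscvt.com.conf in this commit carries the same `#include local.conf;`); either drop it or add a comment saying what local.conf is expected to provide. No `include sec.conf;` is visible in this `listen 443 ssl;` block within the hunk; if it is not further down (the block continues outside the hunk), this vhost has no certificate, protocol or cipher settings of its own and relies on whatever the http-level context defines — worth confirming.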
@@ -6,28 +6,30 @@ server {
 include default.csp.conf;
 include letsencrypt.conf;
-root /usr/share/webapps/self-service-password/htdocs/;
+location / {
+root /usr/share/webapps/self-service-password/htdocs/;
-# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
-index index.php index.html index.htm;
+# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
+index index.php index.html index.htm;
-# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
-sendfile off;
+# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
+sendfile off;
-gzip on;
-gzip_comp_level 6;
-gzip_min_length 1000;
-gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
-gzip_vary on;
-gzip_proxied any;
-gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+gzip on;
+gzip_comp_level 6;
+gzip_min_length 1000;
+gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
+gzip_vary on;
+gzip_proxied any;
+gzip_disable "MSIE [1-6]\.(?!.*SV1)";
-# Add stdout logging
+# Add stdout logging
-#error_log /dev/stdout warn;
-#access_log /dev/stdout info;
+#error_log /dev/stdout warn;
+#access_log /dev/stdout info;
-include ../conf.d/fastcgi.config;
+include ../conf.d/fastcgi.config;
+}
 # deny access to . files, for security
 #
diff --git a/roles/WebServer/files/conf.d/Core/travelpawscvt.com.conf b/roles/WebServer/files/conf.d/Core/travelpawscvt.com.conf
new file mode 100644
index 0000000..c694bfe
--- /dev/null
+++ b/roles/WebServer/files/conf.d/Core/travelpawscvt.com.conf
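Review bot: Moving `include ../conf.d/fastcgi.config;` into `location /` changes what it applies to: if that file declares a nested `location ~ \.php$` the move is harmless, but if it holds bare `fastcgi_pass`/`fastcgi_param` directives every request under `/`, static assets included, is now handed to PHP-FPM; fastcgi.config is outside this diff, so please confirm which it is. The `gzip on` block is scoped to the same location, and nginx always compresses `text/html` when gzip is on, so the dynamic pages of a password self-service app are compressed over TLS — the precondition for BREACH-style leakage of per-session tokens; limiting compression to the static types in `gzip_types` (or `gzip off` for this vhost) removes that exposure at little cost. The `# deny access to . files` location that follows is outside the hunk.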
@@ -0,0 +1,14 @@
+server {
+listen 443 ssl;
+server_name travelpawscvt.com;
+
+#include local.conf;
+include letsencrypt.conf;
+include ../conf.d/fastcgi.config;
+
+root /opt/travelpawscvt;
+
+client_max_body_size 5m;
+client_body_timeout 60;
+
+}
diff --git a/roles/WebServer/files/conf.d/Core/wolfpack.conf b/roles/WebServer/files/conf.d/Core/wolfpack.conf
index eac55d5..b0beda4 100644
--- a/roles/WebServer/files/conf.d/Core/wolfpack.conf
+++ b/roles/WebServer/files/conf.d/Core/wolfpack.conf
@@ -4,7 +4,6 @@ server {
 include sec.conf;
 include default.csp.conf;
-include letsencrypt.conf;
 location / {
@@ -12,4 +11,6 @@ server {
 autoindex on;
 autoindex_format html;
 }
+
+include letsencrypt.conf;
 }
diff --git a/roles/WebServer/files/conf/letsencrypt.conf b/roles/WebServer/files/conf/letsencrypt.conf
index c195417..0eeee9a 100644
--- a/roles/WebServer/files/conf/letsencrypt.conf
+++ b/roles/WebServer/files/conf/letsencrypt.conf
@@ -1,5 +1,4 @@
-location ~ ^/.well-known/acme-challenge
-{
+location /.well-known/acme-challenge {
 allow all;
 root /var/lib/letsencrypt/;
 default_type "text/plain";
diff --git a/roles/WebServer/tasks/main.yml b/roles/WebServer/tasks/main.yml
index 898fd19..8cea8af 100644
--- a/roles/WebServer/tasks/main.yml
+++ b/roles/WebServer/tasks/main.yml
@@ -53,6 +53,17 @@
 mode: 0660
 register: conf
+- name: Populate security config
+become: yes
+template:
+src: sec.conf.j2
+dest: /opt/openresty/nginx/conf/sec.conf
+owner: http
+group: http
+mode: 0660
+register: secconf
+
+
 - name: Ensure default openresty service file is off.
 become: yes
 service:
@@ -62,7 +73,7 @@
 - name: Ensure service is started
 become: yes
-when: conf.changed or confd.changed
+when: conf.changed or confd.changed or secconf.changed
 service:
 name: "{{ item }}"
 enabled: yes
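Review bot: The new travelpawscvt.com server declares `listen 443 ssl;` but never includes sec.conf, so unless the http-level context (not in this diff) defines `ssl_certificate`, this block has no certificate, no `ssl_protocols`/`ssl_ciphers` policy and no HSTS header; and even an http-level default would present the single `ssl.identity` certificate from sec.conf.j2 rather than one valid for travelpawscvt.com. It needs either `include sec.conf;` (only if that certificate carries this name as a SAN) or its own `ssl_certificate`/`ssl_certificate_key` pair plus the protocol and cipher lines. The block also lacks the `# deny access to . files` location that password.conf carries, and `include ../conf.d/fastcgi.config;` sits at server level over a bare `root /opt/travelpawscvt;`, so what gets executed depends on that include's contents, which are outside this diff. The `#include local.conf;` line is dead configuration and can go.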
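Review bot: `location /.well-known/acme-challenge {` is now a plain prefix location, and nginx lets a matching regular-expression location override the longest prefix match unless that prefix is declared with `^~`. password.conf's "deny access to . files" location (its body is outside this diff) looks like such a regex, and the challenge path begins with `/.well-known`, so renewals on that vhost could start returning 403 after this change. `location ^~ /.well-known/acme-challenge {` keeps the prefix form and stops the regex search; the old `~ ^/...` form only worked by include order, which the other hunks in this commit also move around.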
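Review bot: `src: sec.conf.j2` will not resolve: this commit renames the template to `roles/WebServer/templates/conf/sec.conf.j2`, and the `template` module looks up a relative `src` under the role's `templates/` directory, so the task needs `src: conf/sec.conf.j2` (or the file has to live directly under `templates/`). The new task also copies the existing `owner: http` / `group: http` / `mode: 0660` pattern, which makes the TLS configuration writable by the worker user; `owner: root`, `group: http`, `mode: 0640` lets the root master process read it without a compromised worker being able to rewrite certificate paths or the cipher policy. The `when:` extension in the second hunk is consistent with the new `register: secconf`.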
diff --git a/roles/WebServer/files/conf/sec.conf b/roles/WebServer/templates/conf/sec.conf.j2
similarity index 80%
rename from roles/WebServer/files/conf/sec.conf
rename to roles/WebServer/templates/conf/sec.conf.j2
index 85724fb..20541d8 100644
--- a/roles/WebServer/files/conf/sec.conf
+++ b/roles/WebServer/templates/conf/sec.conf.j2
@@ -1,12 +1,12 @@
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
-ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
+ssl_certificate /etc/letsencrypt/live/{{ ssl.identity }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ ssl.identity }}/privkey.pem;
 ssl_session_cache shared:SSL:1m;
 ssl_session_timeout 5m;
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ciphers "{{ ssl.ciphersuite }}";
 ssl_prefer_server_ciphers on;
 add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
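Review bot: `ssl_ciphers "{{ ssl.ciphersuite }}";` hands the whole cipher policy to an inventory variable with no default, so the explicit `!NULL:!SSLv2:!SSLv3:!TLSv1` exclusions that were hard-coded now exist only wherever that variable is set, a host missing it fails to render, and a weak value is accepted silently. Keeping the old list as the baseline is one line: `ssl_ciphers "{{ ssl.ciphersuite | default('!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH') }}";`. Since every server block that includes sec.conf presents the single `ssl.identity` certificate, the travelpawscvt.com vhost added in this commit only works if that name is a SAN on that certificate; otherwise it needs its own certificate pair. A header comment naming `ssl.identity` (a `/etc/letsencrypt/live/` directory name) and `ssl.ciphersuite` (an OpenSSL cipher string) would make the template's inputs clear to whoever maintains the inventory.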