bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #4 from bdebyl/CU-cwkb6h

Browse Source 
CU-cwkb6h Updates from Mozilla Observatory scan
This commit is contained in:
bdebyl
2020-10-02 22:25:36 -04:00
committed by GitHub
parent 1e395b150c 40c28e8e8e
commit 55617d4c67
4 changed files with 21 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ansible/roles/http/files/nginx/nginx.conf
View File

@@ -34,11 +34,6 @@ http {
# client_max_body_size 2k; # client_max_body_size 2k;
# large_client_header_buffers 2 1k; # large_client_header_buffers 2 1k;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; object-src 'none'";
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
include /etc/nginx/sites-enabled/*.conf; include /etc/nginx/sites-enabled/*.conf;

2
ansible/roles/http/tasks/https.yml
View File

@@ -7,6 +7,7 @@
mode: 0644 mode: 0644
with_items: with_items:
- "{{ ci_server_name }}.https.conf" - "{{ ci_server_name }}.https.conf"
notify: restart_nginx
tags: https tags: https
- name: enable desired nginx https sites - name: enable desired nginx https sites
@@ -18,5 +19,4 @@
with_items: with_items:
- "{{ ci_server_name }}.https.conf" - "{{ ci_server_name }}.https.conf"
notify: restart_nginx notify: restart_nginx
when: stat_result.stat.exists
tags: https tags: https

36
ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
View File

@@ -7,38 +7,42 @@ server {
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name {{ ci_server_name }}; server_name {{ ci_server_name }};
add_header Strict-Transport-Security max-age=6307200;
add_header Allow "GET, POST, HEAD" always;
#limit_except GET POST { deny all; }
ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_cache shared:SSL:10m; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
location / { location / {
modsecurity on; modsecurity on;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf; modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
add_header Allow "GET, POST, HEAD" always;
add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://*.githubusercontent.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
add_header Referrer-Policy "same-origin" always;
add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
# Sent from upstream:
# add_header X-Frame-Options "SAMEORIGIN";
# add_header X-XSS-Protection "1; mode=block";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://drone; proxy_pass http://drone;
proxy_redirect off; proxy_redirect off;
proxy_http_version 1.1;
proxy_buffering off;
chunked_transfer_encoding off; chunked_transfer_encoding off;
} }

7
ansible/roles/ssl/tasks/certbot.yml
View File

@@ -16,10 +16,3 @@
args: args:
creates: "/etc/letsencrypt/live/{{ ci_server_name }}" creates: "/etc/letsencrypt/live/{{ ci_server_name }}"
tags: ssl tags: ssl
- name: check if certbot certificate was created
become: true
stat:
path: "/etc/letsencrypt/live/{{ ci_server_name }}"
register: stat_result
tags: ssl