From 342d8ef5e1d988877efbd1bc5d333640d7523570 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Sun, 17 Apr 2022 10:45:53 +0200
Subject: Initial commit

---
 playbooks.d/webserver/share/snippets.d/certbot.conf | 5 +++++
 playbooks.d/webserver/share/snippets.d/headers.conf | 4 ++++
 playbooks.d/webserver/share/snippets.d/ssl.conf | 16 ++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 playbooks.d/webserver/share/snippets.d/certbot.conf
 create mode 100644 playbooks.d/webserver/share/snippets.d/headers.conf
 create mode 100644 playbooks.d/webserver/share/snippets.d/ssl.conf
(limited to 'playbooks.d/webserver/share/snippets.d')

diff --git a/playbooks.d/webserver/share/snippets.d/certbot.conf b/playbooks.d/webserver/share/snippets.d/certbot.conf
new file mode 100644
index 0000000..64c9195
--- /dev/null
+++ b/playbooks.d/webserver/share/snippets.d/certbot.conf
@@ -0,0 +1,5 @@
+# Certbot endpoint
+location /.well-known/acme-challenge {
+ root /var/www/.acme;
+ try_files $uri $uri/ =404;
+}
diff --git a/playbooks.d/webserver/share/snippets.d/headers.conf b/playbooks.d/webserver/share/snippets.d/headers.conf
new file mode 100644
index 0000000..c277e3d
--- /dev/null
+++ b/playbooks.d/webserver/share/snippets.d/headers.conf
@@ -0,0 +1,4 @@
+add_header Content-Security-Policy "default-src 'self'" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
diff --git a/playbooks.d/webserver/share/snippets.d/ssl.conf b/playbooks.d/webserver/share/snippets.d/ssl.conf
new file mode 100644
index 0000000..68bcdf0
--- /dev/null
+++ b/playbooks.d/webserver/share/snippets.d/ssl.conf
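Review bot: The plain prefix `location /.well-known/acme-challenge {` in certbot.conf can be shadowed by any regex `location ~ …` block in the same server, because nginx gives regex locations precedence over an ordinary prefix match; a rewrite, redirect or auth rule elsewhere would then intercept the ACME challenge and renewals would fail until the certificate expires. Using the `^~` modifier with a trailing slash, `location ^~ /.well-known/acme-challenge/ {`, makes this block win the match and also stops it catching unrelated paths that merely start with the same prefix. Whether such regex locations exist depends on the server blocks that include this snippet, which are not part of this commit.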
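Review bot: headers.conf relies on every block that includes it defining no `add_header` of its own, because nginx inherits `add_header` directives from the enclosing level only when the current level sets none; a `location` that adds even one unrelated header silently drops all four set here (and the HSTS header from ssl.conf, when both snippets are included at the same level). A comment at the top of the file would make that explicit: `# NOTE: add_header is not merged across levels - any server/location that sets its own add_header must re-include this snippet or it loses every header below.` The including server blocks are outside this commit, so I cannot tell whether any of them already hits this.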
@@ -0,0 +1,16 @@
+# SSL settings
+ssl_protocols TLSv1.3 TLSv1.2;
+
+ssl_buffer_size 4K;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_ecdh_curve secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:le_nginx_SSL:2m;
+ssl_session_tickets off;
+ssl_session_timeout 1440m;
+
+# Ciphers
+ssl_ciphers 'EECDH+AESGCM:EECDH+AES256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA';
+
+# Additional headers
+add_header Strict-Transport-Security "max-age=63072000" always;
-- 
cgit v1.1
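Review bot: The `ssl_ciphers` string in ssl.conf excludes only the RSA CBC suites (`!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA`), so with an ECDSA certificate `EECDH+AES256` still admits `ECDHE-ECDSA-AES256-SHA384` and `ECDHE-ECDSA-AES256-SHA`, the CBC/HMAC suites the exclusions appear intended to remove. Stating the allowed set positively avoids that asymmetry, e.g. `ssl_ciphers 'EECDH+AESGCM:EECDH+CHACHA20';` (check the expansion with `openssl ciphers -v` on the target's OpenSSL build, as TLS 1.2 names vary by version). Two smaller points: with no `EDH`/`DHE` entry in the list, `ssl_dhparam /etc/nginx/dhparam.pem;` can never be selected and is dead configuration, and `ssl_ecdh_curve secp521r1:secp384r1;` omits X25519 and prime256v1, the groups most clients prefer, so handshakes fall back to the slower secp384r1 and, if a client offers neither, fail outright (several mainstream browsers no longer offer secp521r1); `ssl_ecdh_curve X25519:secp384r1;` would keep the strength while improving interoperability.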