majic-ansible-roles Changeset

Changeset - 3352797ee517

Parent rev.

Child rev.

[Not reviewed]

0 5 0

Branko Majic (branko) - 7 years ago 2016-11-22 22:25:09
branko@majic.rs

MAR-68: When enforcing TLS in web_server, wsgi_website, or php_website roles, send connecting clients proper HSTS policy via Strict-Transport-Security header.

5 files changed with 33 insertions and 3 deletions:

docs/rolereference.rst

docs/usage.rst

roles/php_website/templates/nginx_site.j2

roles/web_server/templates/nginx-default.j2

roles/wsgi_website/templates/nginx_site.j2

0 comments (0 inline, 0 general)

docs/rolereference.rst

➞

Show inline comments

@@ @@ -1134,7 +1134,9 @@ Parameters @@
 **default_enforce_https** (boolean, optional, ``True``)
   Specify if HTTPS should be enforced for the default virtual host or not. If
   enforced, clients connecting via plaintext will be redirected to HTTPS.
   enforced, clients connecting via plaintext will be redirected to HTTPS, and
   clients will be served with ``Strict-Transport-Security`` header with value of
   ``max-age=31536000; includeSubDomains``.
 **default_https_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_https.pem') }}``)
   X.509 certificate used for TLS for HTTPS service. The file will be stored in
@@ @@ -1259,7 +1261,9 @@ Parameters @@
 **enforce_https** (boolean, optional, ``True``)
   Specify if HTTPS should be enforced for the website or not. If enforced,
   clients connecting via plaintext will be redirected to HTTPS.
   clients connecting via plaintext will be redirected to HTTPS, and clients will
   be served with ``Strict-Transport-Security`` header with value of
   ``max-age=31536000; includeSubDomains``.
 **fqdn** (string, mandatory)
   Fully-qualified domain name where the website is reachable. This value is used
@@ @@ -1452,7 +1456,9 @@ Parameters @@
 **enforce_https** (boolean, optional, ``True``)
   Specify if HTTPS should be enforced for the website or not. If enforced,
   clients connecting via plaintext will be redirected to HTTPS.
   clients connecting via plaintext will be redirected to HTTPS, and clients will
   be served with ``Strict-Transport-Security`` header with value of
   ``max-age=31536000; includeSubDomains``.
 **fqdn** (string, mandatory)
   Fully-qualified domain name where the website is reachable. This value is used

docs/usage.rst

➞

Show inline comments

 dependency for a custom role. They do come with decent amount of batteries
 included, and also play nice with the web server role.
 As mentioned before, all roles will enforce TLS by default. The web server roles
 will additionaly implement HSTS policy by sending connecting clients
 ``Strict-Transport-Security`` header with value set to ``max-age=31536000;
 includeSubDomains`` (if you disable enforcement of TLS, the header will not be
 sent).
 With all the above noted, let us finally move on to the next step.

roles/php_website/templates/nginx_site.j2

➞

Show inline comments

@@ @@ -26,6 +26,12 @@ server { @@
     ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;
     ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;
 {% if default_enforce_https -%}
     # Set-up HSTS header for preventing downgrades for users that visited the
     # site via HTTPS at least once.
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 {% endif -%}
     {% for config in additional_nginx_config -%}
     # {{ config.comment }}
     {{ config.value }}

roles/web_server/templates/nginx-default.j2

➞

Show inline comments

@@ @@ -28,6 +28,12 @@ server { @@
     ssl_certificate_key /etc/ssl/private/{{ ansible_fqdn }}_https.key;
     ssl_certificate /etc/ssl/certs/{{ ansible_fqdn }}_https.pem;
 {% if default_enforce_https %}
     # Set-up HSTS header for preventing downgrades for users that visited the
     # site via HTTPS at least once.
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 {% endif %}
     # Set-up the serving of default page.
     root /var/www/default/;
     index index.html;

roles/wsgi_website/templates/nginx_site.j2

➞

Show inline comments

@@ @@ -25,6 +25,12 @@ server { @@
     ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;
     ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;
 {% if default_enforce_https -%}
     # Set-up HSTS header for preventing downgrades for users that visited the
     # site via HTTPS at least once.
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 {% endif -%}
     {% for config in additional_nginx_config -%}
     # {{ config.comment }}
     {{ config.value }}

0 comments (0 inline, 0 general)