clients/servers trying to connect to the SMTP/IMAP server.

  * Updated default set of TLS ciphers used by IMAP/SMTP servers

    (``mail_server_tls_ciphers`` parameter). All CBC ciphers have been

    dropped. This could introduce incompatibility with older clients

    trying to connect to the IMAP/SMTP server.

* ``preseed`` role

  * Parameter ``ansible_key`` is now mandatory.

  * Parameter ``preseed_directory`` is now mandatory.

* ``web_server`` role

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older clients

    trying to connect to the web server.

  * Updated default set of TLS ciphers used by the server

    (``web_server_tls_ciphers`` parameter). All CBC ciphers have been

    dropped. This could introduce incompatibility with older clients

    trying to connect to the server.

* ``wsgi_website`` role

  * Parameters ``gunicorn_version`` and ``futures_version`` have been

    deprecated and removed. Existing roles should be updated to

    utilise the ``wsgi_requirements`` parameter instead.

  * Added parameter ``wsgi_requirements_in`` for listing top-level

    packages for performing pip requirements upgrade checks for

    Gunicorn requirements (listed via existing ``wsgi_requirements``

    parameter).

* ``xmpp_server`` role

  * Parameter ``xmpp_domains`` is now mandatory.

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older

    clients/servers trying to connect to the XMPP server.

  * TLS hardening is now applied to the *c2s* (client) connections on

    both the standard (``5222``) and legacy (``5223``) ports. Protocol

    version and ciphers are configurable via new

    ``xmpp_server_tls_protocol`` and ``xmpp_server_tls_ciphers``

    parameters with defaults enforcing TLSv1.2+ and PFS (perfect

Web Server

----------

The ``web_server`` role can be used for setting-up a web server on destination

machine.

The role is supposed to be very lightweight, providing a basis for deployment of

web applications.

The role implements the following:

* Installs and configures nginx with a single, default vhost with a small static

  index page.

* Deploys the HTTPS TLS private key and certificate (for default vhost).

* Configures TLS versions and ciphers supported by Nginx.

* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for

  incoming connections.

* Configures firewall to allow incoming connections to the web server.

* Installs and configures virtualenv and virtualenvwrapper as a common base for

  Python apps.

* Installs and configures PHP FPM as a common base for PHP apps.

Role dependencies

~~~~~~~~~~~~~~~~~

Depends on the following roles:

* **common**

Parameters

~~~~~~~~~~

**default_https_tls_certificate** (string, mandatory)

  X.509 certificate used for TLS for HTTPS service. The file will be stored in

  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_https.pem``.

**default_https_tls_key** (string, mandatory)

  Private key used for TLS for HTTPS service. The file will be stored in

  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_https.key``.

**web_default_title** (string, optional, ``Welcome``)

  Title for the default web page shown to users (if no other vhosts were matched).

**web_default_message** (string, optional, ``You are attempting to access the web server using a wrong name or an IP address. Please check your URL.``)

  Message for the default web page shown to users (if no other vhosts were

  matched).

**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)

  List of TLS protocols the web server should support. Each value specified

  should be compatible with Nginx configuration option ``ssl_protocols``.

**web_server_tls_ciphers** (string, optional, ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)

  TLS ciphers to enable on the web server. This should be an OpenSSL-compatible

  cipher specification. Value should be compatible with Nginx configuration

  option ``ssl_ciphers``. Default value allows only TLSv1.2 and strong PFS

  ciphers with RSA private keys.

---

web_default_title: "Welcome"

web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."

web_server_tls_protocols:

  - "TLSv1.2"

web_server_tls_ciphers: "\

DHE-RSA-AES128-GCM-SHA256:\

DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-CHACHA20-POLY1305:\

ECDHE-RSA-AES128-GCM-SHA256:\

ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-CHACHA20-POLY1305:\

!aNULL:!MD5:!EXPORT"

# Internal parameters

php_fpm_package_name: "php-fpm"

php_fpm_service_name: "php7.0-fpm"

php_base_config_dir: "/etc/php/7.0"

---

default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_https.cert.pem') }}"

default_https_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_https.key.pem') }}"

web_default_title: "Optional Welcome"

web_default_message: "Welcome to parameters-optional, default virtual host."

web_server_tls_protocols:

  - TLSv1.1

  - TLSv1.2

web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"

# common

ca_certificates:

  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

    Tests if certificate validity check configuration file has been deployed

    correctly.

    """

    hostname = host.run('hostname').stdout.strip()

    config = host.file('/etc/check_certificate/%s_https.conf' % hostname)

    assert config.is_file

    assert config.user == 'root'

    assert config.group == 'root'

    assert config.mode == 0o644

    assert config.content_string == "/etc/ssl/certs/%s_https.pem" % hostname

def test_tls_enabled(host):

    """

    Tests if TLS has been enabled.

    """

    hostname = host.run('hostname').stdout.strip()

    fqdn = hostname[:hostname.rfind('-')]

    tls = host.run('wget -q -O - https://%s/', fqdn)

    assert tls.rc == 0

    # Run the nmap scanner against the LDAP server, and fetch the

    # results.

    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 443 localhost -oX /tmp/report.xml")

    assert nmap.rc == 0

    report_content = host.file('/tmp/report.xml').content_string

    report_root = ElementTree.fromstring(report_content)

    tls_versions = []

    tls_ciphers = set()

    for child in report_root.findall("./host/ports/port/script/table"):

        tls_versions.append(child.attrib['key'])

    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):

        tls_ciphers.add(child.text)

    tls_versions.sort()

    tls_ciphers = sorted(list(tls_ciphers))

    assert tls_versions == expected_tls_versions

    assert tls_ciphers == expected_tls_ciphers

def test_default_vhost_index_page(host):

    """

    Tests content of default vhost index page.

    """

    page = host.run('curl https://parameters-mandatory/')

    assert page.rc == 0

    assert "<title>Welcome</title>" in page.stdout

    assert "<h1>Welcome</h1>" in page.stdout

    assert "<p>You are attempting to access the web server using a wrong name or an IP address. Please check your URL.</p>" in page.stdout

    # Run the nmap scanner against the LDAP server, and fetch the

    # results.

    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 443 localhost -oX /tmp/report.xml")

    assert nmap.rc == 0

    report_content = host.file('/tmp/report.xml').content_string

    report_root = ElementTree.fromstring(report_content)

    tls_versions = []

    tls_ciphers = set()

    for child in report_root.findall("./host/ports/port/script/table"):

        tls_versions.append(child.attrib['key'])

    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):

        tls_ciphers.add(child.text)

    tls_versions.sort()

    tls_ciphers = sorted(list(tls_ciphers))

    assert tls_versions == expected_tls_versions

    assert tls_ciphers == expected_tls_ciphers

def test_default_vhost_index_page(host):

    """

    Tests content of default vhost index page.

    """

    page = host.run('curl https://parameters-optional/')

    assert page.rc == 0

    assert "<title>Optional Welcome</title>" in page.stdout

    assert "<h1>Optional Welcome</h1>" in page.stdout

    assert "<p>Welcome to parameters-optional, default virtual host.</p>" in page.stdout

#

# Default server (vhost) configuration.

#

server {

    # HTTP (plaintext) configuration.

    listen 80 default_server;

    listen [::]:80 default_server;

    # Set server_name to something that won't be matched (for default server).

    server_name _;

    # Redirect plaintext connections to HTTPS

    return 301 https://$host$request_uri;

}

server {

    # HTTPS (TLS) configuration.

    listen 443 ssl default_server;

    listen [::]:443 ssl default_server;

    ssl_certificate_key /etc/ssl/private/{{ ansible_fqdn }}_https.key;

    ssl_certificate /etc/ssl/certs/{{ ansible_fqdn }}_https.pem;

    # Set-up HSTS header for preventing downgrades for users that visited the

    # site via HTTPS at least once.

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Set-up the serving of default page.

    root /var/www/default/;

    index index.html;

    # Set server_name to something that won't be matched (for default server).

    server_name _;

    location / {

        # Always point user to the same index page.

        try_files $uri /index.html;

    }

}