Changeset - 9767536963e6
Branko Majic (branko) - 2016-01-24 13:49:20
branko@majic.rs
MAR-49: Implemented TLS hardening for web server role.
3 files changed with 15 insertions and 0 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -1010,6 +1010,8 @@ The role implements the following:
 
* Installs and configures nginx with a single, default vhost with a small static
 
  index page.
 
* Deploys the HTTPS TLS private key and certificate (for default vhost).
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:**
 
  older web browsers may have problems connecting.
 
* Configures firewall to allow incoming connections to the web server.
 
* Installs and configures virtualenv and virtualenvwrapper as a common base for
 
  Python apps.
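Review bot: the **Note:** on the TLS hardening bullet is too vague to act on; state which clients are affected (anything without TLSv1.2 support, since that is the only protocol the new tls.conf leaves enabled) so an operator can weigh the compatibility trade-off before applying the role. It would also help to say that the protocol and cipher settings now live in /etc/nginx/conf.d/tls.conf and that the ssl_protocols line in the main nginx.conf is removed, since both of those changes are in this changeset but neither is visible from the reference text.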
roles/web_server/files/tls.conf
 
new file 100644
 
ssl_protocols TLSv1.2;
 
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT;
 
\ No newline at end of file
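Review bot: the DHE-* suites in ssl_ciphers are enabled without an ssl_dhparam directive, so nginx falls back to its built-in Diffie-Hellman parameters for them (later releases disable DHE suites entirely when ssl_dhparam is absent); either generate parameters and add `ssl_dhparam /path/to/dhparam.pem;` (placeholder path) or drop the DHE-* entries and keep only the ECDHE suites. Two smaller points: there is no `ssl_prefer_server_ciphers on;`, so the client's preference decides among the listed suites and the order given here (DHE before ECDHE) carries no weight; and the file has no trailing newline, which nginx tolerates but which makes every later edit to this file show up as a noisy diff.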
roles/web_server/tasks/main.yml
 
@@ -20,6 +20,17 @@
 
  notify:
 
    - Restart nginx
 

	
 
- name: Remove TLS protocol configuration from the main configuration file
 
  lineinfile: dest="/etc/nginx/nginx.conf" backrefs=yes regexp="^ssl_protocols" state=absent
 
  notify:
 
    - Restart nginx
 

	
 
- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
 
  copy: dest="/etc/nginx/conf.d/tls.conf" src="tls.conf"
 
        owner="root" group="root" mode=644
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy script for verification of nginx vhost configurations
 
  copy: src="nginx_verify_site.sh" dest="/usr/local/bin/nginx_verify_site.sh"
 
        owner=root group=root mode=755
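Review bot: regexp="^ssl_protocols" in the "Remove TLS protocol configuration" task only matches a directive at column 0; a directive indented inside the http block (the usual layout of a distribution-shipped nginx.conf) is left in place, and once conf.d/tls.conf is deployed nginx refuses to start because ssl_protocols is then set twice in the same context. Use regexp="^\s*ssl_protocols" and drop backrefs=yes, which has no effect together with state=absent. Two follow-ups: only ssl_protocols is removed, so if the main configuration also sets ssl_ciphers it will collide with the new file in the same way and needs the same task; and the copy task should write mode=0644 (as the leading zero makes the octal intent explicit) rather than mode=644, for consistency with what the next task's mode=755 is meant to express.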