Getting started
Security defaults
Following the Mozilla intermediate level recommendations, this role configures nginx with only TLSv1.2 and TLSv1.3 enabled. All modern browsers are supported with the default cipher suite. If you need support for older clients, see nginx_default_ssl_ciphers and nginx_default_tls_protocols. To follow the modern level recommendation, enable only TLSv1.3 in nginx_default_tls_protocols. Note that client support for TLSv1.3 is still limited.
Only one elliptic curve (ECC) is enabled by default: secp256r1. While the NCSC-NL TLS Guidelines recommend three other curves, these are not supported by OpenSSL (in Debian Buster, as checked on 2020-08-06).
If TLSv1.3 is the only protocol in use, clients are allowed to choose the cipher, because they know best whether they have hardware-accelerated AES. If TLSv1.2 or lower is enabled, the server's cipher order is preferred instead, because those protocols allow downgrade attacks.
No dhparam is set if the only protocol is TLSv1.3, because that protocol uses Ephemeral Diffie-Hellman key exchange, which employs one-time keys for the current network session. Omitting the option is purely cosmetic, resulting in a cleaner configuration file.
If HTTP Strict Transport Security (see also: HSTS Cheat Sheet) is enabled, the default age is 2 years.
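To check that a deployed server block actually reflects the defaults described above, here is an added Python example (not part of the role) that lints an nginx TLS fragment against those rules: protocol set, cipher preference and dhparam matching the protocol set, and a two-year HSTS max-age. The configuration fragments and the dhparam path in them are constructed for illustration.

```python
import re

# Defaults described above; the HSTS age is the role's "2 years" in seconds.
MODERN = {"TLSv1.3"}
INTERMEDIATE = {"TLSv1.2", "TLSv1.3"}
TWO_YEARS = 60 * 60 * 24 * 365 * 2  # 63072000

def parse_directives(conf):
    """Map directive name -> argument strings for the simple 'name args;' lines
    of a server block (comments stripped, nested blocks ignored)."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"([A-Za-z_]+)\s+(.*);$", line.split("#", 1)[0].strip())
        if m:
            out.setdefault(m.group(1), []).append(m.group(2))
    return out

def audit_tls(conf):
    """Return findings against the defaults above; an empty list means compliant."""
    d = parse_directives(conf)
    findings = []
    protocols = set(d.get("ssl_protocols", [""])[0].split())
    if not protocols or not protocols <= INTERMEDIATE:
        findings.append("ssl_protocols is not limited to TLSv1.2/TLSv1.3")
    prefer = d.get("ssl_prefer_server_ciphers", ["off"])[0]
    if protocols == MODERN and prefer == "on":
        findings.append("TLSv1.3 only: let clients choose ciphers")
    if protocols != MODERN and prefer != "on":
        findings.append("TLSv1.2 enabled: server must choose ciphers")
    if protocols != MODERN and "ssl_dhparam" not in d:
        findings.append("TLSv1.2 enabled: ssl_dhparam is missing")
    hsts = [a for a in d.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    ages = [int(x) for h in hsts for x in re.findall(r"max-age=(\d+)", h)]
    if not ages:
        findings.append("Strict-Transport-Security header is missing")
    elif max(ages) < TWO_YEARS:
        findings.append(f"HSTS max-age {max(ages)} is shorter than two years")
    return findings

# Constructed fragments (not produced by the role); the dhparam path is a placeholder.
INTERMEDIATE_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /path/to/dhparam.pem;
ssl_ecdh_curve secp256r1;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
"""
LEGACY_CONF = ('ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers off;\n'
               'add_header Strict-Transport-Security "max-age=31536000";\n')
```

Running `audit_tls(INTERMEDIATE_CONF)` returns no findings, while the legacy fragment triggers all four checks.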
Example inventory
To manage nginx on a given host or set of hosts, they need to be added to the [debops_service_nginx] Ansible group in the inventory:
[debops_service_nginx]
hostname
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.nginx role:
---
- name: Manage nginx webserver
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_nginx' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: keyring
      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
      keyring__dependent_apt_keys:
        - '{{ nginx__keyring__dependent_apt_keys }}'

    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ nginx__apt_preferences__dependent_list }}'

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ nginx__ferm__dependent_rules }}'

    - role: python
      tags: [ 'role::python', 'skip::python' ]
      python__dependent_packages3:
        - '{{ nginx__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ nginx__python__dependent_packages2 }}'

    - role: nginx
      tags: [ 'role::nginx', 'skip::nginx' ]