Robustify TLS nginx settings.

- Prevent POODLE attacks by dropping SSL3. - Prevent attacks against weak Diffie-Hellman keys by disabling export ciphers and using a 2048-bit Diffie-Hellman group. See https://weakdh.org.

Robustify TLS nginx settings.
- Prevent POODLE attacks by dropping SSL3. - Prevent attacks against weak Diffie-Hellman keys by disabling export ciphers and using a 2048-bit Diffie-Hellman group. See https://weakdh.org.
e3c1be16 · Morgan Robertson · bb64152a · e3c1be16 · e3c1be16 · e3c1be16
Commit e3c1be16 authored Jun 17, 2016 by Morgan Robertson
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 0 deletions

playbooks/roles/nginx/defaults/main.yml
+3 -0

playbooks/roles/nginx/tasks/main.yml
+20 -0

playbooks/roles/nginx/templates/etc/nginx/nginx.conf.j2
+10 -0

No files found.
--- a/playbooks/roles/nginx/defaults/main.yml
+++ b/playbooks/roles/nginx/defaults/main.yml
@@ -33,6 +33,9 @@ NGINX_HTTPS_REDIRECT_STRATEGY: "scheme"

 NGINX_SSL_CERTIFICATE: 'ssl-cert-snakeoil.pem'
 NGINX_SSL_KEY: 'ssl-cert-snakeoil.key'
+NGINX_SSL_CIPHERS: "'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'"
+NGINX_SSL_PROTOCOLS: "TLSv1 TLSv1.1 TLSv1.2"
+NGINX_DH_PARAMS_PATH: "/etc/ssl/private/dhparams.pem"

 NGINX_LOG_FORMAT_NAME: 'p_combined'
 # When set to False, nginx will pass X-Forwarded-For, X-Forwarded-Port,

--- a/playbooks/roles/nginx/tasks/main.yml
+++ b/playbooks/roles/nginx/tasks/main.yml
 # requires:
 #   - common/tasks/main.yml
 ---
+
+- name: Create Diffie-Hellman parameters to prevent weak key exchange
+  command: openssl dhparam -out "{{ NGINX_DH_PARAMS_PATH | basename }}" 2048
+  args:
+    chdir: "{{ NGINX_DH_PARAMS_PATH | dirname }}"
+    creates: "{{ NGINX_DH_PARAMS_PATH }}"
+  tags:
+    - install
+    - install:configuration
+
+- name: Restrict permissions of DH parameters file
+  file:
+    path: "{{ NGINX_DH_PARAMS_PATH }}"
+    owner: "root"
+    group: "root"
+    mode: 0600
+  tags:
+    - install
+    - install:configuration
+
 - name: Create nginx app and data dirs
  file:
    path: "{{ item.path }}"

--- a/playbooks/roles/nginx/templates/etc/nginx/nginx.conf.j2
+++ b/playbooks/roles/nginx/templates/etc/nginx/nginx.conf.j2
@@ -45,6 +45,16 @@ http {
        error_log {{ nginx_log_dir }}/error.log;

        ##
+        # SSL/TLS settings
+        ##
+
+        ssl_protocols {{ NGINX_SSL_PROTOCOLS }};
+        ssl_ciphers {{ NGINX_SSL_CIPHERS }};
+        ssl_prefer_server_ciphers on;
+        ssl_dhparam {{ NGINX_DH_PARAMS_PATH }};
+
+
+        ##
        # Gzip Settings
        ##