paulbsd/paulbsd-salt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated nginx state

Browse Source
This commit is contained in:
Paul 2021-11-07 23:37:17 +01:00
parent bde50a789b
commit 0063d09424
8 changed files with 105 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
states/nginx/install.sls
View File

@ -3,3 +3,19 @@
nginx-pkg: nginx-pkg:
pkg.installed: pkg.installed:
- pkgs: {{ nginx.packages }} - pkgs: {{ nginx.packages }}
nginx-logs-user-acl:
acl.present:
- name: /var/log/nginx
- acl_type: user
- acl_name: www-data
- perms: rwx
- recurse: true
nginx-logs-group-acl:
acl.present:
- name: /var/log/nginx
- acl_type: group
- acl_name: www-data
- perms: rwx
- recurse: true

1
states/nginx/templates/nginx.conf.j2
View File

@ -27,7 +27,6 @@ http {
sendfile on; sendfile on;
keepalive_timeout 60; keepalive_timeout 60;
server_tokens off; server_tokens off;
#more_set_headers 'Server: PaulBSD Fast Webserver';
proxy_intercept_errors on; proxy_intercept_errors on;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;

22
states/nginx/templates/ssl_params.j2
View File

@ -1,23 +1,19 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
resolver_timeout 5s;
ssl_certificate /etc/acme/certs/paulbsd.com.cert; ssl_certificate /etc/acme/certs/paulbsd.com.cert;
ssl_certificate_key /etc/acme/keys/paulbsd.com.key; ssl_certificate_key /etc/acme/keys/paulbsd.com.key;
ssl_session_timeout 5m;
#ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.3 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20;
ssl_prefer_server_ciphers on; ssl_dhparam /etc/acme/dh/dh.pem;
ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_session_timeout 5m;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_dhparam /etc/acme/dh/dh.pem;
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";