updated nginx state

2021-11-07 23:37:17 +01:00 · 2021-11-07 23:37:17 +01:00 · 0063d09424
commit 0063d09424
parent bde50a789b
8 changed files with 105 additions and 94 deletions
--- a/states/nginx/install.sls
+++ b/states/nginx/install.sls
@ -3,3 +3,19 @@
 nginx-pkg:
  pkg.installed:
    - pkgs: {{ nginx.packages }}
+
+nginx-logs-user-acl:
+  acl.present:
+    - name: /var/log/nginx
+    - acl_type: user
+    - acl_name: www-data
+    - perms: rwx
+    - recurse: true
+
+nginx-logs-group-acl:
+  acl.present:
+    - name: /var/log/nginx
+    - acl_type: group
+    - acl_name: www-data
+    - perms: rwx
+    - recurse: true
--- a/states/nginx/templates/nginx.conf.j2
+++ b/states/nginx/templates/nginx.conf.j2
@ -27,7 +27,6 @@ http {
  sendfile            on;
  keepalive_timeout   60;
  server_tokens       off;
-  #more_set_headers  'Server: PaulBSD Fast Webserver';

  proxy_intercept_errors    on;
  fastcgi_intercept_errors  on;
--- a/states/nginx/templates/ssl_params.j2
+++ b/states/nginx/templates/ssl_params.j2
@ -1,23 +1,19 @@
 ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}

+add_header                  Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header                  X-Content-Type-Options nosniff;
+add_header                  X-Frame-Options DENY;
+add_header                  X-XSS-Protection "1; mode=block";
+resolver_timeout            5s;
 ssl_certificate             /etc/acme/certs/paulbsd.com.cert;
 ssl_certificate_key         /etc/acme/keys/paulbsd.com.key;
-ssl_session_timeout 5m;
-#ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
-ssl_protocols TLSv1.3 TLSv1.2;
-#ssl_ciphers	HIGH:!aNULL:!MD5;
-#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
 ssl_ciphers                 EECDH+AESGCM:EECDH+CHACHA20;
-ssl_prefer_server_ciphers	on;
+ssl_dhparam                 /etc/acme/dh/dh.pem;
 ssl_ecdh_curve              secp384r1;
+ssl_prefer_server_ciphers   on;
+ssl_protocols               TLSv1.3 TLSv1.2;
 ssl_session_cache           shared:SSL:10m;
 ssl_session_tickets         off;
+ssl_session_timeout         5m;
 ssl_stapling                on;
 ssl_stapling_verify         on;
-ssl_dhparam /etc/acme/dh/dh.pem;
-#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
-resolver_timeout 5s; 
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";