13:5304db8ea096
Anton Shestakov <av6@dwimlabs.net>, Fri, 30 Jun 2017 10:10:40 +0800
nginx: newer versions support "always" in add_header
previous change 12:51e3d9714c57

roles/nginx/templates/etc/nginx/sites-available/munin

Permissions: -rw-r--r--

File Latest Revisions Annotate Diff Comparison
Other formats:
JSON Raw
Feeds:
Atom RSS 
server {
    server_name munin.{{ hostname }};
    listen 80;
    listen [::]:80;
    access_log /var/log/nginx/munin.{{ hostname }}.access.log;
    error_log /var/log/nginx/munin.{{ hostname }}.error.log;
    return 301 https://$host$request_uri;
}
server {
    server_name munin.{{ hostname }};
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.crt;
    ssl_certificate_key /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.key;
    ssl_trusted_certificate /etc/nginx/easy-rsa/keys/ca.crt;
    ssl_client_certificate /etc/nginx/easy-rsa/keys/ca.crt; # XXX: should work without this?
    ssl_verify_client on;
    ssl_dhparam /etc/nginx/dh-2048.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # Various security headers not related to HTTPS
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection '1; mode=block' always;
    # HPKP: 5184000 = 60 days
    add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000' always;
    # HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
    add_header Strict-Transport-Security 'max-age=31536000' always;
    add_header Cache-Control private;
    access_log /var/log/nginx/munin.{{ hostname }}.access.log;
    error_log /var/log/nginx/munin.{{ hostname }}.error.log;
    root /var/cache/munin/www;
    location ~* \.png$ {
        access_log off;
    }
}