@kovalevsky
Created November 2, 2018 16:16
ansible, nginx, certbot
# geerlingguy.certbot
# Variables for the geerlingguy.certbot Ansible role: obtain one certificate
# covering the apex and www hostnames if it is not already present.
# The nginx vhost below expects the resulting files under
# /etc/letsencrypt/live/{{ app_domain }}/.
certbot_create_if_missing: true
certbot_certs:
  # NOTE(review): certbot@{{ app_domain }} receives expiry/renewal notices from
  # Let's Encrypt — confirm that mailbox actually exists and is monitored.
  - email: "certbot@{{ app_domain }}"
    domains: ["{{ app_domain }}", "www.{{ app_domain }}"]
# Scheme to report to the upstream in X-Forwarded-Proto.
# If the request already carried X-Forwarded-Proto it is passed through
# unchanged; only when the header is absent does nginx fall back to the
# scheme of its own client connection ($scheme).
# NOTE(review): pass-through means the value is whatever the client sent.
# That is only appropriate when a trusted proxy in front of nginx overwrites
# or strips this header. If nginx is itself the TLS-terminating edge (which
# the certbot setup on this page suggests), using `$scheme` unconditionally
# is the safer choice — confirm the deployment topology before the app
# relies on this header for "is this request secure?" decisions.
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}
# Port to report to the upstream in X-Forwarded-Port.
# If the request already carried X-Forwarded-Port it is passed through
# unchanged; otherwise the port the client connected to ($server_port) is
# used.
# NOTE(review): same trust caveat as the X-Forwarded-Proto map above — the
# pass-through value is client-controlled unless a trusted proxy upstream of
# nginx sets it.
map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    '' $server_port;
}
# Connection header to send to the upstream.
# When the client asked for a protocol Upgrade (e.g. WebSocket) the upstream
# gets "Connection: upgrade"; otherwise it gets "Connection: close", so no
# client-supplied Connection value is ever forwarded and each proxied
# request uses a fresh upstream connection.
map $http_upgrade $proxy_connection {
    default upgrade;
    '' close;
}
# MIME types eligible for on-the-fly gzip (text/html is always included by
# nginx). NOTE(review): this only takes effect if `gzip on;` is set somewhere
# in the http context — it is not on this page.
gzip_types text/plain text/css application/javascript
           application/json application/x-javascript
           text/xml application/xml application/xml+rss text/javascript;

# Per-vhost access log format used by the TLS server block below; it prefixes
# the common log format with the requested $host.
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';

# HTTP/1.1 to the upstream so Upgrade/Connection handling (see the
# $proxy_connection map) works; responses are streamed rather than buffered,
# and upstream Location headers are passed through unmodified.
proxy_http_version 1.1;
proxy_buffering off;
proxy_redirect off;

# Headers handed to the upstream. Host/Upgrade/Connection/X-Forwarded-* are
# derived from the client request and the maps defined above; X-Real-IP and
# X-Forwarded-For carry the connecting client's address.
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;

# Mitigate the httpoxy issue: a client-sent "Proxy" request header would be
# exposed to the application as HTTP_PROXY, so it is cleared before proxying.
proxy_set_header Proxy "";

# Do not reveal the nginx version in Server headers / error pages.
server_tokens off;

# No global access log; the TLS vhost below enables its own log file.
access_log off;
# The application server, reached over a Puma unix socket under the
# deployment's shared/ directory ({{ app_base_path }} is an Ansible variable).
# NOTE(review): the nginx worker user needs read/write access to this socket
# — verify the socket's ownership/mode in the Puma configuration.
upstream app {
    server unix:{{ app_base_path }}/shared/tmp/sockets/puma.sock;
}
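# Catch-all for plain-HTTP requests whose Host header matches none of the
# vhosts below: answer 501 without touching the application.
# Because this block appears before the redirect vhost, it is the default
# server for port 80 (nginx picks the first server listed for a port when no
# `default_server` flag is given), so unknown or missing Host values land
# here rather than being redirected or proxied.
# Fix: bind IPv6 explicitly. Without a listen directive nginx only bound
# *:80, while the TLS vhost below listens on [::]:443 as well, so IPv6
# clients on port 80 were refused instead of reaching this block.
# (444 — close the connection without a response — is the usual nginx
# choice for a catch-all; 501 is kept here to preserve the existing
# behaviour.)
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 501;
}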
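# Permanent redirect of every plain-HTTP request for the apex or www host to
# its HTTPS equivalent, preserving path and query string.
# $host is bounded by the server_name match: requests for any other Host
# value are handled by the catch-all `server_name _` block above, so this
# redirect cannot be pointed at an arbitrary client-chosen hostname.
# Fix: also listen on [::]:80. The TLS vhost binds [::]:443, so IPv6 clients
# could reach HTTPS but got "connection refused" on HTTP and never saw the
# redirect.
server {
    server_name www.{{ app_domain }} {{ app_domain }};

    listen 80;
    listen [::]:80;

    return 301 https://$host$request_uri;
}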
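# HTTPS vhost for the application.
#
# Changes from the previous version of this block:
#  * server_name now lists www.{{ app_domain }} too, matching the redirect
#    vhost and the certbot domain list; previously www requests were only
#    served because this was the sole (hence default) server on port 443.
#  * the deprecated `ssl on;` is dropped — `listen ... ssl` already enables
#    TLS, and the directive is removed in recent nginx releases.
#  * the duplicated access_log directive is removed; nginx honours both, so
#    every request was being written to the same file twice.
#  * the browser-hardening headers are repeated inside the static-file
#    location (see the comment there for why).
server {
    server_name {{ app_domain }} www.{{ app_domain }};

    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;

    # Certificate chain issued by certbot for {{ app_domain }}; chain.pem is
    # used to validate stapled OCSP responses (ssl_stapling_verify).
    ssl_certificate /etc/letsencrypt/live/{{ app_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ app_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ app_domain }}/chain.pem;

    access_log /var/log/nginx/{{ app_domain }}-access.log vhost;

    # Upper bound on request bodies (uploads); larger requests get 413.
    client_max_body_size 30M;

    # Serve files straight from the release's public/ directory when they
    # exist, otherwise hand the request to the application.
    root {{ app_base_path }}/current/public;
    try_files $uri @app;

    location @app {
        proxy_pass http://app;
    }

    # Long-lived caching for fingerprinted assets and uploads. `expires max`
    # already emits Cache-Control: max-age and an Expires header; the
    # add_header below appends a second Cache-Control value ("public").
    location ~ ^/(assets|uploads)/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;

        # nginx's add_header is not additive across levels: as soon as a
        # location has its own add_header, NONE of the add_header directives
        # from the enclosing server/http level are inherited. Without the
        # repeats below, responses under /assets/ and /uploads/ were sent
        # without HSTS, CSP, nosniff, etc. That matters most for /uploads/,
        # which serves user-supplied files — nosniff and the CSP limit what
        # a browser will execute from an uploaded file. Keep this list in
        # sync with the add_header set in the shared TLS settings snippet.
        add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
        add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
        add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
    }
}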
# See https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8#stronger-settings-for-a
# Shared TLS hardening + browser security headers. Meant to be included at
# http or server level; every directive here is valid in both contexts.

# Session resumption via a 1 MB cache shared across workers; tickets are
# disabled so resumption keys are not long-lived (a forward-secrecy concern).
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# TLS 1.2 only, server-chosen cipher order: forward-secret (ECDHE/DHE)
# AES-GCM suites first, then AES-256 suites. Only the P-384 curve is offered
# for ECDHE.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;

# OCSP stapling, with the stapled response checked against
# ssl_trusted_certificate (set in the vhost).
# NOTE(review): stapling needs a `resolver` directive in the http context to
# look up the OCSP responder; none is visible on this page — confirm one is
# set elsewhere, otherwise nginx silently serves without a staple.
ssl_stapling on;
ssl_stapling_verify on;

# Browser hardening headers.
# NOTE(review): add_header is not inherited into any block that declares its
# own add_header (for example a location that sets Cache-Control); such
# blocks must repeat these directives or the headers are lost there.
# HSTS for ~6 months (15768000 s). The `preload` token is present, but the
# browser preload list requires max-age of at least 31536000 (1 year), so as
# written this header would not be accepted for preload submission; the
# trailing ";" is tolerated by browsers but not part of the syntax.
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
# Deny-by-default CSP: only same-origin scripts, images and styles, no
# framing, no foreign base URI or form targets. Anything the app needs
# beyond that (fonts, XHR/fetch endpoints, inline styles) must be added
# explicitly, otherwise the browser blocks it.
add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
# Fallback list: browsers that do not understand the later value use the
# earlier one.
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
# X-Frame-Options is the legacy equivalent of CSP frame-ancestors for older
# browsers (note it permits same-origin framing while the CSP denies all).
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# Legacy header: current browsers ignore it and recent guidance suggests
# the value 0 because the filter itself has caused issues — review before
# keeping.
add_header X-XSS-Protection "1; mode=block";