test/salt/pillar/examples/nginx_passenger.sls

   1 ---
   2 # Copyright (C) The Arvados Authors. All rights reserved.
   3 #
   4 # SPDX-License-Identifier: Apache-2.0
   5
   6 {%- if grains.os_family in ('RedHat',) %}
   7   {%- set passenger_pkg = 'nginx-mod-http-passenger' %}
   8   {%- set passenger_mod = '/usr/lib64/nginx/modules/ngx_http_passenger_module.so' %}
   9 {%- else %}
  10   {%- set passenger_pkg = 'libnginx-mod-http-passenger' %}
  11   {%- set passenger_mod = '/usr/lib/nginx/modules/ngx_http_passenger_module.so' %}
  12 {%- endif %}
  13
  14 ### NGINX
  15 nginx:
  16   install_from_phusionpassenger: true
  17   lookup:
  18     passenger_package: {{ passenger_pkg }}
  19   ### SERVER
  20   server:
  21     config:
  22       # This is required to get the passenger module loaded
  23       # In Debian it can be done with this
  24       # include: 'modules-enabled/*.conf'
  25       load_module: {{ passenger_mod }}
  26
  27       worker_processes: 4
  28
  29   ### SNIPPETS
  30   snippets:
  31     # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
  32     ssl_hardening_default.conf:
  33       - ssl_session_timeout: 1d
  34       - ssl_session_cache: 'shared:curiiSSL:10m'
  35       - ssl_session_tickets: 'off'
  36
  37       # intermediate configuration
  38       - ssl_protocols: TLSv1.2 TLSv1.3
  39       - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  40       - ssl_prefer_server_ciphers: 'off'
  41
  42       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  43       - add_header: 'Strict-Transport-Security "max-age=63072000" always'
  44
  45       # OCSP stapling
  46       # FIXME! Stapling does not work with self-signed certificates, so disabling for tests
  47       # - ssl_stapling: 'on'
  48       # - ssl_stapling_verify: 'on'
  49
  50       # verify chain of trust of OCSP response using Root CA and Intermediate certs
  51       # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
  52
  53       # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
  54       # - ssl_dhparam: /path/to/dhparam
  55
  56       # replace with the IP address of your resolver
  57       # - resolver: 127.0.0.1
  58
  59     ssl_snakeoil.conf:
  60       - ssl_certificate: /etc/ssl/certs/arvados-snakeoil-cert.pem
  61       - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
  62
  63   ### SITES
  64   servers:
  65     managed:
  66       # Remove default webserver
  67       default:
  68         enabled: false