2 # Copyright (C) The Arvados Authors. All rights reserved.
4 # SPDX-License-Identifier: AGPL-3.0
6 {%- set passenger_pkg = 'nginx-mod-http-passenger'
7 if grains.osfinger in ('CentOS Linux-7') else
8 'libnginx-mod-http-passenger' %}
9 {%- set passenger_mod = '/usr/lib64/nginx/modules/ngx_http_passenger_module.so'
10 if grains.osfinger in ('CentOS Linux-7',) else
11 '/usr/lib/nginx/modules/ngx_http_passenger_module.so' %}
12 {%- set passenger_ruby = '/usr/local/rvm/rubies/ruby-2.7.2/bin/ruby'
13 if grains.osfinger in ('CentOS Linux-7', 'Ubuntu-18.04',) else
18 install_from_phusionpassenger: true
20 passenger_package: {{ passenger_pkg }}
23 passenger_ruby: {{ passenger_ruby }}
28 # This is required to get the passenger module loaded
29 # In Debian it can be done with this
30 # include: 'modules-enabled/*.conf'
31 load_module: {{ passenger_mod }}
37 # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
38 ssl_hardening_default.conf:
39 - ssl_session_timeout: 1d
40 - ssl_session_cache: 'shared:arvadosSSL:10m'
41 - ssl_session_tickets: 'off'
43 # intermediate configuration
44 - ssl_protocols: TLSv1.2 TLSv1.3
45 - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
46 - ssl_prefer_server_ciphers: 'off'
48 # HSTS (ngx_http_headers_module is required) (63072000 seconds)
49 - add_header: 'Strict-Transport-Security "max-age=63072000" always'
52 # FIXME! Stapling does not work with self-signed certificates, so disabling for tests
53 # - ssl_stapling: 'on'
54 # - ssl_stapling_verify: 'on'
56 # verify chain of trust of OCSP response using Root CA and Intermediate certs
57 # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
59 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
60 # - ssl_dhparam: /path/to/dhparam
62 # replace with the IP address of your resolver
63 # - resolver: 127.0.0.1
65 arvados-snakeoil.conf:
66 - ssl_certificate: /etc/ssl/private/arvados-snakeoil-cert.pem
67 - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
72 # Update default config to redirect to https
81 - location /.well-known:
84 - return: '301 https://$host$request_uri'