Nginx
States to install and configure the fast and light webserver Nginx.
Available states

certs

Installs include files for the SSL certificates defined in the nginx:certs pillar. An example looks like this:

    nginx:
      certs:
        <cert-name>:
          crt: /etc/ssl/certs/site.chained.crt
          key: /etc/ssl/private/site.key
          ocsp: /etc/ssl/certs/site.ocsp.resp
The certificate must be chained with the intermediate certificates of the CA, but without the root certificate:

    cat site.crt sub.crt > site.chained.crt

Starting with nginx 1.3.7, OCSP stapling is available. To enable it, create the stapling file as follows:

    # the CA certificate that issued the server certificate (the intermediate, sub.crt above, when one is used)
    ISSUER_CER=<issuer.crt>
    SERVER_CER=<cert-name.crt>
    # take the OCSP responder URL from the certificate's Authority Information Access extension
    URL=$(openssl x509 -in "$SERVER_CER" -noout -text | grep "OCSP - URI:" | cut -d: -f2,3)
    # fetch a response and store it as the file referenced by the pillar's ocsp key
    openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer "$ISSUER_CER" -cert "$SERVER_CER" -url "$URL"
dhparams

Adds the ssl_dhparam parameter to the includes/ssl file.
hash_size

Adds the file /etc/nginx/conf.d/hash_size.conf to increase the server names hash size:

    # this file is managed by salt
    server_names_hash_bucket_size 64;
init

The init.sls includes server, so the base nginx installation is done.

php
Includes the nginx server as well as the php5 fpm states.
server
Installs the nginx package and manages the service with the same name. An e-mail alias from www-data to root is added.
Additional files

includes/ssl

The file /etc/nginx/includes/ssl is created and provides sane defaults for SSL, including PFS:

    # this file is managed by salt
    listen [::]:443 ssl;
    ssl_session_cache shared:SSLCache:10m;
    ssl_session_timeout 5m;
    # no SSLv3 because of POODLE
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # no anon ciphers, no weak ones, no RC4, prefer ones that provide forward-secrecy
    ssl_ciphers ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES128-SHA:MEDIUM:EXP:HIGH:!aNULL:!EXPORT56:!EXPORT40:!RC4;
    ssl_prefer_server_ciphers on;
    {% for line in accumulator['nginx-ssl-include'] %}
    {{ line }}
    {% endfor %}
Use it in an nginx server block like this:

    include ssl;
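As an added example that is not part of these Salt states, a small Python audit that parses an include like includes/ssl above and checks the properties its comments claim (no SSLv3, anonymous and RC4 ciphers excluded, a forward-secrecy suite preferred, server cipher order enforced). The ssl_dhparam path in the sample is an assumption standing in for the line the dhparams state adds.

```python
"""Audit an nginx SSL include for the properties its comments claim."""

# Constructed sample: the security-relevant lines of includes/ssl above, with
# the accumulator loop rendered to an ssl_dhparam line (path is an assumption).
GOOD_INCLUDE = """\
# this file is managed by salt
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES128-SHA:MEDIUM:EXP:HIGH:!aNULL:!EXPORT56:!EXPORT40:!RC4;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
"""


def parse_directives(text):
    """Map directive name -> argument list for 'name args;' lines, skipping
    comments and unrendered Jinja ({% %} / {{ }}) lines; the last duplicate wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "{%", "{{")) or not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def audit_ssl_include(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    if any(p.startswith("SSLv") for p in d.get("ssl_protocols", [])):
        findings.append("ssl_protocols enables SSLv2/SSLv3")
    # Split the OpenSSL cipher string into its aliases; '!' entries are hard exclusions.
    ciphers = ":".join(d.get("ssl_ciphers", [])).split(":")
    excluded = {c[1:] for c in ciphers if c.startswith("!")}
    for alias in ("aNULL", "RC4"):
        if alias not in excluded:
            findings.append(f"ssl_ciphers does not exclude {alias}")
    # Forward secrecy is only preferred if the first positive entry is an ECDHE/DHE suite.
    positives = [c for c in ciphers if c and not c.startswith(("!", "-", "+"))]
    if not positives or not positives[0].startswith(("ECDHE-", "DHE-")):
        findings.append("ssl_ciphers does not list a forward-secrecy suite first")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if "ssl_dhparam" not in d:
        findings.append("no ssl_dhparam: DHE suites use nginx's built-in parameters")
    return findings
```

Running audit_ssl_include over the rendered file on a minion before a reload catches a pillar or accumulator change that silently re-enables something the include was written to forbid.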