From 780a9382d0a1236e5421ee105cd6567f5e628524 Mon Sep 17 00:00:00 2001 From: Zolfa Date: Mon, 27 Apr 2020 19:30:31 +0200 Subject: [PATCH] roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability. --- roles/nginx/templates/base.j2 | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/roles/nginx/templates/base.j2 b/roles/nginx/templates/base.j2 index 0f89009..9c9af35 100644 --- a/roles/nginx/templates/base.j2 +++ b/roles/nginx/templates/base.j2 @@ -12,23 +12,30 @@ server { real_ip_header proxy_protocol; {% endif %} + # Do not advertise nginx version number + server_tokens off; + # Certificates location from CertBot ssl_certificate /etc/letsencrypt/live/{{ server_fqdn }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ server_fqdn }}/privkey.pem; - ssl_session_timeout 5m; + # TLS Mozilla Guideline v5.4, + # nginx 1.14.2, OpenSSL 1.1.1d, modern configuration + ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; - + # modern configuration ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; - + # HSTS (2 years, no preloading) + add_header Strict-Transport-Security "max-age=63072000" always; + # OCSP stapling ssl_stapling on; ssl_stapling_verify on; - add_header Strict-Transport-Security "max-age=63072000" always; - + # verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /etc/letsencrypt/live/{{ server_fqdn }}/chain.pem; + # Include custom locations include /etc/nginx/locations/{{ server_fqdn }}/*.conf; }
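Review bot: The HSTS header added by `add_header Strict-Transport-Security "max-age=63072000" always;` is silently dropped for any location in the files pulled in by `include /etc/nginx/locations/{{ server_fqdn }}/*.conf` that sets its own `add_header`, because nginx only inherits `add_header` from the enclosing level when the current level defines none. If those per-site files may set headers, either repeat the HSTS line in each such location or move it into a snippet that every location includes; at minimum a comment next to the directive should warn about it, e.g. `# NOTE: add_header is not inherited by locations that set their own headers; repeat HSTS there`. Separately, `ssl_stapling on` needs a `resolver` directive in scope to look up the OCSP responder; none is visible in this hunk, so if it is not set at the http level nginx will log a warning at startup and stapling will not actually work. The server block's `listen` lines and the rest of the `server {` context are outside the hunk.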