roots · swalkinshaw · Nov 30, 2015 · Nov 29, 2015 · Nov 29, 2015 · Nov 29, 2015
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Nginx role improvements: use more h5bp configs ([#428](https://github.com/roots/trellis/pull/428))
 * Add global `deploy_before` and `deploy_after` hooks ([#427](https://github.com/roots/trellis/pull/427))
 * Fix HSTS headers ([#424](https://github.com/roots/trellis/pull/424))
 * Notify Windows users about SSH forwarding ([#423](https://github.com/roots/trellis/pull/423))

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+nginx_path: /etc/nginx
 nginx_logs_root: /var/log/nginx
 nginx_user: www-data
 strip_www: true

diff --git a/roles/nginx/files/ssl-stapling.conf b/roles/nginx/files/ssl-stapling.conf
diff --git a/roles/nginx/files/ssl.conf b/roles/nginx/files/ssl.conf
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
@@ -1,47 +1,63 @@
 ---
 - name: Add Nginx PPA
-  apt_repository: repo="ppa:nginx/stable" update_cache=yes
+  apt_repository:
+    repo: "ppa:nginx/stable"
+    update_cache: yes
 
 - name: Install Nginx
-  apt: name=nginx state=present force=yes
+  apt:
+    name: nginx
+    state: present
+    force: yes
 
 - name: Create SSL directory
-  file: dest=/etc/nginx/ssl state=directory
+  file:
+    dest: "{{ nginx_path }}/ssl"
+    state: directory
 
 - name: Generate strong unique Diffie-Hellman group.
   command: openssl dhparam -out dhparams.pem 2048
   args:
-    chdir: /etc/nginx/ssl/
-    creates: /etc/nginx/ssl/dhparams.pem
+    chdir: "{{ nginx_path }}/ssl"
+    creates: "{{ nginx_path }}/ssl/dhparams.pem"
   notify: reload nginx
 
 - name: Grab h5bp/server-configs-nginx
-  git: repo="https://github.com/h5bp/server-configs-nginx.git"
-       dest=/etc/nginx/h5bp-server-configs
-       version=94b3680c9d13f108d6d62c22cba251b84f795aa8
-       force=yes
+  git:
+    repo: "https://github.com/h5bp/server-configs-nginx.git"
+    dest: "{{ nginx_path }}/h5bp-server-configs"
+    version: 82181a672a7c26f9bc8744fead80318d8a2520b1
+    force: yes
 
 - name: Move h5bp configs
-  command: creates=/etc/nginx/h5bp/ cp -R /etc/nginx/h5bp-server-configs/h5bp /etc/nginx/h5bp
-
-- name: Copy conf files
-  copy: src="{{ item }}" dest=/etc/nginx/{{ item | basename }} mode=644
-  with_fileglob: '*'
+  command: cp -R {{ nginx_path }}/h5bp-server-configs/h5bp {{ nginx_path }}/h5bp
+  args:
+    creates: "{{ nginx_path }}/h5bp/"
 
 - name: Create nginx.conf
-  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
+  template:
+    src: nginx.conf.j2
+    dest: "{{ nginx_path }}/nginx.conf"
   notify: reload nginx
 
 - name: Disable default server
-  file: path=/etc/nginx/sites-enabled/default state=absent
+  file:
+    path: "{{ nginx_path }}/sites-enabled/default"
+    state: absent
   notify: reload nginx
 
 - name: Enable better default site to drop unknown requests
-  command: creates=/etc/nginx/sites-enabled/no-default.conf cp /etc/nginx/h5bp-server-configs/sites-available/no-default /etc/nginx/sites-enabled/no-default.conf
+  command: cp {{ nginx_path }}/h5bp-server-configs/sites-available/no-default {{ nginx_path }}/sites-enabled/no-default.conf
+  args:
+    creates: "{{ nginx_path }}/sites-enabled/no-default.conf"
   notify: reload nginx
 
 - name: Create base WordPress config
-  template: src=wordpress.conf.j2 dest=/etc/nginx/wordpress.conf
+  template:
+    src: wordpress.conf.j2
+    dest: "{{ nginx_path }}/wordpress.conf"
 
 - name: Create base WordPress subdirectory Multisite config
-  template: src=wordpress_multisite_subdirectories.conf.j2 dest=/etc/nginx/wordpress_multisite_subdirectories.conf
+  template:
+    src: wordpress_multisite_subdirectories.conf.j2
+    dest: "{{ nginx_path }}/wordpress_multisite_subdirectories.conf"
diff --git a/roles/nginx/templates/wordpress.conf.j2 b/roles/nginx/templates/wordpress.conf.j2
@@ -13,5 +13,6 @@ location / {
 client_max_body_size {{ php_post_max_size | default('25m') | lower }};
 
 include h5bp/directive-only/x-ua-compatible.conf;
+include h5bp/directive-only/extra-security.conf;
 include h5bp/location/cross-domain-fonts.conf;
 include h5bp/location/protect-system-files.conf;
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -31,13 +31,14 @@ server {
   {%- endif %}
 
   add_header Fastcgi-Cache $upstream_cache_status;
-  add_header X-Content-Type-Options "nosniff" always;
-  add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Xss-Protection "1; mode=block" always;
 
   {% if item.value.ssl is defined and item.value.ssl.enabled | default(false) %}
-    include ssl.conf;
-    include ssl-stapling.conf;
+    include h5bp/directive-only/spdy.conf;
+    include h5bp/directive-only/ssl.conf;
+    include h5bp/directive-only/ssl-stapling.conf;
+
+    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
+    ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
 
     {% set hsts_max_age = item.value.ssl.hsts_max_age | default(nginx_hsts_max_age) %}
     {% set hsts_include_subdomains = item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubdomains', None) %}