Add bastion and certificate jails.

2024-07-01 22:01:07 -04:00
parent 566b7dfd0b
commit 9e107d4a75
38 changed files with 523 additions and 5 deletions
--- a/ansible/roles/jail_bastion/files/headers.include
+++ b/ansible/roles/jail_bastion/files/headers.include
@@ -0,0 +1,12 @@
+# Enable HTTP Strict Transport Security (HSTS) to force clients to
+# always connect via HTTPS (do not use if only testing)
+add_header Strict-Transport-Security "max-age=31536000;" always;
+# Enable cross-site filter (XSS) and tell browser to block detected
+# attacks
+add_header X-XSS-Protection "1; mode=block" always;
+# Prevent some browsers from MIME-sniffing a response away from the
+# declared Content-Type
+add_header X-Content-Type-Options "nosniff" always;
+# Disallow the site to be rendered within a frame (clickjacking
+# protection)
+add_header X-Frame-Options "DENY" always;
--- a/ansible/roles/jail_bastion/files/htpasswd
+++ b/ansible/roles/jail_bastion/files/htpasswd
--- a/ansible/roles/jail_bastion/files/newsyslog.conf
+++ b/ansible/roles/jail_bastion/files/newsyslog.conf
@@ -0,0 +1,2 @@
+# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
+/var/log/nginx/*.log			640  5	   1000	@T00 GYC /var/run/nginx.pid SIGUSR1
--- a/ansible/roles/jail_bastion/files/nginx.conf
+++ b/ansible/roles/jail_bastion/files/nginx.conf
@@ -0,0 +1,52 @@
+worker_processes  auto;
+user  www www;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    types {
+        text/plain log;
+    }
+
+    sendfile        on;
+    tcp_nopush     on;
+    tcp_nodelay    on;
+    gzip  on;
+
+    include conf.d/headers.include;
+
+    upstream inner {
+        server 10.215.2.2:8081;
+        keepalive 4;
+    }
+
+    server {
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2  on;
+
+        server_name stuff.fizz.buzz;
+
+        include conf.d/tls_settings.include;
+        # RSA
+        ssl_certificate /stuff.fizz.buzz/fullchain1.pem;
+        ssl_certificate_key /stuff.fizz.buzz/privkey1.pem;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        client_max_body_size 50M;
+
+        location / {
+            auth_basic           "Stuff";
+            auth_basic_user_file conf.d/htpasswd;
+
+
+            proxy_pass http://inner;
+            include conf.d/proxy.include;
+        }
+    }
+}
--- a/ansible/roles/jail_bastion/files/nginx_rc.conf
+++ b/ansible/roles/jail_bastion/files/nginx_rc.conf
@@ -0,0 +1 @@
+nginx_enable="YES"
--- a/ansible/roles/jail_bastion/files/proxy.include
+++ b/ansible/roles/jail_bastion/files/proxy.include
@@ -0,0 +1,7 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+# Settings for keepalive module for upstreams
+proxy_http_version 1.1;
+proxy_set_header Connection "";
--- a/ansible/roles/jail_bastion/files/tls_settings.include
+++ b/ansible/roles/jail_bastion/files/tls_settings.include
@@ -0,0 +1,3 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;