nginx: add a bunch of confs for better proxying and security

Signed-off-by: Mattia Rizzolo <mattia@debian.org>

roles/nginx/tasks/setup.yml

@@ -17,6 +17,7 @@
     mode: 0644
 
   with_items:
+    - misc.conf
     - optimize.conf
 
   notify:

roles/nginx/templates/conf.d/misc.conf

+# proxy settings
+include proxy_params; # directly coming from the nginx package, they are sane
+proxy_set_header X-Forwarded-Server $hostname;
+
+# security/privacy settings
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Xss-Protection "1; mode=block";
+add_header X-Content-Type-Options "nosniff";
+add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+# shared ssl settings
+ssl_session_cache shared:SSL:5m;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5;
+ssl_prefer_server_ciphers on;
+#ssl_dhparam dhparams.pem;

roles/nginx/templates/sites/proxied.conf

@@ -18,11 +18,12 @@ server {
     listen 443 ssl http2;
     server_name {{ item.key }};
 
-    ssl_certificate /etc/ssl/localcerts/{{ item.key }}/fullchain.pem;
-    ssl_certificate_key /etc/ssl/localcerts/{{ item.key }}/privkey.pem;
+    ssl_certificate {{ ssl_home }}/localcerts/{{ item.key }}/fullchain.pem;
+    ssl_certificate_key {{ ssl_home }}/localcerts/{{ item.key }}/privkey.pem;
 
     location / {
-        proxy_set_header Host {{ item.key }};
         proxy_pass http://{{ item.value }}/;
     }
+
+    include /etc/nginx/snippets/dehydrated.conf;
 }