web-proxy: add common TLS configuration

Add TLS configuration snippet shared between all web-proxies.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

pillar/cluster/README.md

@@ -0,0 +1,2 @@
+This directory is intended to contain pillar data shared between cluster hosts.
+Create a subdirectory for the site the respective cluster is in, if one doesn't yet exist.

pillar/macros.jinja

@@ -24,3 +24,9 @@
 interfaces: {{ interfaces }}
 {%- endif -%}
 {%- endmacro -%}
+
+{%- macro nginx_crtkeypair(name, ssldir) -%}
+tls_{{ name }}:
+  - ssl_certificate: {{ sslbase }}/{{ ssldir }}/crt
+  - ssl_certificate_key: {{ sslbase }}/{{ ssldir }}/key
+{%- endmacro -%}

pillar/map.jinja

@@ -1,6 +1,9 @@
+{%- set sslbase = '/etc/ssl' -%}
+{%- from 'macros.jinja' import nginx_crtkeypair with context -%}
 {%- from 'macros.jinja' import firewall_interfaces, listeners -%}
 {%- set firewall_interfaces = firewall_interfaces -%}
 {%- set listeners = listeners -%}
+{%- set nginx_crtkeypair = nginx_crtkeypair -%}
 {%- set minion = grains['id'] -%}
 
 {#- START Listener detection logic -#}

pillar/role/web-proxy.sls

@@ -5,6 +5,16 @@ nginx:
     robots:
       - location /robots.txt:
         - root: /srv/www/htdocs
+    tls:
+      - ssl_session_timeout: 1d
+      - ssl_session_cache: shared:Lysergic:10m
+      - ssl_session_tickets: 'off'
+      - ssl_protocols: TLSv1.3
+      - ssl_prefer_server_ciphers: 'off'
+      - add_header: Strict-Transport-Security "max-age=63072000" always
+      - ssl_stapling: 'on'
+      - ssl_stapling_verify: 'on'
+      - ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
     php-fastcgi:
       - 'location ~* \.php$':
         - fastcgi_index: index.php