So, for the past week I’ve been using Ansible in anger. Genuine, bare-knuckled, actually trying to get shit done with it. Oh yes, I’ve tinkered over the years, nothing serious. You know, to kick the tires. But I never really saw the point. I was pretty happy with Puppet. But recently the team I work in decided as a group to adopt Ansible for our provisioning and management tasks. I think that it’s a good choice – for a bunch of reasons – but I don’t really want to go into them here.
What I want to do, is document a little of my journey, and explain what I’ve learned after a week or so of trying to use this thing for reals.
So, there isn’t a good post for this right now. I’ve spent a little time on this server rebuild looking at the options. I have some base assumptions
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS:!aNULL;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 21h;
ssl_session_tickets off;
ssl_buffer_size 4k;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;
add_header Strict-Transport-Security "max-age=31536000; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
This will give you an A+ with 100% in everything except Cipher Strength. The reason for this is HTTP/2, which requires the 128-bit suite ECDHE-RSA-AES128-GCM-SHA256. If you decide you can live without HTTP/2, remove ECDHE-RSA-AES128-GCM-SHA256 and you will get 100% across everything, but you’ll also break Java 8 clients, which you may not care about.
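To check a server block against the baseline above before pointing a scanner at it, here is an added example (my own code, not from the original post) that parses nginx TLS directives and lists what would cost points: 128-bit suites (noting the one HTTP/2 needs), protocols other than TLSv1.2, session tickets left on, and a missing HSTS header. The sample config is constructed from the post's directives with the cipher list abridged to three suites.

```python
import shlex
# Constructed sample: the TLS directives this post shows, with the cipher list
# abridged to the suites the discussion turns on.
SAMPLE_CONFIG = """
listen 443 ssl http2 default_server;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!DSS:!aNULL;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000; preload" always;
"""
# Suite every HTTP/2 implementation must support (RFC 7540 section 9.2.2).
H2_MANDATORY_CIPHER = "ECDHE-RSA-AES128-GCM-SHA256"

def parse(config):
    """Map directive name -> list of argument lists, honouring quoted values."""
    table, buf, quote = {}, [], None
    for ch in config:
        if quote:                      # inside "..." or '...': ';' is literal
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == ";":                # end of statement
            words = shlex.split("".join(buf))
            if words:
                table.setdefault(words[0], []).append(words[1:])
            buf = []
            continue
        buf.append(ch)
    return table

def enabled_ciphers(spec):
    """Expand an ssl_ciphers string, dropping '!' exclusions and '@' hints."""
    return [c for c in spec.split(":") if c and c[0] not in "!@"]

def audit(config):
    """Return findings where the config is weaker than the post's baseline."""
    cfg, findings = parse(config), []
    for proto in cfg.get("ssl_protocols", [[]])[0]:
        if proto != "TLSv1.2":
            findings.append(f"protocol {proto} enabled; baseline is TLSv1.2 only")
    for c in enabled_ciphers(cfg.get("ssl_ciphers", [[""]])[0][0]):
        if "AES128" in c:              # 128-bit bulk cipher costs Cipher Strength points
            why = " (required for HTTP/2)" if c == H2_MANDATORY_CIPHER else ""
            findings.append(f"128-bit cipher {c} caps Cipher Strength below 100%{why}")
    if cfg.get("ssl_session_tickets", [["on"]])[0] != ["off"]:
        findings.append("ssl_session_tickets not off")
    if not any(a[:1] == ["Strict-Transport-Security"] for a in cfg.get("add_header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings
```

Run `audit(open("/etc/nginx/sites-enabled/default").read())` against a real server block; on the sample it reports only the HTTP/2 cipher, which matches the scanner result described above.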
Letsencrypt certificates should be generated with:
dhparam.pem should be generated with 4096 bits also.
I seem to go through these every year or so. I don’t know why. I think I just like rebuilding servers.
Apologies for the awful theme. I try to find something that speaks to me but often all I find is trash.
I’m not a designer.
I kind of feel that WordPress has jumped the shark, but haven’t found anything better. I’ve considered writing something in Go but that seems like a well invented wheel.
edit: Wow, I really like this theme.