From 28efaaafdc3b54c39cd0ddd035377aebbaccf001 Mon Sep 17 00:00:00 2001
From: Alexander Dietrich
Date: Fri, 10 Feb 2017 20:38:12 +0100
Subject: [PATCH] Update nginx SSL settings, includes
---
roles/nginx/defaults/main.yml | 1 +
roles/nginx/files/etc/nginx/include/ssl_rewrite.conf | 4 ++++
roles/nginx/tasks/main.yml | 8 ++++----
.../etc/nginx/nginx.conf => templates/nginx.conf.j2} | 9 ++++++++-
4 files changed, 17 insertions(+), 5 deletions(-)
create mode 100644 roles/nginx/defaults/main.yml
create mode 100644 roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
rename roles/nginx/{files/etc/nginx/nginx.conf => templates/nginx.conf.j2} (86%)
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..fa9c519
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1 @@
+nginx_resolver: 127.0.0.1 [::1]
diff --git a/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf b/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
new file mode 100644
index 0000000..16b1e9a
--- /dev/null
+++ b/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
@@ -0,0 +1,4 @@
+# Generischer Rewrite von HTTP nach HTTPS
+location / {
+ return 302 https://$server_name$request_uri;
+}
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 7dbb2c7..1c0a29e 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -22,10 +22,10 @@
 notify: restart nginx
 tags: nginx
-- name: copy nginx.conf
- copy:
- src: etc/nginx/nginx.conf
- dest: /etc/nginx
+- name: template nginx.conf
+ template:
+ src: templates/nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
 mode: 0644
 owner: root
 group: root
diff --git a/roles/nginx/files/etc/nginx/nginx.conf b/roles/nginx/templates/nginx.conf.j2
similarity index 86%
rename from roles/nginx/files/etc/nginx/nginx.conf
rename to roles/nginx/templates/nginx.conf.j2
index b5a0174..4293b90 100644
--- a/roles/nginx/files/etc/nginx/nginx.conf
+++ b/roles/nginx/templates/nginx.conf.j2
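Review bot: The new `location /` block in ssl_rewrite.conf answers with `return 302`, a temporary redirect, so clients and caches never learn that the move to HTTPS is permanent and keep sending the plaintext request first; `return 301 https://$server_name$request_uri;` is the usual form for a fixed HTTP-to-HTTPS policy. `$server_name` expands to the first name of the enclosing `server_name` directive, so in a server block that lists several names or a catch-all the client is sent to a hostname it did not ask for — fine when each including block has one canonical name, otherwise `$host` is the conventional choice; the including server blocks are not part of this patch, so that cannot be checked here. A redirect alone also does not protect the first request of a session; an HSTS header on the HTTPS side (not in this change) is what stops browsers from repeating it.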
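Review bot: `src: templates/nginx.conf.j2` in the new template task carries a directory prefix that the `template` module already supplies, since it resolves `src` relative to the role's `templates/` directory; the conventional value is `src: nginx.conf.j2`. The prefixed form appears to work only because Ansible also tries the path relative to the role root as a fallback, which is easy to break and misleading to readers. The task's trailing keys lie outside the hunk, so whether it carries `notify: restart nginx` like the task above cannot be seen here; without it a changed nginx.conf is written but never picked up by the running server.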
@@ -30,8 +30,15 @@ http {
 # SSL Settings
 ##
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:+SHA1;
 ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver {{ nginx_resolver }};
 ##
 # Logging Settings
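Review bot: The re-added `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, which the stricter cipher list and stapling settings around it do not compensate for; unless a known client population still needs them, `ssl_protocols TLSv1.2;` is the value that matches the intent of this commit. `+SHA1` at the end of `ssl_ciphers` only moves the SHA-1 MAC (CBC) suites to the back of the preference list rather than removing them; if those suites are not wanted at all, `:!SHA1` excludes them. `ssl_stapling_verify on;` makes nginx validate OCSP responses against the issuer chain, which must be configured as trusted via `ssl_trusted_certificate` in each server block; those blocks are outside this hunk, and a missing chain only surfaces as a warning in the error log, so this is worth confirming on a host. The `resolver` defaults to `127.0.0.1 [::1]` (defaults/main.yml), so OCSP lookups depend on a local resolver running on every target.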