alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

roles/nginx: Move HTTP Strict Transport Security toggle to vhosts

Browse Source 
This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dang-
erous, so unless a vhost explicitly sets it to "yes" we shouldn't
enable it.

Note: also switch from using a boolean to using a string; it is st-
ill declarative, but at least now I don't have to guess whether it
is being treated as a bool or not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
Alan Orth
2015-09-27 00:24:58 +03:00
parent f098b114d3
commit 48978407b8
2 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
roles/nginx/defaults/main.yml
View File

@ -16,10 +16,6 @@ nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
# Enable HTTP Strict Transport Security?
# True on production, False on development!
nginx_enable_hsts: True
# TLS key directory
tls_key_dir: /etc/ssl/private