roles/nginx: generate snakeoil cert manually

The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
This commit is contained in:
Alan Orth 2021-09-27 10:48:24 +03:00
parent a4acc85704
commit 79b29f0c51
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
3 changed files with 10 additions and 12 deletions

View File

@ -16,15 +16,8 @@
add_nginx_apt_key is changed or add_nginx_apt_key is changed or
add_nginx_apt_repository is changed add_nginx_apt_repository is changed
- name: Set nginx packages - name: Install nginx
set_fact: apt: pkg=nginx cache_valid_time=3600 state=present
nginx_packages:
- nginx
- ssl-cert # for ssl-cert-snakeoil.pem in nginx
tags: nginx, packages
- name: Install nginx packages
apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present
tags: nginx, packages tags: nginx, packages
- name: Copy nginx.conf - name: Copy nginx.conf

View File

@ -7,6 +7,11 @@
notify: notify:
- reload nginx - reload nginx
- name: Generate self-signed TLS cert
command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- reload nginx
- name: Download 4096-bit RFC 7919 dhparams - name: Download 4096-bit RFC 7919 dhparams
get_url: get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem

View File

@ -16,9 +16,9 @@ server {
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;
server_name _; server_name _;
# self-signed "snakeoil" certificate from ssl-cert package # self-signed "snakeoil" certificate
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
ssl_session_timeout {{ nginx_ssl_session_timeout }}; ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }}; ssl_session_cache {{ nginx_ssl_session_cache }};