roles/nginx: Templatize SSL parameters using role defaults

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-04 23:28:31 +03:00 · 2015-06-04 23:28:31 +03:00 · 8b77fd7f94
parent bd4f2ae5b6
commit 8b77fd7f94
2 changed files with 21 additions and 8 deletions
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -7,8 +7,19 @@ nginx_confd_path: /etc/nginx/conf.d
 # parent directory of vhost roots
 nginx_root_prefix: /var/www

-# TLS protocol versions to support
-nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2
+# 1 hour timeout
+nginx_ssl_session_timeout: 1h
+# 10MB -> 40,000 sessions
+nginx_ssl_session_cache: shared:SSL:10m
+# 1400 bytes to fit in one MTU (default is 16k!)
+nginx_ssl_buffer_size: 1400
+nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
+nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
+nginx_spdy_headers_comp: 6
+
+# Enable HTTP Strict Transport Security?
+# True on production, False on development!
+nginx_enable_hsts: True

 # TLS key directory
 tls_key_dir: /etc/ssl/private
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -5,12 +5,12 @@
    ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
    ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;

-    ssl_session_timeout 24h;            # 24 hour timeout
-    ssl_session_cache shared:SSL:1m;    # 1MB -> 4,000 sessions
-    ssl_buffer_size 1400;               # 1400 bytes to fit in one MTU
+    ssl_session_timeout {{ nginx_ssl_session_timeout }};
+    ssl_session_cache {{ nginx_ssl_session_cache }};
+    ssl_buffer_size {{ nginx_ssl_buffer_size }};

-    ssl_dhparam /etc/ssl/certs/dhparam.pem;
-    ssl_protocols {{ nginx_tls_protocols }};
+    ssl_dhparam {{ nginx_ssl_dhparam }};
+    ssl_protocols {{ nginx_ssl_protocols }};
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

@ -29,9 +29,11 @@
    ssl_session_tickets off;

    # enable SPDY header compression
-    spdy_headers_comp 6;
+    spdy_headers_comp {{ nginx_spdy_headers_comp }};

+    {% if nginx_enable_hsts == True %}
    # Enable this if you want HSTS (recommended, but be careful)
    # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
    # See: https://hstspreload.appspot.com/
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+    {% endif %}