roles/nginx: Templatize SSL parameters using role defaults

Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
Alan Orth 2015-06-04 23:28:31 +03:00
parent bd4f2ae5b6
commit 8b77fd7f94
2 changed files with 21 additions and 8 deletions

View File

@ -7,8 +7,19 @@ nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots
nginx_root_prefix: /var/www
# TLS protocol versions to support
nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2
# 1 hour timeout
nginx_ssl_session_timeout: 1h
# 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!)
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
nginx_spdy_headers_comp: 6
# Enable HTTP Strict Transport Security?
# True on production, False on development!
nginx_enable_hsts: True
# TLS key directory
tls_key_dir: /etc/ssl/private

View File

@ -5,12 +5,12 @@
ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
ssl_session_timeout 24h; # 24 hour timeout
ssl_session_cache shared:SSL:1m; # 1MB -> 4,000 sessions
ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }};
ssl_buffer_size {{ nginx_ssl_buffer_size }};
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols {{ nginx_tls_protocols }};
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
@ -29,9 +29,11 @@
ssl_session_tickets off;
# enable SPDY header compression
spdy_headers_comp 6;
spdy_headers_comp {{ nginx_spdy_headers_comp }};
{% if nginx_enable_hsts == True %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
{% endif %}