alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

roles/nginx: Templatize SSL parameters using role defaults

Browse Source 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
Alan Orth 2015-06-04 23:28:31 +03:00
parent bd4f2ae5b6
commit 8b77fd7f94
2 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
roles/nginx/defaults/main.yml
View File

@ -7,8 +7,19 @@ nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots # parent directory of vhost roots
nginx_root_prefix: /var/www nginx_root_prefix: /var/www
# TLS protocol versions to support # 1 hour timeout
nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2 nginx_ssl_session_timeout: 1h
# 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!)
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
nginx_spdy_headers_comp: 6
# Enable HTTP Strict Transport Security?
# True on production, False on development!
nginx_enable_hsts: True
# TLS key directory # TLS key directory
tls_key_dir: /etc/ssl/private tls_key_dir: /etc/ssl/private

14
roles/nginx/templates/https.j2
View File

@ -5,12 +5,12 @@
ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem; ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem; ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
ssl_session_timeout 24h; # 24 hour timeout ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache shared:SSL:1m; # 1MB -> 4,000 sessions ssl_session_cache {{ nginx_ssl_session_cache }};
ssl_buffer_size 1400; # 1400 bytes to fit in one MTU ssl_buffer_size {{ nginx_ssl_buffer_size }};
ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_tls_protocols }}; ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers "{{ tls_cipher_suite }}"; ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
@ -29,9 +29,11 @@
ssl_session_tickets off; ssl_session_tickets off;
# enable SPDY header compression # enable SPDY header compression
spdy_headers_comp 6; spdy_headers_comp {{ nginx_spdy_headers_comp }};
{% if nginx_enable_hsts == True %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
{% endif %}