Commit Graph

7 Commits

Author SHA1 Message Date
8b77fd7f94 roles/nginx: Templatize SSL parameters using role defaults
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
3746e798b6
roles/nginx: Use template for nginx repo
A template is better than ansible's `apt_repository` module because
we can idempotently control the contents of the file based on vari-
ables.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 00:15:49 +03:00
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...

https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
ad8a704470
Update TLS configuration to Mozilla's "modern" spec
Details, see:

- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:56:08 +03:00
e6ffdf8652
roles/nginx: Update nginx https stuff
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-13 23:16:54 +03:00
162197ad25
roles/nginx: Re-work vhost template to support HTTPS
Assumes you have a TLS cert for one domain, but not the others, ie:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 21:32:37 +03:00
75a705ac87
roles/nginx: Add defaults for nginx role
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:02:29 +03:00