crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

SSL snippet and drop TLS 1.0 and 1.1

certbot_on_virtu
Alexandre Iooss 2020-05-03 12:51:16 +02:00
parent ef1c4f6fbf
commit 7d1ecd19a4
No known key found for this signature in database
GPG Key ID: 6C79278F3FCDCC02
6 changed files with 51 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
roles/nginx-reverseproxy/tasks/main.yml
View File

@ -9,15 +9,19 @@
retries: 3
until: apt_result is succeeded
- name: Copy certbot SSL snippet
copy:
remote_src: true
src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf
dest: /etc/letsencrypt/options-ssl-nginx.conf
- name: Copy snippets
template:
src: nginx/snippets/options-ssl.conf.j2
dest: /etc/nginx/snippets/options-ssl.conf
- name: Copy dhparam
template:
src: letsencrypt/dhparam.j2
dest: /etc/letsencrypt/dhparam
- name: Copy reverse proxy sites
template:
src: "nginx/{{ item }}.j2"
src: "nginx/sites-available/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
loop:
- reverseproxy

8
roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 100644
View File

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----

34
roles/nginx-reverseproxy/templates/nginx/redirect.j2 → roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2
View File

@ -15,22 +15,13 @@ server {
# Redirect https://{{ site.from }} to https://{{ site.to }}
server {
listen 443;
listen [::]:443;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.from }};
ssl on;
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
# SSL ciphers updated by Debian
include "/etc/letsencrypt/options-ssl-nginx.conf";
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ site.to }}$request_uri;
@ -58,22 +49,13 @@ server {
# Redirect https://{{ from }} to https://{{ site.to }}
server {
listen 443;
listen [::]:443;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ from }};
ssl on;
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
# SSL ciphers updated by Debian
include "/etc/letsencrypt/options-ssl-nginx.conf";
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ site.to }}$request_uri;

17
roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 → roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
View File

@ -15,22 +15,13 @@ server {
# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
server {
listen 443;
listen [::]:443;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.from }};
ssl on;
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
# SSL ciphers updated by Debian
include "/etc/letsencrypt/options-ssl-nginx.conf";
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
# Log into separate log files
access_log /var/log/nginx/{{ site.from }}.log;

17
roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 → roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
View File

@ -19,22 +19,13 @@ server {
# Redirect https://{{ from }} to https://{{ to }}
server {
listen 443;
listen [::]:443;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ from }};
ssl on;
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
# SSL ciphers updated by Debian
include "/etc/letsencrypt/options-ssl-nginx.conf";
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ to }}$request_uri;

17
roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 100644
View File

@ -0,0 +1,17 @@
{{ ansible_header | comment }}
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_dhparam /etc/letsencrypt/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};