Update TLS settings in nginx proxy
This commit is contained in:
parent
4f4a341b05
commit
b9f9b0bf3c
@ -10,6 +10,11 @@
|
|||||||
state: started
|
state: started
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
|
- name: Generate DH Parameters
|
||||||
|
openssl_dhparam:
|
||||||
|
path: /etc/ssl/dhparams.pem
|
||||||
|
size: 4096
|
||||||
|
|
||||||
- name: Install nginx base configuration
|
- name: Install nginx base configuration
|
||||||
template:
|
template:
|
||||||
src: nginx.conf.j2
|
src: nginx.conf.j2
|
||||||
|
@ -21,6 +21,14 @@ http {
|
|||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
server_names_hash_bucket_size 128;
|
server_names_hash_bucket_size 128;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
ssl_dhparam /etc/ssl/dhparams.pem;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
include /etc/nginx/sites-enabled/*;
|
include /etc/nginx/sites-enabled/*;
|
||||||
}
|
}
|
||||||
|
@ -1,12 +1,13 @@
|
|||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
server_name {{ item.domain }};
|
server_name {{ item.domain }};
|
||||||
return 301 https://{{ item.domain }}$request_uri;
|
return 301 https://{{ item.domain }}$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
server_name {{ item.domain }};
|
server_name {{ item.domain }};
|
||||||
access_log /var/log/nginx/{{ item.domain }}.log main;
|
access_log /var/log/nginx/{{ item.domain }}.log main;
|
||||||
{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
|
{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
|
||||||
@ -27,6 +28,9 @@ server {
|
|||||||
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
||||||
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if item.hsts is defined %}
|
||||||
|
add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
|
||||||
|
{% endif %}
|
||||||
{% if item.client_max_body_size is defined %}
|
{% if item.client_max_body_size is defined %}
|
||||||
client_max_body_size {{ item.client_max_body_size }};
|
client_max_body_size {{ item.client_max_body_size }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
Loading…
Reference in New Issue
Block a user