kris/homelab
kris/homelab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update TLS settings in nginx proxy

Browse Source
This commit is contained in:
Kris Lamoureux 2022-08-27 18:56:12 -04:00
parent 4f4a341b05
commit b9f9b0bf3c
Signed by: kris
GPG Key ID: 3EDA9C3441EDA925
3 changed files with 22 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
roles/proxy/tasks/main.yml
View File

@ -10,6 +10,11 @@
state: started
enabled: true
- name: Generate DH Parameters
openssl_dhparam:
path: /etc/ssl/dhparams.pem
size: 4096
- name: Install nginx base configuration
template:
src: nginx.conf.j2

8
roles/proxy/templates/nginx.conf.j2
View File

@ -21,6 +21,14 @@ http {
keepalive_timeout 65;
server_names_hash_bucket_size 128;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

14
roles/proxy/templates/server-nginx.conf.j2
View File

@ -1,12 +1,13 @@
server {
listen 80;
server_name {{ item.domain }};
return 301 https://{{ item.domain }}$request_uri;
listen 80;
listen [::]:80;
server_name {{ item.domain }};
return 301 https://{{ item.domain }}$request_uri;
}
server {
listen 443 ssl;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ item.domain }};
access_log /var/log/nginx/{{ item.domain }}.log main;
{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
@ -27,6 +28,9 @@ server {
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
{% endif %}
{% if item.hsts is defined %}
add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
{% endif %}
{% if item.client_max_body_size is defined %}
client_max_body_size {{ item.client_max_body_size }};
{% endif %}