From 08a37c6dab7d442799d44448e12b2ba8d4d45c4f Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Thu, 28 May 2020 16:23:51 +0200
Subject: [PATCH] nginx/application: Configure dhparams for SSL

---
 roles/nginx/application/defaults/main.yml | 2 ++
 roles/nginx/application/meta/main.yml | 1 +
 roles/nginx/application/templates/ssl.conf | 1 +
 3 files changed, 4 insertions(+)

diff --git a/roles/nginx/application/defaults/main.yml b/roles/nginx/application/defaults/main.yml
index 6c890e9..283aa6e 100644
--- a/roles/nginx/application/defaults/main.yml
+++ b/roles/nginx/application/defaults/main.yml
@@ -12,6 +12,8 @@ nginx_global_log_directory: "/var/log/nginx"
 nginx_global_access_log: "{{ nginx_global_log_directory }}/access.log"
 nginx_global_error_log: "{{ nginx_global_log_directory }}/error.log"
 
+# dhparams_remote_path from misc/dhparams
+
 acme_validation_directory: ".well-known/acme-challenge"
 nginx_validation_root_directory: "/var/www/validation"
 nginx_validation_test_file: "{{ nginx_validation_root_directory }}/{{ acme_validation_directory }}/test"
diff --git a/roles/nginx/application/meta/main.yml b/roles/nginx/application/meta/main.yml
index cff3321..29447a6 100644
--- a/roles/nginx/application/meta/main.yml
+++ b/roles/nginx/application/meta/main.yml
@@ -3,4 +3,5 @@
 allow_duplicates: no
 
 dependencies:
+  - role: misc/dhparams
   - role: acme/application
diff --git a/roles/nginx/application/templates/ssl.conf b/roles/nginx/application/templates/ssl.conf
index ae57f97..343d603 100644
--- a/roles/nginx/application/templates/ssl.conf
+++ b/roles/nginx/application/templates/ssl.conf
@@ -4,6 +4,7 @@ ssl_prefer_server_ciphers off;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 1d;
 ssl_session_tickets off;
+ssl_dhparam {{ dhparams_remote_path }};
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_trusted_certificate /etc/ssl/certs/ISRG_Root_X1.pem;
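Review bot: The new `ssl_dhparam {{ dhparams_remote_path }};` line only affects finite-field DHE_* cipher suites in TLS 1.2 and below — TLS 1.3 and the ECDHE suites never read it — so whether it changes anything at all depends on the `ssl_protocols` and `ssl_ciphers` directives, which sit above this hunk in ssl.conf and are not visible in the patch. As far as I recall, nginx 1.11.0 and later refuses to negotiate DHE suites when `ssl_dhparam` is unset, so if `ssl_ciphers` does list DHE suites this line effectively switches them on; that is only acceptable if the parameters written by `misc/dhparams` (a role not included in this patch) are at least 2048-bit, and the RFC 7919 `ffdhe2048` group is the usual recommendation over locally generated parameters. nginx also refuses to start or reload when the referenced file is missing or unreadable, so the `misc/dhparams` dependency added in meta/main.yml must place the file before any nginx reload handler fires; please confirm that ordering on a fresh host. I would record the scope next to the directive: `# only used by DHE_* suites (TLS <= 1.2); file from misc/dhparams, must be >= 2048-bit`.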