Better dh management

2016-01-12 11:16:41 +01:00 · 2016-01-12 11:16:41 +01:00 · 883948f081
parent ad9c0fa979
commit 883948f081
6 changed files with 20 additions and 13 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -13,7 +13,6 @@ nginx_resolver_hosts: ['8.8.8.8', '8.8.4.4']
 nginx_resolver_valid: '300s'
 nginx_resolver_timeout: '5s'
 nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
-nginx_dh_length: 2048

 #
 # Nginx directories
@ -97,3 +96,10 @@ nginx_htpasswd: []
 # SSL pairs
 #
 nginx_ssl_pairs: []
+
+#
+# Diffie-Helman
+#
+nginx_dh: null
+nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
+nginx_dh_length: 2048
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -15,7 +15,7 @@
 - name: INCLUDE | htpasswd configuration
  include: htpasswd.yml

- name: INCLUDE | Vhosts configuration
+- name: INCLUDE | SSL configuration
  include: ssl.yml

 - name: INCLUDE | Vhosts configuration
--- a/tasks/ssl.yml
+++ b/tasks/ssl.yml
@ -1,9 +1,18 @@
 ---

- name: COMMAND | Creates DH file
+- name: COMMAND | Generate DH file
  command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
  args:
    creates: "{{ nginx_dh_path }}"
+  when: nginx_dh is not string
+  notify: reload nginx
+
+- name: COPY | Deploy DH file from vars
+  copy: >
+    content="{{ nginx_dh }}"
+    dest="{{ nginx_dh_path }}"
+  when: nginx_dh is string
+  notify: reload nginx

 - name: FILE | Create SSL directories
  file: >
@ -25,9 +34,3 @@
  with_items: nginx_ssl_pairs
  notify: reload nginx

-#- name: FAIL | Missmatch vhost SSL configuration
-#  fail: msg="FUCK {{ item.name }}"
-#
-#
-#
-#  nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key'
--- a/templates/etc/nginx/helper/ssl-legacy.j2
+++ b/templates/etc/nginx/helper/ssl-legacy.j2
@ -13,6 +13,6 @@ ssl_stapling on;
 ssl_stapling_verify on;
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
-
+ssl_dhparam {{ nginx_dh_path }};

 # vim:filetype=nginx
--- a/templates/etc/nginx/helper/ssl-strong.j2
+++ b/templates/etc/nginx/helper/ssl-strong.j2
@ -13,5 +13,6 @@ ssl_stapling on;
 ssl_stapling_verify on;
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
+ssl_dhparam {{ nginx_dh_path }};

 # vim:filetype=nginx
--- a/vars/main.yml
+++ b/vars/main.yml
@ -1,5 +1,3 @@
-nginx_dh_path: /etc/nginx/ssl/dhparams.pem
-
 nginx_upstream_server_params:
  - key: 'weight'
    default: 1
@ -29,4 +27,3 @@ nginx_dirs:
  - "{{ nginx_ssl_dir }}"
  - "{{ nginx_helper_dir }}"

-