From 883948f08164d524e79d963345d81408d9d4930b Mon Sep 17 00:00:00 2001
From: Emilien Mantel
Date: Tue, 12 Jan 2016 11:16:41 +0100
Subject: [PATCH] Better dh management

---
 defaults/main.yml | 8 +++++++-
 tasks/main.yml | 2 +-
 tasks/ssl.yml | 17 ++++++++++-------
 templates/etc/nginx/helper/ssl-legacy.j2 | 2 +-
 templates/etc/nginx/helper/ssl-strong.j2 | 1 +
 vars/main.yml | 3 ---
 6 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index e16bb53..d36474f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,7 +13,6 @@ nginx_resolver_hosts: ['8.8.8.8', '8.8.4.4']
 nginx_resolver_valid: '300s'
 nginx_resolver_timeout: '5s'
 nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
-nginx_dh_length: 2048
 
 #
 # Nginx directories
@@ -97,3 +96,10 @@ nginx_htpasswd: []
 # SSL pairs
 #
 nginx_ssl_pairs: []
+
+#
+# Diffie-Helman
+#
+nginx_dh: null
+nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
+nginx_dh_length: 2048
diff --git a/tasks/main.yml b/tasks/main.yml
index 3ed4caf..9a9e96c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,7 +15,7 @@
 - name: INCLUDE | htpasswd configuration
   include: htpasswd.yml
 
-- name: INCLUDE | Vhosts configuration
+- name: INCLUDE | SSL configuration
   include: ssl.yml
 
 - name: INCLUDE | Vhosts configuration
diff --git a/tasks/ssl.yml b/tasks/ssl.yml
index 63da276..6fc1a29 100644
--- a/tasks/ssl.yml
+++ b/tasks/ssl.yml
@@ -1,9 +1,18 @@
 ---
-- name: COMMAND | Creates DH file
+- name: COMMAND | Generate DH file
   command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
   args:
     creates: "{{ nginx_dh_path }}"
+  when: nginx_dh is not string
+  notify: reload nginx
+
+- name: COPY | Deploy DH file from vars
+  copy: > content="{{ nginx_dh }}" dest="{{ nginx_dh_path }}"
+  when: nginx_dh is string
+  notify: reload nginx
 
 - name: FILE | Create SSL directories
   file: 
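Review bot: The new `nginx_dh` / `nginx_dh_path` / `nginx_dh_length` block in defaults/main.yml carries no comment saying what `nginx_dh` must contain or how it interacts with the other two variables, and the heading misspells the algorithm (`# Diffie-Helman`). From tasks/ssl.yml in this same patch, `nginx_dh` is either null or a string holding PEM-encoded parameters that is written to `nginx_dh_path` verbatim, and generation is guarded by `creates:`, so raising `nginx_dh_length` on a host that already has the file changes nothing until the file is removed; both facts belong next to the variables. I would write the heading as `# Diffie-Hellman parameters (ssl_dhparam)` and add `# nginx_dh: PEM-encoded DH parameters to deploy as-is; null = generate nginx_dh_length-bit` / `# parameters on the host with openssl dhparam. Generation only runs while nginx_dh_path` / `# is absent, so a later change of nginx_dh_length does not regenerate the file.`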
>
@@ -25,9 +34,3 @@
   with_items: nginx_ssl_pairs
   notify: reload nginx
 
-#- name: FAIL | Missmatch vhost SSL configuration
-# fail: msg="FUCK {{ item.name }}"
-#
-#
-#
-# nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key'
diff --git a/templates/etc/nginx/helper/ssl-legacy.j2 b/templates/etc/nginx/helper/ssl-legacy.j2
index fc36bf8..e132e28 100644
--- a/templates/etc/nginx/helper/ssl-legacy.j2
+++ b/templates/etc/nginx/helper/ssl-legacy.j2
@@ -13,6 +13,6 @@ ssl_stapling on;
 ssl_stapling_verify on;
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
-
+ssl_dhparam {{ nginx_dh_path }};
 
 # vim:filetype=nginx
diff --git a/templates/etc/nginx/helper/ssl-strong.j2 b/templates/etc/nginx/helper/ssl-strong.j2
index f0ac0fc..1c3a8fe 100644
--- a/templates/etc/nginx/helper/ssl-strong.j2
+++ b/templates/etc/nginx/helper/ssl-strong.j2
@@ -13,5 +13,6 @@ ssl_stapling on;
 ssl_stapling_verify on;
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
+ssl_dhparam {{ nginx_dh_path }};
 # vim:filetype=nginx
diff --git a/vars/main.yml b/vars/main.yml
index 662bafe..2b0f475 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,5 +1,3 @@
-nginx_dh_path: /etc/nginx/ssl/dhparams.pem
-
 nginx_upstream_server_params:
   - key: 'weight'
     default: 1
@@ -29,4 +27,3 @@ nginx_dirs:
   - "{{ nginx_ssl_dir }}"
   - "{{ nginx_helper_dir }}"
 
-
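Review bot: The new `COPY | Deploy DH file from vars` task in tasks/ssl.yml writes whatever string `nginx_dh` holds straight into `nginx_dh_path` without checking that it parses as DH parameters, so a truncated or wrong PEM is only caught when the `reload nginx` handler fails on `ssl_dhparam`, taking every vhost down with it; the copy module's `validate:` hook can reject the content before the file is swapped into place, and `openssl` is already required by the generate task above it. The module arguments are also passed as a folded `copy: >` key=value string, which the `args:` block on the generate task shows the file otherwise avoids; native block YAML is clearer and lets `validate` and `mode` be added without shell-style quoting. Separately, `creates:` on the generate task means a host moved from a provided `nginx_dh` back to null keeps the previously deployed file rather than regenerating, which deserves a comment on that task. The task list continues past this hunk.
```yaml
- name: COPY | Deploy DH file from vars
  copy:
    content: "{{ nginx_dh }}"
    dest: "{{ nginx_dh_path }}"
    # DH parameters are public; an explicit mode just avoids inheriting the umask.
    mode: "0644"
    # Refuse anything openssl cannot parse as DH parameters before it replaces
    # the file ssl_dhparam points at; a bad file would break the nginx reload.
    validate: 'openssl dhparam -noout -check -in %s'
  when: nginx_dh is string
  notify: reload nginx
```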
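Review bot: `ssl_dhparam {{ nginx_dh_path }};` in ssl-legacy.j2 makes every DHE suite that this helper's `ssl_ciphers` list (outside the hunk) still permits use the role's parameters, which default to 2048 bits, and if this legacy profile exists for old Java clients that is a compatibility trap: Java 6 and 7 abort the handshake on DH primes larger than 1024 bits. The right answer is to keep ECDHE suites ahead of DHE in that list so DHE is only a fallback, not to lower `nginx_dh_length`. A one-line comment above the directive, `# DHE parameters generated or deployed by tasks/ssl.yml (nginx_dh, nginx_dh_path)`, would tell a reader where the file comes from and that nginx refuses to reload if it is missing.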