Better dh management
parent
ad9c0fa979
commit
883948f081
|
@ -13,7 +13,6 @@ nginx_resolver_hosts: ['8.8.8.8', '8.8.4.4']
|
||||||
nginx_resolver_valid: '300s'
|
nginx_resolver_valid: '300s'
|
||||||
nginx_resolver_timeout: '5s'
|
nginx_resolver_timeout: '5s'
|
||||||
nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
|
nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
|
||||||
nginx_dh_length: 2048
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Nginx directories
|
# Nginx directories
|
||||||
|
@ -97,3 +96,10 @@ nginx_htpasswd: []
|
||||||
# SSL pairs
|
# SSL pairs
|
||||||
#
|
#
|
||||||
nginx_ssl_pairs: []
|
nginx_ssl_pairs: []
|
||||||
|
|
||||||
|
#
|
||||||
|
# Diffie-Helman
|
||||||
|
#
|
||||||
|
nginx_dh: null
|
||||||
|
nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
|
||||||
|
nginx_dh_length: 2048
|
||||||
|
|
|
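Review bot: The new `# Diffie-Helman` block in the defaults does not say what `nginx_dh` is expected to hold; given that `null` leads to on-host generation and a string is written verbatim to `nginx_dh_path` (per the ssl.yml tasks in this commit), the variable deserves a comment such as `# PEM-encoded DH parameters; leave null to generate them on the host with nginx_dh_length bits`. The heading is also misspelled and should read `# Diffie-Hellman`. Note that the default file name changes from the removed `nginx_dh_path: /etc/nginx/ssl/dhparams.pem` in vars to `dhparam.pem` here, so hosts provisioned by the previous version will likely get a second file generated and the old one left in place; a comment, or a cleanup task for the old file, would make that explicit.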
@ -15,7 +15,7 @@
|
||||||
- name: INCLUDE | htpasswd configuration
|
- name: INCLUDE | htpasswd configuration
|
||||||
include: htpasswd.yml
|
include: htpasswd.yml
|
||||||
|
|
||||||
- name: INCLUDE | Vhosts configuration
|
- name: INCLUDE | SSL configuration
|
||||||
include: ssl.yml
|
include: ssl.yml
|
||||||
|
|
||||||
- name: INCLUDE | Vhosts configuration
|
- name: INCLUDE | Vhosts configuration
|
||||||
|
|
|
@ -1,9 +1,18 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: COMMAND | Creates DH file
|
- name: COMMAND | Generate DH file
|
||||||
command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
|
command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
|
||||||
args:
|
args:
|
||||||
creates: "{{ nginx_dh_path }}"
|
creates: "{{ nginx_dh_path }}"
|
||||||
|
when: nginx_dh is not string
|
||||||
|
notify: reload nginx
|
||||||
|
|
||||||
|
- name: COPY | Deploy DH file from vars
|
||||||
|
copy: >
|
||||||
|
content="{{ nginx_dh }}"
|
||||||
|
dest="{{ nginx_dh_path }}"
|
||||||
|
when: nginx_dh is string
|
||||||
|
notify: reload nginx
|
||||||
|
|
||||||
- name: FILE | Create SSL directories
|
- name: FILE | Create SSL directories
|
||||||
file: >
|
file: >
|
||||||
|
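Review bot: The new COPY task passes a multi-line PEM value through the folded key=value form `copy: >` / `content="{{ nginx_dh }}"`, which hands the module one argument string to re-parse; DH parameters span many lines, and I would not rely on that parser preserving them intact. Native block args avoid the round trip: `copy:` / `  content: "{{ nginx_dh }}"` / `  dest: "{{ nginx_dh_path }}"`. The generating task now runs ahead of `FILE | Create SSL directories` in this file while writing into `{{ nginx_ssl_dir }}`, which only works if that directory is created earlier in the play (the `nginx_dirs` list in vars does include it), so a comment stating that dependency would help; the FILE task's body continues past the hunk. Also worth noting on the COMMAND task that `creates:` means an existing file is never regenerated when `nginx_dh_length` changes, e.g. `# existing file is kept as-is; remove it to regenerate with a new length`.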
@ -25,9 +34,3 @@
|
||||||
with_items: nginx_ssl_pairs
|
with_items: nginx_ssl_pairs
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
|
|
||||||
#- name: FAIL | Missmatch vhost SSL configuration
|
|
||||||
# fail: msg="FUCK {{ item.name }}"
|
|
||||||
#
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key'
|
|
||||||
|
|
|
@ -13,6 +13,6 @@ ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
||||||
resolver_timeout {{ nginx_resolver_timeout }};
|
resolver_timeout {{ nginx_resolver_timeout }};
|
||||||
|
ssl_dhparam {{ nginx_dh_path }};
|
||||||
|
|
||||||
# vim:filetype=nginx
|
# vim:filetype=nginx
|
||||||
|
|
|
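Review bot: The `ssl_dhparam {{ nginx_dh_path }};` line is added to two templates that already carry the same `ssl_stapling_verify` / `resolver` / `resolver_timeout` stanza (this hunk and the `@ -13,5 +13,6 @@` one below), so the two copies now have to be kept in step by hand. Moving the shared block into one included snippet would keep them from drifting; if they are meant to stay separate, a comment on each naming the other copy would help. The directive also depends on ssl.yml having produced the file before this template is loaded, since nginx's config check fails when the `ssl_dhparam` file is missing; the include order in tasks/main.yml (ssl before vhosts) appears to cover that, and a comment saying so would save the next reader the lookup.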
@ -13,5 +13,6 @@ ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
||||||
resolver_timeout {{ nginx_resolver_timeout }};
|
resolver_timeout {{ nginx_resolver_timeout }};
|
||||||
|
ssl_dhparam {{ nginx_dh_path }};
|
||||||
|
|
||||||
# vim:filetype=nginx
|
# vim:filetype=nginx
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
nginx_dh_path: /etc/nginx/ssl/dhparams.pem
|
|
||||||
|
|
||||||
nginx_upstream_server_params:
|
nginx_upstream_server_params:
|
||||||
- key: 'weight'
|
- key: 'weight'
|
||||||
default: 1
|
default: 1
|
||||||
|
@ -29,4 +27,3 @@ nginx_dirs:
|
||||||
- "{{ nginx_ssl_dir }}"
|
- "{{ nginx_ssl_dir }}"
|
||||||
- "{{ nginx_helper_dir }}"
|
- "{{ nginx_helper_dir }}"
|
||||||
|
|
||||||
|
|
||||||
|
|