Better dh management

Emilien Mantel 2016-01-12 11:16:41 +01:00
parent ad9c0fa979
commit 883948f081
6 changed files with 20 additions and 13 deletions


@ -13,7 +13,6 @@ nginx_resolver_hosts: ['8.8.8.8', '8.8.4.4']
nginx_resolver_valid: '300s' nginx_resolver_valid: '300s'
nginx_resolver_timeout: '5s' nginx_resolver_timeout: '5s'
nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
nginx_dh_length: 2048
# #
# Nginx directories # Nginx directories
@ -97,3 +96,10 @@ nginx_htpasswd: []
# SSL pairs # SSL pairs
# #
nginx_ssl_pairs: [] nginx_ssl_pairs: []
#
# Diffie-Helman
#
nginx_dh: null
nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
nginx_dh_length: 2048
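Review bot: The new default `nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'` does not match the entry removed from vars/main.yml in this same commit (`/etc/nginx/ssl/dhparams.pem`), so hosts provisioned before this change will get a second parameter file generated while the stale `dhparams.pem` is left behind; either keep the old file name or add a removal task. The heading comment has a typo and should read `# Diffie-Hellman`. The contract of the three variables is only inferable from tasks/ssl.yml, so spell it out here, e.g. `# nginx_dh: PEM-encoded DH parameters to deploy verbatim; when null, a file of nginx_dh_length bits is generated on the host` and `# nginx_dh_length: only used when generating; keep at 2048 or higher`.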


@ -15,7 +15,7 @@
- name: INCLUDE | htpasswd configuration - name: INCLUDE | htpasswd configuration
include: htpasswd.yml include: htpasswd.yml
- name: INCLUDE | Vhosts configuration - name: INCLUDE | SSL configuration
include: ssl.yml include: ssl.yml
- name: INCLUDE | Vhosts configuration - name: INCLUDE | Vhosts configuration


@ -1,9 +1,18 @@
--- ---
- name: COMMAND | Creates DH file - name: COMMAND | Generate DH file
command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }} command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
args: args:
creates: "{{ nginx_dh_path }}" creates: "{{ nginx_dh_path }}"
when: nginx_dh is not string
notify: reload nginx
- name: COPY | Deploy DH file from vars
copy: >
content="{{ nginx_dh }}"
dest="{{ nginx_dh_path }}"
when: nginx_dh is string
notify: reload nginx
- name: FILE | Create SSL directories - name: FILE | Create SSL directories
file: > file: >
@ -25,9 +34,3 @@
with_items: nginx_ssl_pairs with_items: nginx_ssl_pairs
notify: reload nginx notify: reload nginx
#- name: FAIL | Missmatch vhost SSL configuration
# fail: msg="FUCK {{ item.name }}"
#
#
#
# nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key'
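Review bot: The new `COPY | Deploy DH file from vars` task passes a multi-line PEM blob through a folded `key=value` string (`content="{{ nginx_dh }}"`), which depends on Ansible's string argument splitting coping with embedded newlines and quotes; native block module arguments are the documented form and also let you pin the file mode, which the task currently leaves to the remote umask. The `creates:` guard on the `Generate DH file` task means that changing `nginx_dh_length` on an already-provisioned host never regenerates the file, which deserves a comment such as `# creates: keeps an existing file even if nginx_dh_length changes; delete it to regenerate`. Both DH tasks run before `FILE | Create SSL directories` in this file; if `nginx_ssl_dir` is not created earlier in the role (not visible from this hunk), `openssl dhparam -out` will fail on a fresh host. The `Create SSL directories` task continues past the end of the hunk.
```yaml
- name: COPY | Deploy DH file from vars
  copy:
    content: "{{ nginx_dh }}"
    dest: "{{ nginx_dh_path }}"
    mode: "0644"
  # … unchanged: when / notify …
```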


@ -13,6 +13,6 @@ ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }}; resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }}; resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }};
# vim:filetype=nginx # vim:filetype=nginx


@ -13,5 +13,6 @@ ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }}; resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }}; resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }};
# vim:filetype=nginx # vim:filetype=nginx


@ -1,5 +1,3 @@
nginx_dh_path: /etc/nginx/ssl/dhparams.pem
nginx_upstream_server_params: nginx_upstream_server_params:
- key: 'weight' - key: 'weight'
default: 1 default: 1
@ -29,4 +27,3 @@ nginx_dirs:
- "{{ nginx_ssl_dir }}" - "{{ nginx_ssl_dir }}"
- "{{ nginx_helper_dir }}" - "{{ nginx_helper_dir }}"