1.8 KiB
1.8 KiB
SSL/TLS Management
You can put all this variables in a separated vault file.
Variables
nginx_dh: DH contentnginx_dh_length: DH key length (default is 2048)nginx_dh_path: file localationnginx_ssl_dir: directory where you install your SSL/TLS keysnginx_ssl_pairs
Cert/Key pairs
This list have 3 mandatory keys:
-
name: MUST be unique -
key: content of the private key -
cert: content of the public key
OR
dest_cert: remote path where certificate is locateddest_key: remote path where key is located
Note: name is used to deploy key/cert. With defaults values dans name = "foo", key is -> /etc/nginx/ssl/foo/foo.key
Tips
- Deploying key/cert is not mandatory with this role. You can manage it in other place (letsencrypt? :)). You just need to set
dest_certanddest_key! - In
nginx_vhosts,ssl_nameis mandatory. This role will search innginx_ssl_pairswith vhostname(first in list if it's a list).
Diffie-Hellman
If you do not specify any dh param, this role auto generates it.
Example
nginx_vhosts;
- name: 'test-ssl.local'
proto: ['http', 'https']
template: '_base'
ssl_name: 'mysuperkey'
- name: 'test-ssl2.local'
proto: ['http', 'https']
template: '_base'
nginx_ssl_pairs:
- name: mysuperkey
key: |
-----BEGIN RSA PRIVATE KEY-----
....(snip)....
-----END RSA PRIVATE KEY-----
cert: |
-----BEGIN CERTIFICATE-----
....(snip)....
-----END CERTIFICATE-----
- name: test-ssl2.local
key: |
-----BEGIN RSA PRIVATE KEY-----
....(snip)....
-----END RSA PRIVATE KEY-----
cert: |
-----BEGIN CERTIFICATE-----
....(snip)....
-----END CERTIFICATE-----