1.8 KiB
1.8 KiB
SSL/TLS Management
You can put all this variables in a separated vault file.
Variables
nginx_dh
: DH contentnginx_dh_length
: DH key length (default is 2048)nginx_dh_path
: file localationnginx_ssl_dir
: directory where you install your SSL/TLS keysnginx_ssl_pairs
Cert/Key pairs
This list have 3 mandatory keys:
-
name
: MUST be unique -
key
: content of the private key -
cert
: content of the public key
OR
dest_cert
: remote path where certificate is locateddest_key
: remote path where key is located
Note: name
is used to deploy key/cert. With defaults values dans name
= "foo", key is -> /etc/nginx/ssl/foo/foo.key
Tips
- Deploying key/cert is not mandatory with this role. You can manage it in other place (letsencrypt? :)). You just need to set
dest_cert
anddest_key
! - In
nginx_vhosts
,ssl_name
is mandatory. This role will search innginx_ssl_pairs
with vhostname
(first in list if it's a list).
Diffie-Hellman
If you do not specify any dh param, this role auto generates it.
Example
nginx_vhosts;
- name: 'test-ssl.local'
proto: ['http', 'https']
template: '_base'
ssl_name: 'mysuperkey'
- name: 'test-ssl2.local'
proto: ['http', 'https']
template: '_base'
nginx_ssl_pairs:
- name: mysuperkey
key: |
-----BEGIN RSA PRIVATE KEY-----
....(snip)....
-----END RSA PRIVATE KEY-----
cert: |
-----BEGIN CERTIFICATE-----
....(snip)....
-----END CERTIFICATE-----
- name: test-ssl2.local
key: |
-----BEGIN RSA PRIVATE KEY-----
....(snip)....
-----END RSA PRIVATE KEY-----
cert: |
-----BEGIN CERTIFICATE-----
....(snip)....
-----END CERTIFICATE-----