author | Robin Obůrka <robin.oburka@nic.cz> | 2016-10-18 15:16:46 +0200 |
committer | Robin Obůrka <r.oburka@gmail.com> | 2016-10-19 09:31:52 +0200 |
commit | 3e570925f0c0dca8ad348cb5108ac65f2072a412 (patch) | |
tree | ca0b13d31224150860233e8506fac48be4450afc | |
parent | nginx: Provide new mechanism for default page manipulation (diff) | |
download | ansible-roles-3e570925f0c0dca8ad348cb5108ac65f2072a412.tar.xz |
nginx: Make DH params optional
This is for the early production / development phase.
-rw-r--r-- | roles/nginx/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/nginx/tasks/main.yml | 3 | ||||
-rw-r--r-- | roles/nginx/templates/snippets/ssl-common.conf.j2 | 2 | ||||
-rw-r--r-- | roles/nginx/templates/snippets/ssl-medium-common.conf.j2 | 2 |
4 files changed, 8 insertions, 1 deletions
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index d59cd9b..e323b04 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -2,6 +2,8 @@
 nginx_well_known_path: "/home/acme/webroot/"
 ## First of all - make sure that HTTPS works well; then is possible to enable HSTS
 nginx_enable_hsts: no
+## Generating DH params takes some time. It could be useful to handle them later.
+nginx_skip_dhparams: False
 ## Control default config uploading
 nginx_deploy_default_config: True
 nginx_enable_autodetection: True
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 4d4b085..2e01d22 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -24,7 +24,7 @@
 creates: /etc/ssl/dh4096.pem
 notify:
 - restart nginx
-when: dhparams is not defined
+when: dhparams is not defined and nginx_skip_dhparams == False
 
 - name: Fix dhparams privileges
 file:
@@ -34,6 +34,7 @@
 mode: 0644
 notify:
 - restart nginx
+when: nginx_skip_dhparams == False
 
 - name: Ensure about snippets directory
 file:
diff --git a/roles/nginx/templates/snippets/ssl-common.conf.j2 b/roles/nginx/templates/snippets/ssl-common.conf.j2
index a7806ac..b9d6e78 100644
--- a/roles/nginx/templates/snippets/ssl-common.conf.j2
+++ b/roles/nginx/templates/snippets/ssl-common.conf.j2
@@ -1,5 +1,7 @@
 ssl on;
+{% if nginx_skip_dhparams == False %}
 ssl_dhparam /etc/ssl/dh4096.pem;
+{% endif %}
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
diff --git a/roles/nginx/templates/snippets/ssl-medium-common.conf.j2 b/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
index 581f55f..be2b57b 100644
--- a/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
+++ b/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
@@ -1,5 +1,7 @@
 ssl on;
+{% if nginx_skip_dhparams == False %}
 ssl_dhparam /etc/ssl/dh4096.pem;
+{% endif %}
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
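Review bot: The new comment above `nginx_skip_dhparams` explains why one might skip generation but not what the flag costs, which is the thing an operator needs before setting it on a production host; when it is true the `ssl_dhparam` directive is left out of both ssl snippets, so nginx falls back to whatever DH handling it has built in (a weaker built-in group on older releases, or no DHE suites at all on newer ones — confirm against the nginx version the role targets). I would extend the comment to something like `## Generating DH params takes some time. Setting this to true skips the generation task and drops ssl_dhparam from the ssl snippets, so nginx uses its default DH handling — acceptable for development only; set back to false before going to production.` Separately, the value is spelled `False` while the neighbouring keys use `no` and `True`; yamllint's truthy rule prefers the lowercase `false`, and a single spelling across the file avoids surprises with YAML 1.2 parsers that only recognise `true`/`false`.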
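Review bot: Both new `when:` clauses compare with `== False`, which only works when the variable is a real boolean; a value supplied on the command line (`-e nginx_skip_dhparams=false`) arrives as the string `"false"`, `"false" == False` is false, and both the generation task and the privileges task are silently skipped although the operator asked for DH params. The same comparison is repeated in the two template hunks (`ssl-common.conf.j2` and `ssl-medium-common.conf.j2`), where it drops `ssl_dhparam` under the same conditions. The robust form is to coerce first: `when: dhparams is not defined and not (nginx_skip_dhparams | bool)` and `when: not (nginx_skip_dhparams | bool)` in the tasks, and `{% if not (nginx_skip_dhparams | bool) %}` in both templates. The enclosing tasks start and end outside the hunks, so the task names for the first hunk are not visible here.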