nginx: Add snippet with less paranoiac SSL settings

2 files changed, 14 insertions, 0 deletions

diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index e8ef09b..122c5b8 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -53,6 +53,7 @@
   with_items:
   - common.conf
   - ssl-common.conf
+  - ssl-medium-common.conf
   notify:
   - restart nginx
 
diff --git a/roles/nginx/templates/snippets/ssl-medium-common.conf.j2 b/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
new file mode 100644
index 0000000..581f55f
--- /dev/null
+++ b/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
@@ -0,0 +1,13 @@
+ssl on;
+ssl_dhparam /etc/ssl/dh4096.pem;
+
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 1h;
+
+{% if nginx_enable_hsts == True %}
+add_header Strict-Transport-Security max-age=15768000;
+{% endif %}