-rw-r--r-- | roles/nginx/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/nginx/tasks/main.yml | 3 | ||||
-rw-r--r-- | roles/nginx/templates/snippets/ssl-common.conf.j2 | 2 | ||||
-rw-r--r-- | roles/nginx/templates/snippets/ssl-medium-common.conf.j2 | 2 |
4 files changed, 8 insertions, 1 deletions
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index d59cd9b..e323b04 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -2,6 +2,8 @@ nginx_well_known_path: "/home/acme/webroot/"
 ## First of all - make sure that HTTPS works well; then is possible to enable HSTS
 nginx_enable_hsts: no
+## Generating DH params takes some time. It could be useful to handle them later.
+nginx_skip_dhparams: False
 ## Control default config uploading
 nginx_deploy_default_config: True
 nginx_enable_autodetection: True
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 4d4b085..2e01d22 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -24,7 +24,7 @@
 creates: /etc/ssl/dh4096.pem
 notify:
 - restart nginx
- when: dhparams is not defined
+ when: dhparams is not defined and nginx_skip_dhparams == False

 - name: Fix dhparams privileges
 file:
@@ -34,6 +34,7 @@
 mode: 0644
 notify:
 - restart nginx
+ when: nginx_skip_dhparams == False

 - name: Ensure about snippets directory
 file:
diff --git a/roles/nginx/templates/snippets/ssl-common.conf.j2 b/roles/nginx/templates/snippets/ssl-common.conf.j2
index a7806ac..b9d6e78 100644
--- a/roles/nginx/templates/snippets/ssl-common.conf.j2
+++ b/roles/nginx/templates/snippets/ssl-common.conf.j2
@@ -1,5 +1,7 @@
 ssl on;
+{% if nginx_skip_dhparams == False %}
 ssl_dhparam /etc/ssl/dh4096.pem;
+{% endif %}
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
diff --git a/roles/nginx/templates/snippets/ssl-medium-common.conf.j2 b/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
index 581f55f..be2b57b 100644
--- a/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
+++ b/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
@@ -1,5 +1,7 @@
 ssl on;
+{% if nginx_skip_dhparams == False %}
 ssl_dhparam /etc/ssl/dh4096.pem;
+{% endif %}
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
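Review bot: `nginx_skip_dhparams: False` in the defaults hunk uses the capitalised YAML 1.1 boolean spelling; the neighbouring keys on the new side (`nginx_deploy_default_config: True`, `nginx_enable_autodetection: True`) do the same, but yamllint's `truthy` rule and the YAML 1.2 core schema only recognise `true`/`false`, so prefer `nginx_skip_dhparams: false` for the new key. The comment above it explains why someone might set the flag but not what it does; a reader of defaults/main.yml would want the consequence spelled out, e.g. `## When true, skip DH parameter generation and omit ssl_dhparam from the rendered SSL snippets.` Rendering the snippets without the directive is a TLS configuration change rather than a deferral, so it deserves to be named here.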
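Review bot: `when: dhparams is not defined and nginx_skip_dhparams == False` in the tasks/main.yml hunk at -24 (and `when: nginx_skip_dhparams == False` in the hunk at -34) compares against the Python boolean, so a value that arrives as a string — from `-e nginx_skip_dhparams=false` on the command line or an INI inventory — never equals `False`, and both the generation task and the "Fix dhparams privileges" task are silently skipped, which leaves dh4096.pem ungenerated or with unmanaged permissions. Coerce with the bool filter instead: `when: dhparams is not defined and not (nginx_skip_dhparams | bool)` and `when: not (nginx_skip_dhparams | bool)`. Both enclosing tasks begin above their hunks, so the task names and module arguments for the first one are not visible here.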
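Review bot: Wrapping `ssl_dhparam /etc/ssl/dh4096.pem;` in `{% if nginx_skip_dhparams == False %}` in ssl-common.conf.j2 ties the directive to the flag rather than to the file, so on a host where dh4096.pem was generated by an earlier run, enabling the flag later removes the directive from the rendered config and nginx falls back to its built-in DH handling (older releases use a small default group, newer ones drop DHE suites when no ssl_dhparam is set — confirm for the target version). The identical block is repeated in ssl-medium-common.conf.j2, so both templates are affected. A more robust condition keys on whether the file exists — register a `stat` of /etc/ssl/dh4096.pem in the tasks and test its `.stat.exists` here (variable name to be chosen in the role) — and, as in tasks/main.yml, `== False` should become `not (nginx_skip_dhparams | bool)` so a string-valued override does not silently drop the directive.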