More SSL stuff

4bb19541 · MichiK · 62d0c037 · 4bb19541 · 4bb19541
Commit 4bb19541 authored 5 years ago by MichiK
--- a/roles/nginx-https/defaults/main.yml
+++ b/roles/nginx-https/defaults/main.yml
@@ -2,6 +2,9 @@ nginx_ssl_protocols: "TLSv1.3 TLSv1.2"
 nginx_ssl_ciphers: "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"
 nginx_ssl_dhparam: "/etc/ssl/certs/dh4096.pem"
 nginx_ssl_dhparam_bits: 4096
+nginx_ssl_ecdh_curve: "secp521r1:secp384r1"
+nginx_ssl_prefer_server_ciphers: true
+nginx_ssl_stapling: true

 nginx_https_default_headers: null


--- a/roles/nginx-https/templates/ssl.conf.j2
+++ b/roles/nginx-https/templates/ssl.conf.j2
@@ -6,8 +6,9 @@ listen [::]:443 ssl http2;
 ssl_dhparam {{ nginx_ssl_dhparam }};
 ssl_protocols {{ nginx_ssl_protocols }};
 ssl_ciphers {{ nginx_ssl_ciphers }};
-ssl_prefer_server_ciphers on;
-ssl_stapling on;
+ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
+ssl_prefer_server_ciphers {{ "on" if nginx_ssl_prefer_server_ciphers else "off" }};
+ssl_stapling {{ "on" if nginx_ssl_stapling else "off" }};

 {% if nginx_https_default_headers %}
 {% for header in nginx_https_default_headers %}