From 4bb19541d3260b0ada1c44086d943c826fd907bf Mon Sep 17 00:00:00 2001
From: MichiK <michik@michik.net>
Date: Mon, 30 Sep 2019 00:30:52 +0200
Subject: [PATCH] More SSL stuff

---
 roles/nginx-https/defaults/main.yml     | 3 +++
 roles/nginx-https/templates/ssl.conf.j2 | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/roles/nginx-https/defaults/main.yml b/roles/nginx-https/defaults/main.yml
index 31b35db..ffdd004 100644
--- a/roles/nginx-https/defaults/main.yml
+++ b/roles/nginx-https/defaults/main.yml
@@ -2,6 +2,9 @@ nginx_ssl_protocols: "TLSv1.3 TLSv1.2"
 nginx_ssl_ciphers: "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"
 nginx_ssl_dhparam: "/etc/ssl/certs/dh4096.pem"
 nginx_ssl_dhparam_bits: 4096
+nginx_ssl_ecdh_curve: "secp521r1:secp384r1"
+nginx_ssl_prefer_server_ciphers: true
+nginx_ssl_stapling: true
 
 nginx_https_default_headers: null
 
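Review bot: The new default `nginx_ssl_ecdh_curve: "secp521r1:secp384r1"` narrows interoperability more than it hardens anything: it omits X25519 and prime256v1, the curves most clients offer first, and at least Chrome does not offer secp521r1 at all, so most handshakes will end up on secp384r1 and any client without P-384 will fail. Unless there is a deliberate reason to exclude the common curves, a default like `nginx_ssl_ecdh_curve: "X25519:secp384r1:prime256v1"` (or nginx's own `"auto"`, available since 1.11.0) would be the safer starting point, with a comment above it stating why the list is what it is. The same consideration applies to how the value is rendered in `templates/ssl.conf.j2` in the second hunk.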
diff --git a/roles/nginx-https/templates/ssl.conf.j2 b/roles/nginx-https/templates/ssl.conf.j2
index 5c3fb54..05e4f80 100644
--- a/roles/nginx-https/templates/ssl.conf.j2
+++ b/roles/nginx-https/templates/ssl.conf.j2
@@ -6,8 +6,9 @@ listen [::]:443 ssl http2;
 ssl_dhparam {{ nginx_ssl_dhparam }};
 ssl_protocols {{ nginx_ssl_protocols }};
 ssl_ciphers {{ nginx_ssl_ciphers }};
-ssl_prefer_server_ciphers on;
-ssl_stapling on;
+ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
+ssl_prefer_server_ciphers {{ "on" if nginx_ssl_prefer_server_ciphers else "off" }};
+ssl_stapling {{ "on" if nginx_ssl_stapling else "off" }};
 
 {% if nginx_https_default_headers %}
 {% for header in nginx_https_default_headers %}
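Review bot: The two new `"on" if … else "off"` expressions rely on Jinja truthiness, so a value supplied as a string from extra-vars or an INI inventory (`nginx_ssl_stapling=false`) renders as `on`; filter through `bool` as is usual in Ansible roles: `ssl_prefer_server_ciphers {{ "on" if nginx_ssl_prefer_server_ciphers | bool else "off" }};` and `ssl_stapling {{ "on" if nginx_ssl_stapling | bool else "off" }};`. The unconditional `ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};` renders `ssl_ecdh_curve ;` when the variable is overridden to an empty value and nginx then refuses the configuration; wrapping it in `{% if nginx_ssl_ecdh_curve %}` … `{% endif %}` keeps the directive optional. Since `ssl_stapling` is now a toggle, it is worth a comment in the template that stapling only takes effect when a `resolver` directive and the issuer chain are also configured, which this hunk does not show; the server block continues outside the hunk.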
-- 
GitLab