From 8b87dc1945079c191b349b75c79b09eb9d766ff7 Mon Sep 17 00:00:00 2001
From: MichiK <michik@michik.net>
Date: Sat, 21 Sep 2019 23:30:04 +0200
Subject: [PATCH] Improve Nginx HTTPS configuration with better ciphers and TLS
 1.3

---
 roles/nginx-https/defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/nginx-https/defaults/main.yml b/roles/nginx-https/defaults/main.yml
index c4f49c2..8f038c5 100644
--- a/roles/nginx-https/defaults/main.yml
+++ b/roles/nginx-https/defaults/main.yml
@@ -1,5 +1,5 @@
-nginx_ssl_protocols: "TLSv1.2"
-nginx_ssl_ciphers: "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256"
+nginx_ssl_protocols: "TLSv1.3 TLSv1.2"
+nginx_ssl_ciphers: "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"
 nginx_ssl_dhparam: "/etc/ssl/certs/dh4096.pem"
 nginx_ssl_dhparam_bits: 4096
 
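Review bot: The three `TLS13-*` entries kept at the front of `nginx_ssl_ciphers` do not govern the TLS 1.3 that `nginx_ssl_protocols` now enables. Released OpenSSL 1.1.1 names those suites `TLS_AES_256_GCM_SHA384` and so on, and selects them through a separate ciphersuites setting, so nginx's `ssl_ciphers` list only applies to TLS 1.2 and below and the draft-era names are presumably skipped silently. Either trim the default to `nginx_ssl_ciphers: "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"` or add a comment above it such as `# TLS 1.3 suites come from the OpenSSL defaults; this list applies to TLS 1.2 only`. Separately, `TLSv1.3` in `ssl_protocols` is accepted only by nginx 1.13.0 or later and takes effect only with OpenSSL 1.1.1 or later, so if the role targets older hosts the config test will likely fail there; a comment stating the minimum supported versions would help. The remaining list is RSA-only, so it is worth confirming the role never deploys an ECDSA certificate.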
-- 
GitLab