

Merge pull request #5 from dev-sec/dhparam
create dhparam file. fix #4
chris-rock committed Sep 23, 2016
2 parents 29c99df + 36df40f commit c5ca897
Showing 6 changed files with 9 additions and 1 deletion.
1 change: 1 addition & 0 deletions defaults/main.yml
Expand Up @@ -22,4 +22,5 @@ nginx_add_header: [
nginx_ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2"
nginx_ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx_ssl_prefer_server_ciphers: "on"
nginx_dh_param: "{{nginx_root_dir}}/dh{{nginx_dh_size}}.pem"
nginx_dh_size: "2048"
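Review bot: `nginx_dh_size` carries no comment stating what it feeds or the floor the role expects, and `nginx_dh_param` is built from it and from `nginx_root_dir`, which is defined in the per-platform vars files rather than here. Which of the two dh lines is the single addition cannot be read from the rendered page. I would add above `nginx_dh_size` the comment `# DH group size in bits passed to openssl dhparam; do not go below 2048, larger groups take much longer to generate` and above `nginx_dh_param` the comment `# path of the generated DH parameter file; nginx_root_dir comes from vars/<platform>.yml`.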
4 changes: 4 additions & 0 deletions tasks/main.yml
Expand Up @@ -29,3 +29,7 @@
file: path="{{nginx_default_conf}}" state=absent
when: nginx_remove_default_site
notify: reload nginx

- name: generate dh group
command: openssl dhparam -out {{nginx_dh_param}} {{nginx_dh_size}} creates={{nginx_dh_param}}
notify: reload nginx
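Review bot: The new `generate dh group` task packs the `creates=` option into the command string and interpolates both variables unquoted, the legacy key=value form; `command` does not go through a shell, but a value containing whitespace still splits into extra arguments and the one-liner is hard to read. A comment should also record that generating a 2048-bit group can take minutes on a small host and that the task assumes the openssl binary is installed. I would rewrite the task in native block form with `args: creates:`, keeping the task name and the `reload nginx` handler unchanged. The enclosing task list continues outside the hunk.
```yaml
# generating a 2048-bit group can take minutes; creates: keeps the task idempotent
# and assumes the openssl binary is already installed on the host
- name: generate dh group
  command: "openssl dhparam -out {{ nginx_dh_param }} {{ nginx_dh_size }}"
  args:
    creates: "{{ nginx_dh_param }}"
  notify: reload nginx
```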
2 changes: 1 addition & 1 deletion templates/hardening.conf.j2
Expand Up @@ -10,7 +10,7 @@ limit_conn_zone {{nginx_limit_conn_zone}};
limit_conn {{nginx_limit_conn}};
ssl_protocols {{nginx_ssl_protocols}};
ssl_ciphers {{nginx_ssl_ciphers}};
ssl_dhparam {{nginx_dh_size}};
ssl_dhparam {{nginx_dh_param}};
ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}};
{% for header in nginx_add_header %}
add_header {{header}};
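Review bot: `ssl_dhparam {{nginx_dh_param}};` is emitted unconditionally, so the rendered config only passes `nginx -t` once the `generate dh group` task in tasks/main.yml has produced the file, and nothing in the template records that dependency. I would add a Jinja comment above the directive, `{# created by the 'generate dh group' task; a missing file fails the nginx config test #}`, which stays out of the rendered nginx config. Whether this template is included in an ssl-capable context where `ssl_dhparam` is accepted is not visible from the hunk.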
1 change: 1 addition & 0 deletions vars/Debian.yml
@@ -1,3 +1,4 @@
nginx_root_dir: '/etc/nginx'
nginx_config_conf_dir: '/etc/nginx/conf.d'
nginx_default_conf: '/etc/nginx/sites-enabled/default'
nginx_service_name: 'nginx'
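Review bot: `nginx_root_dir` is presumably the line added here and in vars/Oracle Linux.yml and vars/RedHat.yml (the rendered page loses the marker), and defaults/main.yml now builds `nginx_dh_param` from it, so any other platform vars file the role ships would need the same key or the dh path renders against an undefined variable. I would add a comment above it, `# base directory for the generated DH parameter file (see nginx_dh_param in defaults/main.yml)`, in all three files.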
1 change: 1 addition & 0 deletions vars/Oracle Linux.yml
@@ -1,3 +1,4 @@
nginx_root_dir: '/etc/nginx'
nginx_config_conf_dir: '/etc/nginx/conf.d'
nginx_default_conf: '/etc/nginx/conf.d/default.conf'
nginx_service_name: 'nginx'
1 change: 1 addition & 0 deletions vars/RedHat.yml
@@ -1,3 +1,4 @@
nginx_root_dir: '/etc/nginx'
nginx_config_conf_dir: '/etc/nginx/conf.d'
nginx_default_conf: '/etc/nginx/conf.d/default.conf'
nginx_service_name: 'nginx'
