Merge pull request dev-sec#526 from dev-sec/nginx_debian_9_tls

debian 9's nginx doesn't support tls1.3
divialth · Feb 21, 2022 · 41688cd · 41688cd
2 parents ec69f68 + 4dbe84e
commit 41688cd
Show file tree

Hide file tree

Showing 10 changed files with 37 additions and 2 deletions.
diff --git a/roles/nginx_hardening/defaults/main.yml b/roles/nginx_hardening/defaults/main.yml
@@ -23,7 +23,6 @@ nginx_add_header:
 
 nginx_set_cookie_flag: "* HttpOnly secure"
 nginx_ssl_prefer_server_ciphers: "on"
-nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
 nginx_ssl_ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 nginx_ssl_session_tickets: "off"
 nginx_dh_size: "4096"
diff --git a/roles/nginx_hardening/tasks/main.yml b/roles/nginx_hardening/tasks/main.yml
@@ -1,4 +1,27 @@
 ---
+- name: Fetch OS dependent variables
+  include_vars:
+    file: '{{ item }}'
+    name: 'os_vars'
+  with_first_found:
+    - files:
+        - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.distribution }}.yml'
+        - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}.yml'
+      skip: true
+  tags: always
+
+# we only override variables with our default, if they have not been specified already
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact matches
+- name: Set OS dependent variables, if not already defined by user  # noqa var-naming
+  set_fact:
+    '{{ item.key }}': '{{ item.value }}'
+  when: "not lookup('varnames', '^' + item.key + '$')"
+  with_dict: '{{ os_vars }}'
+  tags: always
+
 - name: Create additional configuration
   template:
     src: "hardening.conf.j2"

diff --git a/roles/nginx_hardening/vars/Amazon.yml b/roles/nginx_hardening/vars/Amazon.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Archlinux.yml b/roles/nginx_hardening/vars/Archlinux.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Debian.yml b/roles/nginx_hardening/vars/Debian.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Debian_9.yml b/roles/nginx_hardening/vars/Debian_9.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2"
diff --git a/roles/nginx_hardening/vars/Fedora.yml b/roles/nginx_hardening/vars/Fedora.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/RedHat.yml b/roles/nginx_hardening/vars/RedHat.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Suse.yml b/roles/nginx_hardening/vars/Suse.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/main.yml b/roles/nginx_hardening/vars/main.yml