Skip to content
Snippets Groups Projects
Commit a2cbc492 authored by Lars Beckers's avatar Lars Beckers
Browse files

webserver: move tls version config inside server to allow overwriting

parent 5ec05799
No related branches found
No related tags found
1 merge request!4WIP: add acmebot role
This commit is part of merge request !4. Comments created here will be created in the context of that merge request.
Show whitespace changes
Inline Side-by-side
webserver/templates/nginx-proxy.conf
+ 0
7
View file @ a2cbc492
...@@ -47,13 +47,6 @@ http { ...@@ -47,13 +47,6 @@ http {
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_protocols {{protocols[cipher_strength]}};
{% if ciphers[cipher_strength] is not none %}
ssl_ciphers '{{ciphers[cipher_strength]}}';
{% endif %}
ssl_prefer_server_ciphers on;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
......
webserver/templates/nginx.conf
+ 0
6
View file @ a2cbc492
...@@ -40,12 +40,6 @@ http { ...@@ -40,12 +40,6 @@ http {
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_protocols {{protocols[cipher_strength]}};
{% if ciphers[cipher_strength] is not none %}
ssl_ciphers '{{ciphers[cipher_strength]}}';
{% endif %}
ssl_prefer_server_ciphers on;
#add_header Strict-Transport-Security max-age=15768000; # Only in proxy #add_header Strict-Transport-Security max-age=15768000; # Only in proxy
ssl_stapling on; ssl_stapling on;
......
webserver/templates/sites/tlsproxy.conf
+ 0
6
View file @ a2cbc492
...@@ -16,12 +16,6 @@ server { ...@@ -16,12 +16,6 @@ server {
{% include "ssl-certificate" %} {% include "ssl-certificate" %}
{% endif %} {% endif %}
{% if server.cipher_strength is defined %}
ssl_protocols {{protocols[server.cipher_strength]}};
{% if ciphers[server.cipher_strength] is not none %}
ssl_ciphers '{{ciphers[server.cipher_strength]}}';
{% endif %}
{% endif %}
{% if server.use_sso is defined and server.use_sso %} {% if server.use_sso is defined and server.use_sso %}
set $sso_group "{{server.sso_group}}"; set $sso_group "{{server.sso_group}}";
......
webserver/templates/ssl-certificate
+ 7
0
View file @ a2cbc492
ssl_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}}; ssl_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}};
ssl_trusted_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}}; ssl_trusted_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}};
ssl_certificate_key {{server.private_key|default("/var/lib/acme/live/" + server.server_name + "/privkey")}}; ssl_certificate_key {{server.private_key|default("/var/lib/acme/live/" + server.server_name + "/privkey")}};
{% set strength = server.cipher_strength|default(cipher_strength) %}
ssl_protocols {{protocols[strength]}};
ssl_prefer_server_ciphers {{'on' if prefer_server_ciphers[strength] else 'off'}};
{% if ciphers[strength] is not none %}
ssl_ciphers '{{ciphers[strength]}}';
{% endif %}
webserver/vars/buster.yml
+ 3
0
View file @ a2cbc492
...@@ -7,3 +7,6 @@ protocols: ...@@ -7,3 +7,6 @@ protocols:
ciphers: ciphers:
modern: null modern: null
intermediate: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384' intermediate: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
prefer_server_ciphers:
modern: false
intermediate: false
webserver/vars/fallback.yml
+ 3
0
View file @ a2cbc492
...@@ -7,3 +7,6 @@ protocols: ...@@ -7,3 +7,6 @@ protocols:
ciphers: ciphers:
modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
intermediate: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' intermediate: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
prefer_server_ciphers:
modern: false
intermediate: true
webserver/vars/stretch.yml
+ 3
0
View file @ a2cbc492
...@@ -7,3 +7,6 @@ protocols: ...@@ -7,3 +7,6 @@ protocols:
ciphers: ciphers:
modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
intermediate: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' intermediate: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
prefer_server_ciphers:
modern: false
intermediate: true
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment