cypher einstellungen optimiert

webserver/nginx/tasks/main.yml

@@ -20,6 +20,16 @@
     path: /etc/nginx/sites-enabled/default 
     state: absent
 
+# DH Parameter geneieriern 
+
+- name: check if DH Params exists 
+  stat:
+    path: /etc/nginx/dhparams.pem
+  register: dhparams
+
+- name: generate new DH Params 
+  command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+  when: dhparams.stat.exists == False 
 
 # sinp_le installieren 
 

webserver/nginx/templates/nginx-site

@@ -11,17 +11,25 @@ server {
 
         {% if sslcert.stat.exists == True %}
 
+        # ab nginx > 1.13 spdy durch http2 ersetzen 
 	listen 443 ssl spdy;
     	listen [::]:443 ssl spdy;
 
 	ssl_certificate /etc/ssl/fullchain.pem;
 	ssl_certificate_key /etc/ssl/key.pem;
+	ssl_dhparam /etc/nginx/dhparams.pem;
+
+	ssl_session_tickets off; 
+	ssl_stapling on; 
+	ssl_stapling_verify on; 
+
 	ssl_session_cache shared:SSL:5m;
 	ssl_session_timeout 5m;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
-	ssl_prefer_server_ciphers on;    
+	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
+
+	# ab nginx > 1.13 ist TLS1.3 möglich 
+	ssl_protocols TLSv1.2;
+	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;	ssl_prefer_server_ciphers on;    
 
         {% endif %}