diff --git a/webserver/nginx/tasks/main.yml b/webserver/nginx/tasks/main.yml
index abe3edee78f4e5600d1b12215222e0ec9335443e..3cdd02f515c71e88c85f35388f849426b8ba5311 100644
--- a/webserver/nginx/tasks/main.yml
+++ b/webserver/nginx/tasks/main.yml
@@ -20,6 +20,16 @@
 path: /etc/nginx/sites-enabled/default
 state: absent
+# DH Parameter geneieriern
+
+- name: check if DH Params exists
+ stat:
+ path: /etc/nginx/dhparams.pem
+ register: dhparams
+
+- name: generate new DH Params
+ command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+ when: dhparams.stat.exists == False
 # sinp_le installieren
diff --git a/webserver/nginx/templates/nginx-site b/webserver/nginx/templates/nginx-site
index c5b5c8089219b9f2db439d8e8b3b9e8b3cb60f9c..93f2ec97c894a3eb92e55533cb38a9ab1017b6e8 100644
--- a/webserver/nginx/templates/nginx-site
+++ b/webserver/nginx/templates/nginx-site
@@ -11,17 +11,25 @@ server {
 {% if sslcert.stat.exists == True %}
+ # ab nginx > 1.13 spdy durch http2 ersetzen
 listen 443 ssl spdy;
 listen [::]:443 ssl spdy;
 ssl_certificate /etc/ssl/fullchain.pem;
 ssl_certificate_key /etc/ssl/key.pem;
+ ssl_dhparam /etc/nginx/dhparams.pem;
+
+ ssl_session_tickets off;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
 ssl_session_cache shared:SSL:5m;
 ssl_session_timeout 5m;
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
- ssl_prefer_server_ciphers on;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
+
+ # ab nginx > 1.13 ist TLS1.3 möglich
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
 ssl_prefer_server_ciphers on;
 {% endif %}
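Review bot: The `stat` task plus `when: dhparams.stat.exists == False` re-implements what the `command` module's `creates` argument already provides, and `== False` is the non-idiomatic spelling of `when: not dhparams.stat.exists`. The two tasks collapse into one that stays idempotent without a registered fact: `command: openssl dhparam -out /etc/nginx/dhparams.pem 2048` followed by `args:` / `creates: /etc/nginx/dhparams.pem`. The generated file gets no explicit owner or mode, so it inherits the umask of the play; a `file:` task pinning `mode: "0644"` makes that deterministic (the parameters are public values, not a secret, but nginx must be able to read them). The comment `# DH Parameter geneieriern` has a typo for `generieren`.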
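Review bot: `ssl_stapling on` / `ssl_stapling_verify on` will not actually produce stapled responses with only this hunk: nginx needs a `resolver` to look up the OCSP responder hostname and, for `ssl_stapling_verify`, a `ssl_trusted_certificate` holding the issuer chain, and without them the handshake still succeeds but nginx only logs a warning and never staples. Adding `resolver <DNS resolver IP placeholder> valid=300s;` and `ssl_trusted_certificate /etc/ssl/fullchain.pem;` (or the CA chain file that matches the certificate) inside the same block fixes that. In the `ssl_ciphers` line, `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512` are not OpenSSL cipher-suite names (the AES-GCM suites pair with SHA384); OpenSSL skips unknown names silently, so they are dead entries rather than a failure, but they should be dropped so the list reads as what is really negotiated. The `preload;` token added to the HSTS header commits the domain and every subdomain to browser preload lists once submitted, which is hard to reverse, so confirm all subdomains serve HTTPS before keeping it. The new comment on `listen 443 ssl spdy;` acknowledges the spdy→http2 switch but leaves the directive in place; the `spdy` listen parameter was removed in nginx 1.9.5, so this block fails to load on current nginx until it is replaced with `http2`.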