From e4e084ac4614b2d92f38a352b0f1d87cea8812a6 Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <elberfeld@web.de>
Date: Wed, 25 Oct 2017 00:03:29 +0200
Subject: [PATCH] cypher einstellungen optimiert

---
 webserver/nginx/tasks/main.yml       | 10 ++++++++++
 webserver/nginx/templates/nginx-site | 16 ++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/webserver/nginx/tasks/main.yml b/webserver/nginx/tasks/main.yml
index abe3edee..3cdd02f5 100644
--- a/webserver/nginx/tasks/main.yml
+++ b/webserver/nginx/tasks/main.yml
@@ -20,6 +20,16 @@
     path: /etc/nginx/sites-enabled/default 
     state: absent
 
+# DH Parameter geneieriern 
+
+- name: check if DH Params exists 
+  stat:
+    path: /etc/nginx/dhparams.pem
+  register: dhparams
+
+- name: generate new DH Params 
+  command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+  when: dhparams.stat.exists == False 
 
 # sinp_le installieren 
 
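Review bot: The `command: openssl dhparam` task always reports `changed` and re-runs if the stat task is ever removed, because idempotency is delegated to a separate `stat`/`register` pair instead of the module's own guard; give the task `args:` with `creates: /etc/nginx/dhparams.pem`, which makes the stat task and the `when:` redundant, or at least write the condition as `when: not dhparams.stat.exists` rather than `== False`. Nothing in the hunk notifies nginx after the file is written, so on a first run the template's `ssl_dhparam` only takes effect after the next reload — presumably a handler exists elsewhere in the role, but the task should `notify` it. The added lines (`# DH Parameter geneieriern `, both `- name:` lines and the `when:` line) carry trailing whitespace and the comment has a typo; `# DH Parameter generieren` would read cleanly.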
diff --git a/webserver/nginx/templates/nginx-site b/webserver/nginx/templates/nginx-site
index c5b5c808..93f2ec97 100644
--- a/webserver/nginx/templates/nginx-site
+++ b/webserver/nginx/templates/nginx-site
@@ -11,17 +11,25 @@ server {
 
         {% if sslcert.stat.exists == True %}
 
+        # ab nginx > 1.13 spdy durch http2 ersetzen 
 	listen 443 ssl spdy;
     	listen [::]:443 ssl spdy;
 
 	ssl_certificate /etc/ssl/fullchain.pem;
 	ssl_certificate_key /etc/ssl/key.pem;
+	ssl_dhparam /etc/nginx/dhparams.pem;
+
+	ssl_session_tickets off; 
+	ssl_stapling on; 
+	ssl_stapling_verify on; 
+
 	ssl_session_cache shared:SSL:5m;
 	ssl_session_timeout 5m;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
-	ssl_prefer_server_ciphers on;    
+	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
+
+	# ab nginx > 1.13 ist TLS1.3 möglich 
+	ssl_protocols TLSv1.2;
+	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;	ssl_prefer_server_ciphers on;    
 
         {% endif %}
 
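Review bot: `ssl_stapling on;` and `ssl_stapling_verify on;` are added without a `resolver` directive or an `ssl_trusted_certificate`, so unless both are defined outside this hunk nginx cannot look up the OCSP responder and the verify step has no root to validate against; stapling then fails at runtime with only an error-log entry, not a config error. Add `resolver <DNS_RESOLVER_IP> valid=300s;` and `ssl_trusted_certificate <PATH_TO_CHAIN_PEM>;` next to the stapling lines (paths are placeholders; the fullchain used for `ssl_certificate` does not by itself include the root). The cipher names `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512` do not match any OpenSSL suite name I know of and are likely ignored by the cipher-string parser; run `openssl ciphers -v '<the list>'` against the deployed OpenSSL and drop entries that do not resolve. On the last changed line, `ssl_prefer_server_ciphers on;` has been joined onto the `ssl_ciphers` line with a tab and trailing spaces, and `ssl_session_tickets off; `, `ssl_stapling on; ` and `ssl_stapling_verify on; ` also carry trailing whitespace; put each directive on its own line. The `server {` block begins before this hunk.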
-- 
GitLab