re-add option for hsts; add option for ocsp stapling

This commit is contained in:
Robert Kaussow 2018-08-14 22:35:00 +02:00
parent f37bac37d0
commit 0770f128ec
3 changed files with 10 additions and 2 deletions


@ -57,6 +57,9 @@ nginx_tls_source_use_files: True
nginx_tls_cert_source: mycert.pem nginx_tls_cert_source: mycert.pem
nginx_tls_key_source: mykey.pem nginx_tls_key_source: mykey.pem
nginx_tls_ocsp_enabled: False
nginx_tls_hsts_enabled: False
nginx_hsts_options: nginx_hsts_options:
- nginx_hsts_max_age=63072000 - nginx_hsts_max_age=63072000
- includeSubDomains - includeSubDomains
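Review bot: The first entry of `nginx_hsts_options`, `nginx_hsts_max_age=63072000`, is joined verbatim into the header by the HSTS template in this commit, so the re-enabled policy would begin with `nginx_hsts_max_age=` instead of the `max-age=` directive browsers require and would be ignored; it should read `- max-age=63072000`. The new `nginx_tls_ocsp_enabled` toggle has no companion variable for the trusted CA bundle the stapling template needs, so consider adding `nginx_tls_ocsp_trusted_cert: bundle.ca.pem` next to it with a comment that the file must contain the issuer chain used to verify stapled responses. Neither new default is documented; a line such as `# HSTS and OCSP stapling only take effect when nginx_tls_enabled is True` above them would help.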


@ -1,6 +1,8 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# default header settings # default header settings
{% if nginx_tls_enabled and nginx_tls_hsts_enabled %}
add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %}; add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
{% endif %}
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
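Review bot: When `nginx_tls_hsts_enabled` is on but `nginx_hsts_options` is undefined, the guarded line renders as `add_header Strict-Transport-Security;` with no value, which nginx rejects at config test time; fold the options check into the outer condition or give it a default, e.g. `add_header Strict-Transport-Security "{{ nginx_hsts_options | default(['max-age=63072000']) | join('; ') }}";`. The header is also emitted without the `always` flag, so it is only sent on 2xx/3xx responses, and any nested block that declares its own `add_header` drops it entirely; either add `always` or note this above the directive with `# add_header is not inherited by blocks that set their own headers; repeat there if needed`. If the value of `nginx_hsts_options` is taken from the role defaults in this commit, confirm it yields a valid `max-age=` directive before shipping.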


@ -5,6 +5,9 @@ ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
{% if nginx_pfs_enabled and nginx_dhparam_file is defined %}
ssl_dhparam {{ nginx_dhparam_file }}; {% if nginx_tls_enabled and nginx_tls_ocsp_enabled %}
ssl_stapling on;
ssl_trusted_certificate /pfad/bundle.ca.pem;
ssl_stapling_verify on;
{% endif %} {% endif %}
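Review bot: `ssl_trusted_certificate /pfad/bundle.ca.pem;` is a hard-coded placeholder path, so enabling `nginx_tls_ocsp_enabled` produces a config that fails `nginx -t` wherever that file is absent; it should come from a role variable, e.g. `ssl_trusted_certificate {{ nginx_tls_ocsp_trusted_cert }};`, and that bundle must contain the issuer chain for `ssl_stapling_verify on` to succeed. No `resolver` directive is visible in this hunk; nginx needs one to reach the OCSP responder, otherwise stapling is silently skipped with only a warning in the error log, so add `resolver {{ nginx_tls_ocsp_resolver }} valid=300s;` inside the same block unless it is set elsewhere in the file. The rendering also shows the `nginx_pfs_enabled` guard and `ssl_dhparam {{ nginx_dhparam_file }};` on the old side only; if those lines were really removed rather than displaced by the page layout, DH parameters for PFS would no longer be configured, which is worth confirming. The template continues outside the hunk.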