diff --git a/defaults/main.yml b/defaults/main.yml
index bfa39d7..1a674a9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,3 +5,6 @@ nginx_open_ports:
 ssl_priv_key: ""
 ssl_intermediate_cert: ""
 ssl_chained_cert: ""
+
+dhparam_size: '4069'
+dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem'
diff --git a/tasks/config.yml b/tasks/config.yml
index b462a6b..87fdc9d 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -111,6 +111,17 @@
   notify:
     - nginx_reload
 
+- name: register dhparam file
+  stat:
+    path: "{{ dhparam_file }}"
+  register: dh_file
+
+- name: Generate Diffie-Hellman parameter file
+  shell: "/usr/bin/openssl dhparam -out '{{ dhparam_file }}' {{ dhparam_size }}"
+  async: 3600
+  poll: 60
+  when: dh_file.stat.isfile is not defined
+
 - name: Open ports in iptables
   iptables_raw:
     name: allow_nginx_ports
diff --git a/templates/etc/nginx/conf.d/tls.conf.j2 b/templates/etc/nginx/conf.d/tls.conf.j2
index 19cebc3..1bfecf1 100644
--- a/templates/etc/nginx/conf.d/tls.conf.j2
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
@@ -13,4 +13,4 @@
 ssl_stapling_verify on;
 ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
 ssl_prefer_server_ciphers on;
-ssl_dhparam /etc/nginx/cert/dhparam.pem;
+ssl_dhparam {{ dhparam_file }};
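Review bot: `dhparam_size: '4069'` looks like a transposition of 4096 — 4069 is not a conventional DH parameter size, and because the value is also baked into `dhparam_file`, every host would end up with a `dhparam-4069.pem` that has to be regenerated once the typo is fixed. Suggest `dhparam_size: '4096'` (keeping it quoted is right, since it is interpolated as text), or `'2048'` if generation time on the target hosts is a concern, as 4096-bit generation can take a long time. The Jinja expression would read more consistently with the rest of the role as `dhparam_file: '/etc/pki/tls/certs/dhparam-{{ dhparam_size }}.pem'`. The `/etc/pki/tls/certs` default presumably assumes a RHEL-family layout; a one-line comment above it saying so would help users on other distributions who need to override it.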
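Review bot: The `shell:` task interpolates `dhparam_file` and `dhparam_size` directly into a shell command line, yet nothing in the command needs shell features; using `command:` with the `quote` filter passes both values as plain arguments, so an inventory or extra-vars override containing quotes or spaces cannot alter the command, and `creates: "{{ dhparam_file }}"` gives the same skip-if-present behaviour without the separate `stat` task and the `isfile is not defined` test (the idiomatic spelling of that test would be `when: not dh_file.stat.exists`). It is not clear from the hunk whether an interrupted async run can leave a partial file at `dhparam_file`; if it can, the skip check would then prevent regeneration, so writing to a temporary path and renaming on success would make reruns self-healing. Task naming is also inconsistent (`register dhparam file` vs `Generate Diffie-Hellman parameter file`). The task list continues outside the hunk.
```yaml
- name: Generate Diffie-Hellman parameter file
  command: "/usr/bin/openssl dhparam -out {{ dhparam_file | quote }} {{ dhparam_size | quote }}"
  args:
    creates: "{{ dhparam_file }}"
  async: 3600
  poll: 60
# … unchanged: Open ports in iptables task …
```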
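Review bot: `ssl_dhparam {{ dhparam_file }};` makes the rendered TLS config depend on a file produced by a long-running async task elsewhere in the role, so if that task fails, times out or is skipped while the template still renders, the error surfaces only when the `nginx_reload` handler runs `nginx -t` and cannot open the path, not at template time. The generation task appears to be inserted after a task that notifies `nginx_reload` (presumably the template task), so the config is valid only because handlers run at the end of the play; ordering the generation task before the template task would make the dependency explicit. The previously referenced `/etc/nginx/cert/dhparam.pem` is no longer used but nothing in the diff removes it, which is worth a note in the role's changelog or a cleanup task.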