make hsts static; make iptables optional; remove some vars

This commit is contained in:
Robert Kaussow 2018-08-14 22:02:35 +02:00
parent 34a7a16675
commit f37bac37d0
4 changed files with 2 additions and 23 deletions


@ -42,6 +42,7 @@ nginx_gzip_types:
- text/css
- application/xml
nginx_iptables_enabled: False
nginx_open_ports:
- 80
- 443
@ -56,11 +57,6 @@ nginx_tls_source_use_files: True
nginx_tls_cert_source: mycert.pem
nginx_tls_key_source: mykey.pem
nginx_pfs_enabled: False
nginx_dhparam_size: 4069
nginx_dhparam_file: "{{ nginx_tls_certs_dir }}/dhparam-{{ nginx_dhparam_size }}.pem"
nginx_hsts_enabled: False
nginx_hsts_options:
- nginx_hsts_max_age=63072000
- includeSubDomains
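Review bot: The defaults removed in the second hunk appear to include `nginx_hsts_options` (the header reads 11 old lines to 6 new, so which five lines went is inferred), yet the header template in this commit still renders `add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "..."{% endif %};`, which becomes `add_header Strict-Transport-Security;` when the variable is undefined; nginx rejects that directive for an invalid number of arguments, so a default install would fail `nginx -t`. Either keep a default such as `nginx_hsts_options: ['max-age=63072000', 'includeSubDomains']` or let the template emit a fixed value. Whatever replaces the old default should use the real token `max-age`; the dropped `nginx_hsts_max_age=63072000` entry was not a valid HSTS directive. The added `nginx_iptables_enabled: False` follows the file's existing `True`/`False` convention, though lowercase `true`/`false` is the portable YAML form.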


@ -81,6 +81,7 @@
name: allow_nginx_ports
state: present
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
when: nginx_iptables_enabled
become: True
become_user: root
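Review bot: The new `when: nginx_iptables_enabled` only skips the task, so a host where the `allow_nginx_ports` rule was applied earlier keeps it after the flag returns to its default `False`; `state: present` is never reverted. If the flag is meant to fully own the rule, replace the guard with `state: "{{ 'present' if nginx_iptables_enabled else 'absent' }}"` and drop the `when` line. The task name and module line sit above the hunk, so a separate cleanup task elsewhere in the file cannot be ruled out from here.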


@ -35,19 +35,3 @@
when: nginx_tls_source_use_files
become: True
become_user: root
- block:
- name: Register dhparam file
stat:
path: "{{ nginx_dhparam_file }}"
register: __nginx_dh_file
- name: Generate Diffie-Hellman parameter file
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
async: 3600
poll: 60
when: not __nginx_dh_file.stat.exists
notify: __nginx_reload
become: True
become_user: root
when: nginx_pfs_enabled


@ -1,8 +1,6 @@
# {{ ansible_managed }}
# default header settings
{% if nginx_tls_enabled and nginx_hsts_enabled %}
add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
{% endif %}
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
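Review bot: The Strict-Transport-Security header is now emitted even when `nginx_tls_enabled` is false, because the removed `{% if nginx_tls_enabled and nginx_hsts_enabled %}` guard carried the TLS condition together with the HSTS flag. Browsers ignore HSTS received over plain HTTP (RFC 6797), so this is not exploitable, but an HTTP-only deployment now sends a misleading header and the fact that HSTS is inert there is hidden. Keeping `{% if nginx_tls_enabled %}` / `{% endif %}` around the `add_header Strict-Transport-Security` line while dropping only the HSTS flag preserves the "static" intent of the commit. The hunk covers the whole header template, so no surrounding context is missing.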