make hsts static; make iptables optional; remove some vars
parent
34a7a16675
commit
f37bac37d0
@ -42,6 +42,7 @@ nginx_gzip_types:
|
||||
- text/css
|
||||
- application/xml
|
||||
|
||||
nginx_iptables_enabled: False
|
||||
nginx_open_ports:
|
||||
- 80
|
||||
- 443
|
||||
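Review bot: `nginx_iptables_enabled: False` defaults the new switch to off, so a host that relies on this role for its firewall gets no ACCEPT rule for `nginx_open_ports` unless the operator explicitly opts in; that is a reasonable default but it deserves a comment, e.g. `# true: the role appends an iptables INPUT ACCEPT rule for nginx_open_ports; false: assumes the host firewall is managed elsewhere`. As a point of style, Ansible convention and yamllint's truthy rule prefer lowercase `false` over `False`. Which of the seven lines is the addition is not marked on this page; I am taking it to be the `nginx_iptables_enabled` line from the commit title.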
@ -56,11 +57,6 @@ nginx_tls_source_use_files: True
|
||||
nginx_tls_cert_source: mycert.pem
|
||||
nginx_tls_key_source: mykey.pem
|
||||
|
||||
nginx_pfs_enabled: False
|
||||
nginx_dhparam_size: 4069
|
||||
nginx_dhparam_file: "{{ nginx_tls_certs_dir }}/dhparam-{{ nginx_dhparam_size }}.pem"
|
||||
|
||||
nginx_hsts_enabled: False
|
||||
nginx_hsts_options:
|
||||
- nginx_hsts_max_age=63072000
|
||||
- includeSubDomains
|
||||
|
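Review bot: If `nginx_hsts_options` survives this commit, its first entry `nginx_hsts_max_age=63072000` is not a valid Strict-Transport-Security directive; browsers require a literal `max-age=` and ignore the whole header without it, so the entry should read `- max-age=63072000` (the template line shown in this commit joins the entries verbatim into the header value). Which five of the eleven lines are removed is not marked on this page, so this may already be history. Separately, `nginx_dhparam_size: 4069` looks like a typo for `4096`; openssl will happily generate a 4069-bit group, but it is an unusual size, and since the DH generation task is deleted elsewhere in this commit it is worth checking whether the dhparam defaults are still referenced by any template at all.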
@ -81,6 +81,7 @@
|
||||
name: allow_nginx_ports
|
||||
state: present
|
||||
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
|
||||
when: nginx_iptables_enabled
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
|
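Review bot: The new `when: nginx_iptables_enabled` guard should coerce its value, as `when: nginx_iptables_enabled | bool`; a string such as `"false"` supplied from inventory or `-e` is otherwise truthy and the ACCEPT rule is silently added. Note also that with `state: present` the rule is only ever added: flipping the variable back to false on a host that already ran the role leaves the `-A INPUT ... ACCEPT` entry in place, which is acceptable if documented but surprising otherwise. The task's module and `name` lines start above this hunk, so I cannot see which iptables module consumes `rules` or how it orders the appended rule relative to an existing DROP.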
@ -35,19 +35,3 @@
|
||||
when: nginx_tls_source_use_files
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
- block:
|
||||
- name: Register dhparam file
|
||||
stat:
|
||||
path: "{{ nginx_dhparam_file }}"
|
||||
register: __nginx_dh_file
|
||||
|
||||
- name: Generate Diffie-Hellman parameter file
|
||||
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
|
||||
async: 3600
|
||||
poll: 60
|
||||
when: not __nginx_dh_file.stat.exists
|
||||
notify: __nginx_reload
|
||||
become: True
|
||||
become_user: root
|
||||
when: nginx_pfs_enabled
|
||||
|
@ -1,8 +1,6 @@
|
||||
# {{ ansible_managed }}
|
||||
# default header settings
|
||||
{% if nginx_tls_enabled and nginx_hsts_enabled %}
|
||||
add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
|
||||
{% endif %}
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
|
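Review bot: None of the `add_header` lines here survive into a `server` or `location` block that declares its own `add_header`, because nginx inherits add_header from the enclosing level only when the current level sets none, so a single `add_header` in a location silently drops HSTS, X-Frame-Options and the rest. Add a comment at the top of this snippet, e.g. `# nginx add_header is not additive: any server/location block that sets its own add_header discards every header below -- include this file there too`. If the HSTS line is now emitted unconditionally (the `{% if %}` guard shown may be the removed side; the page does not mark sides), make sure this snippet is included only from the TLS server block, since browsers ignore Strict-Transport-Security received over plain HTTP and an `includeSubDomains` header from an HTTP-only vhost is just noise. `X-XSS-Protection "1; mode=block"` is also deprecated: current browsers ignore it and the filter it enabled had its own side-channel problems, so `X-XSS-Protection 0` (or dropping the line) is the present recommendation.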