From 6bc64e4e9c354775b0fb24b109620e5a5e72e5ad 2017-02-11 21:31:03
From: Branko Majic
Date: 2017-02-11 21:31:03
Subject: [PATCH] MAR-90: Added configuration options for the web_server role for specyfing TLS versions and ciphers to support on the server.
---
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 331a8057ab6e325457065ddec285319467be0bda..849428221239c2ec198c043236eabfb2a4e9048a 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1167,7 +1167,7 @@ The role implements the following:
 * Installs and configures nginx with a single, default vhost with a small static index page.
 * Deploys the HTTPS TLS private key and certificate (for default vhost).
-* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers.
+* Configures TLS versions and ciphers supported by Nginx.
 * Configures firewall to allow incoming connections to the web server.
 * Installs and configures virtualenv and virtualenvwrapper as a common base for Python apps.
@@ -1206,6 +1206,16 @@ Parameters
 Message for the default web page shown to users (if no other vhosts were matched).
+**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``) List of TLS protocols the web server should support. Each value specified should be compatible with Nginx configuration option ``ssl_protocols``.
+**web_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT``) TLS ciphers to enable on the web server. This should be an OpenSSL-compatible cipher specification. Value should be compatible with Nginx configuration option ``ssl_ciphers``. Default value allows only TLSv1.2 and strong PFS ciphers.
 Examples
 ~~~~~~~~
diff --git a/roles/web_server/defaults/main.yml b/roles/web_server/defaults/main.yml
index 88ca28d2bc354b97d9c4e2e322cf9f37fafb8ca4..d843b16c4dee4753301218ea70c4cbce7f51419b 100644
--- a/roles/web_server/defaults/main.yml
+++ b/roles/web_server/defaults/main.yml
@@ -5,3 +5,6 @@ default_https_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + an
 default_https_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_https.key') }}"
 web_default_title: "Welcome"
 web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
+web_server_tls_protocols:
+ - "TLSv1.2"
+web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT"
diff --git a/roles/web_server/files/tls.conf b/roles/web_server/files/tls.conf
deleted file mode 100644
index 1612fdbd247cdcc027f6ad4831ef629b68239f06..0000000000000000000000000000000000000000
--- a/roles/web_server/files/tls.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-ssl_protocols TLSv1.2;
-ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT;
\ No newline at end of file
diff --git a/roles/web_server/tasks/main.yml b/roles/web_server/tasks/main.yml
index b20141e2e77fc331af3243d1f8d3b9f60c2d8e39..d2b9a617373b7e7289079bf2e7b2cc4ff0b57357 100644
--- a/roles/web_server/tasks/main.yml
+++ b/roles/web_server/tasks/main.yml
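Review bot: The default `web_server_tls_ciphers` leads with four DHE-RSA suites, yet nothing in this commit configures nginx's `ssl_dhparam`; per the nginx documentation, from 1.11.0 DHE suites are simply not used when no parameters are set, and older releases fall back to nginx's built-in parameters, so unless the role sets `ssl_dhparam` elsewhere (not visible here) the DHE entries are either inert or negotiate with built-in DH rather than operator-chosen parameters. Either deploy a generated DH parameter file together with this change, or record the dependency next to the default, e.g. `# DHE-* suites only take effect when nginx has ssl_dhparam configured`. The trailing `!aNULL:!MD5:!EXPORT` exclusions are harmless but redundant against an explicit positive suite list, which is worth a one-line comment so nobody later assumes they are what keeps weak suites out.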
@@ -26,8 +26,8 @@
 - Restart nginx
 - name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
- copy: dest="/etc/nginx/conf.d/tls.conf" src="tls.conf"
- owner="root" group="root" mode=644
+ template: dest="/etc/nginx/conf.d/tls.conf" src="tls.conf.j2"
+ owner="root" group="root" mode=644
 notify:
 - Restart nginx
diff --git a/roles/web_server/templates/tls.conf.j2 b/roles/web_server/templates/tls.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d92b7cb79a962c951818f27746deae2d6b1fea17
--- /dev/null
+++ b/roles/web_server/templates/tls.conf.j2
@@ -0,0 +1,2 @@
+ssl_protocols {{ web_server_tls_protocols | join(",") }};
+ssl_ciphers {{ web_server_tls_ciphers }};
\ No newline at end of file
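Review bot: The task name `Harden TLS by allowing only TLSv1.2 and PFS ciphers` is now stale, because what gets deployed is whatever `web_server_tls_protocols` and `web_server_tls_ciphers` say rather than a fixed TLSv1.2/PFS policy; rename it so play output does not claim a hardening that an operator may have overridden, e.g. `- name: Configure TLS protocols and ciphers for nginx`. The surrounding task list begins and continues outside the hunk.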
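Review bot: `join(",")` on the first template line renders a comma-separated value, but nginx's `ssl_protocols` directive takes space-separated protocol names, so any list with more than one entry (the case the new variable exists for) produces something like `ssl_protocols TLSv1.1,TLSv1.2;` (constructed example) and nginx rejects the configuration when the handler reloads it; change it to `ssl_protocols {{ web_server_tls_protocols | join(" ") }};`. The single-entry default masks this, so a second protocol in the list is the test that exposes it. Separately, the template sets no `ssl_prefer_server_ciphers on;`, so the order of `web_server_tls_ciphers` is advisory and the client's preference decides; adding that directive is what makes the configured ordering meaningful. The new file also lacks a trailing newline.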