Changeset - 6bc64e4e9c35
[Not reviewed]
1 3 1
Branko Majic (branko) - 7 years ago 2017-02-11 21:31:03
branko@majic.rs
MAR-90: Added configuration options for the web_server role for specifying TLS versions and ciphers to support on the server.
5 files changed with 18 insertions and 5 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -1167,7 +1167,7 @@ The role implements the following:
 
* Installs and configures nginx with a single, default vhost with a small static
 
  index page.
 
* Deploys the HTTPS TLS private key and certificate (for default vhost).
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers.
 
* Configures TLS versions and ciphers supported by Nginx.
 
* Configures firewall to allow incoming connections to the web server.
 
* Installs and configures virtualenv and virtualenvwrapper as a common base for
 
  Python apps.
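Review bot: the replacement bullet "Configures TLS versions and ciphers supported by Nginx." drops the statement that the role hardens TLS out of the box, even though the shipped defaults still restrict nginx to TLSv1.2 and PFS-only ciphers. Keep that guarantee visible in the feature list, e.g. "Configures TLS versions and ciphers supported by Nginx (by default only TLSv1.2 and PFS ciphers are enabled)."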
 
@@ -1206,6 +1206,16 @@ Parameters
 
  Message for the default web page shown to users (if no other vhosts were
 
  matched).
 

	
 
**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)
 
  List of TLS protocols the web server should support. Each value specified
 
  should be compatible with Nginx configuration option ``ssl_protocols``.
 

	
 
**web_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the web server. This should be an OpenSSL-compatible
 
  cipher specification. Value should be compatible with Nginx configuration
 
  option ``ssl_ciphers``. Default value allows only TLSv1.2 and strong PFS
 
  ciphers.
 

	
 

	
 
Examples
 
~~~~~~~~
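Review bot: the web_server_tls_ciphers description claims the default "allows only TLSv1.2 and strong PFS ciphers", but an OpenSSL cipher string does not select the protocol version; the TLSv1.2 restriction comes from web_server_tls_protocols (rendered as ssl_protocols), not from ssl_ciphers. Reword to something like "Default value allows only PFS (DHE/ECDHE) ciphers; the protocol versions are controlled by web_server_tls_protocols." Also, the signature line is missing a comma after "optional" ("(string, optional, ``...``)"), unlike the web_server_tls_protocols entry just above it.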
roles/web_server/defaults/main.yml
 
@@ -5,3 +5,6 @@ default_https_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + an
 
default_https_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_https.key') }}"
 
web_default_title: "Welcome"
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 
web_server_tls_protocols:
 
  - "TLSv1.2"
 
web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT"
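Review bot: the default cipher string is now duplicated verbatim here and in docs/rolereference.rst, so every future change has to be made in two places; consider documenting the default by reference to the role defaults or otherwise keeping a single source. Separately, since roles/web_server/files/tls.conf is deleted in this changeset and the replacement template emits only ssl_protocols and ssl_ciphers, please confirm the old static tls.conf carried no other directives (for example ssl_prefer_server_ciphers) that would be silently dropped.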
roles/web_server/files/tls.conf
 
deleted file
roles/web_server/tasks/main.yml
 
@@ -26,8 +26,8 @@
 
    - Restart nginx
 

	
 
- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
 
  copy: dest="/etc/nginx/conf.d/tls.conf" src="tls.conf"
 
        owner="root" group="root" mode=644
 
  template: dest="/etc/nginx/conf.d/tls.conf" src="tls.conf.j2"
 
            owner="root" group="root" mode=644
 
  notify:
 
    - Restart nginx
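Review bot: the task name "Harden TLS by allowing only TLSv1.2 and PFS ciphers" is now stale, since the template renders whatever web_server_tls_protocols and web_server_tls_ciphers contain rather than a fixed hardened policy; rename it along the lines of "Configure TLS protocols and ciphers for nginx". Minor: mode=644 relies on Ansible interpreting the bare value as octal; writing mode=0644, as the Ansible documentation recommends, removes the ambiguity.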
 

	
roles/web_server/templates/tls.conf.j2
 
new file 100644
 
ssl_protocols {{ web_server_tls_protocols | join(",") }};
 
ssl_ciphers {{ web_server_tls_ciphers }};
 
\ No newline at end of file
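Review bot: nginx's ssl_protocols directive takes a space-separated list (ssl_protocols TLSv1.1 TLSv1.2;), so `{{ web_server_tls_protocols | join(",") }}` renders "ssl_protocols TLSv1.1,TLSv1.2;" as soon as more than one protocol is configured, which nginx rejects as an invalid value on config test or reload. The single-entry default hides the bug; use join(" ") instead. Also, the template has no trailing newline ("\ No newline at end of file"), so the rendered conf.d/tls.conf will end mid-line; add one.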