Files @ 7e21feb6e4ee

Location: majic-ansible-roles/roles/web_server/defaults/main.yml

branko
MAR-230: Add support for TLSv1.3 to the web_server role and drop TLSv1.1 from tests:

- Update the role defaults, make sure to include additional ciphers
for TLSv1.3.
- Document the specifics of TLSv1.3 cipher configuration.
- Update tests, dropping the hack/workaround that allows use of weaker
TLS protocols.
---

# Environment indicator setting; null by default. How a non-null value is
# used is decided by the role's tasks and templates, which are not part of
# this file.
environment_indicator: null

# Title and message for the fallback page. Going by the message text, this
# is what a client sees when it reaches the server under an unexpected host
# name or by IP address -- confirm against the role's templates.
web_default_title: "Welcome"
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
# TLS protocol versions enabled by default. Only TLSv1.2 and TLSv1.3 are
# listed, so TLSv1.1 and older stay off unless an inventory overrides this
# variable. Treat any such override as a reviewed exception: TLSv1.0 and
# TLSv1.1 are formally deprecated (RFC 8996).
web_server_tls_protocols:
  - "TLSv1.2"
  - "TLSv1.3"

# Default cipher list, written as one double-quoted scalar. Each trailing
# backslash escapes the line break, so the value is a single colon-separated
# string with no embedded whitespace or newlines.
#
# TLSv1.2 entries: every suite uses ephemeral (EC)DHE key exchange with an
# AEAD cipher (AES-GCM or CHACHA20-POLY1305), so all of them provide forward
# secrecy and none is a CBC or RC4 suite. Points to check when overriding:
#   - All TLSv1.2 suites are "-RSA" (RSA-authenticated). A server using an
#     ECDSA certificate has no matching TLSv1.2 suite in this list.
#   - The strength of the DHE-RSA-* suites depends on the Diffie-Hellman
#     parameters the server is configured with; that is not set here.
#   - "!aNULL:!MD5:!EXPORT" excludes nothing from the explicit list above
#     (no listed suite is anonymous, MD5-based or export-grade). It acts as
#     a guard in case a broad keyword is added to the list later.
#
# TLS_* ciphers are mandated by the TLSv1.3-related standards and
# cannot be disabled when TLSv1.3 is enabled on the server.
# NOTE(review): OpenSSL configures TLSv1.3 suites separately from the
# TLSv1.2 cipher list, so the TLS_* names below may only document or verify
# what the server offers rather than select it -- confirm against the
# template and tests that consume this variable.
web_server_tls_ciphers: "\
DHE-RSA-AES128-GCM-SHA256:\
DHE-RSA-AES256-GCM-SHA384:\
DHE-RSA-CHACHA20-POLY1305:\
ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-CHACHA20-POLY1305:\
TLS_AES_128_GCM_SHA256:\
TLS_AES_256_GCM_SHA384:\
TLS_CHACHA20_POLY1305_SHA256:\
!aNULL:!MD5:!EXPORT"

# Internal parameters
#
# The *_per_release maps are keyed by distribution release codename. Only
# "bookworm" has an entry, and both values are pinned to PHP 8.2.
php_fpm_service_name_per_release:
  bookworm: "php8.2-fpm"

php_base_config_dir_per_release:
  bookworm: "/etc/php/8.2"

# Name of the PHP-FPM package; unlike the service name and configuration
# directory, it carries no PHP version.
php_fpm_package_name: "php-fpm"
# Resolved per host by indexing the maps above with
# ansible_distribution_release. A host on a release without an entry has
# nothing to resolve to, so these lookups are expected to fail with an
# undefined-value error -- add map entries before targeting a new release.
php_fpm_service_name: "{{ php_fpm_service_name_per_release[ansible_distribution_release] }}"
php_base_config_dir: "{{ php_base_config_dir_per_release[ansible_distribution_release] }}"