
Commit 468e467

author
rndmh3ro
committed
debian 9's nginx doesnt support tls1.3
While this could be solved better by checking which nginx version is in use, Debian 9 reaches end of life in 4 months. If there is again a need to check nginx versions, we will add it then. Signed-off-by: rndmh3ro <github@gumpri.ch>
1 parent e0e76fa commit 468e467


10 files changed

+37
-2
lines changed


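--- a/roles/nginx_hardening/defaults/main.yml
+++ b/roles/nginx_hardening/defaults/main.yml
@@ -23,7 +23,6 @@ nginx_add_header:
 
 nginx_set_cookie_flag: "* HttpOnly secure"
 nginx_ssl_prefer_server_ciphers: "on"
-nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
 nginx_ssl_ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 nginx_ssl_session_tickets: "off"
 nginx_dh_size: "4096"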

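--- a/roles/nginx_hardening/tasks/main.yml
+++ b/roles/nginx_hardening/tasks/main.yml
@@ -1,4 +1,27 @@
 ---
+- name: Fetch OS dependent variables
+include_vars:
+file: '{{ item }}'
+name: 'os_vars'
+with_first_found:
+- files:
+- '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+- '{{ ansible_facts.distribution }}.yml'
+- '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+- '{{ ansible_facts.os_family }}.yml'
+skip: true
+tags: always
+
+# we only override variables with our default, if they have not been specified already
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact matches
+- name: Set OS dependent variables, if not already defined by user # noqa var-naming
+set_fact:
+'{{ item.key }}': '{{ item.value }}'
+when: "not lookup('varnames', '^' + item.key + '$')"
+with_dict: '{{ os_vars }}'
+tags: always
+
 - name: Create additional configuration
 template:
 src: "hardening.conf.j2"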
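Review bot: The second added task iterates `with_dict: '{{ os_vars }}'`, but `os_vars` is only set when `with_first_found` matches a file, and `skip: true` lets the first task be skipped silently; on a distribution with none of the four candidate files the play aborts on an undefined variable at the `set_fact` task. Writing `with_dict: '{{ os_vars | default({}) }}'` makes that task a no-op instead, and since this commit also drops the `nginx_ssl_protocols` default from defaults/main.yml, such a host would presumably still fail later in the template with an undefined `nginx_ssl_protocols` — a loud failure, which is preferable to silently rendering an unreviewed protocol set. The `when` expression also interpolates `item.key` into a regex without escaping; that is fine for the fixed variable names in the role's own vars files, but a short comment such as `# item.key comes from the role's vars files, so no regex escaping is needed` would record the assumption. Indentation of the YAML lines is not visible on this rendered page, so the nesting of `files:`/`skip:` under `with_first_found` could not be checked here.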
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
---
2+
nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
---
2+
nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
---
2+
nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
---
2+
nginx_ssl_protocols: "TLSv1.2"
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
---
2+
nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
---
2+
nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
---
2+
nginx_ssl_protocols: "TLSv1.2 TLSv1.3"

roles/nginx_hardening/vars/main.yml

Lines changed: 0 additions & 1 deletion
This file was deleted.
