Merge pull request #526 from dev-sec/nginx_debian_9_tls

schurzi · web-flow · commit 9be3a0520bdd · 2022-02-21T11:49:34.000+01:00
debian 9's nginx doesn't support tls1.3
diff --git a/roles/nginx_hardening/defaults/main.yml b/roles/nginx_hardening/defaults/main.yml
@@ -23,7 +23,6 @@ nginx_add_header:
 
 nginx_set_cookie_flag: "* HttpOnly secure"
 nginx_ssl_prefer_server_ciphers: "on"
-nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
 nginx_ssl_ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 nginx_ssl_session_tickets: "off"
 nginx_dh_size: "4096"
diff --git a/roles/nginx_hardening/tasks/main.yml b/roles/nginx_hardening/tasks/main.yml
@@ -1,4 +1,27 @@
 ---
+- name: Fetch OS dependent variables
+  include_vars:
+    file: '{{ item }}'
+    name: 'os_vars'
+  with_first_found:
+    - files:
+        - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.distribution }}.yml'
+        - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}.yml'
+      skip: true
+  tags: always
+
+# we only override variables with our default, if they have not been specified already
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact matches
+- name: Set OS dependent variables, if not already defined by user  # noqa var-naming
+  set_fact:
+    '{{ item.key }}': '{{ item.value }}'
+  when: "not lookup('varnames', '^' + item.key + '$')"
+  with_dict: '{{ os_vars }}'
+  tags: always
+
 - name: Create additional configuration
   template:
     src: "hardening.conf.j2"
diff --git a/roles/nginx_hardening/vars/Amazon.yml b/roles/nginx_hardening/vars/Amazon.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Archlinux.yml b/roles/nginx_hardening/vars/Archlinux.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Debian.yml b/roles/nginx_hardening/vars/Debian.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Debian_9.yml b/roles/nginx_hardening/vars/Debian_9.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2"
diff --git a/roles/nginx_hardening/vars/Fedora.yml b/roles/nginx_hardening/vars/Fedora.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/RedHat.yml b/roles/nginx_hardening/vars/RedHat.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Suse.yml b/roles/nginx_hardening/vars/Suse.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/main.yml b/roles/nginx_hardening/vars/main.yml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+---`
	`2`	`+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+---`
	`2`	`+nginx_ssl_protocols: "TLSv1.2"`