Add more nginx configuration, specifically with regard to TLS

This commit is contained in:
Salt 2021-09-18 07:43:45 -05:00
parent 6382a81f47
commit 7cc869be5b
2 changed files with 10 additions and 0 deletions

View File

@ -22,10 +22,14 @@ ingress_container_certbot_email: rehashedsalt@cock.li
# General Nginx configuration
ingress_listen_args: "443 ssl"
ingress_resolver: 8.8.8.8
# This non-obvious setting controls whether directives for certificates will be added to hosts
# Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using
# a custom container that *doesn't* automatically-provision LE certs
ingress_listen_tls: yes
ingress_tls_protocols: TLSv1.2 TLSv1.3
ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ingress_tls_prefer_server_ciphers: "off"
# Vhost configuration
# ingress_servers:

View File

@ -13,6 +13,11 @@ server {
ssl_certificate_key /etc/letsencrypt/live/{{ ingress_servers[0].name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/chain.pem;
ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols {{ ingress_tls_protocols }};
ssl_ciphers {{ ingress_tls_ciphers }};
ssl_prefer_server_ciphers {{ ingress_tls_prefer_server_ciphers }};
{% endif %}
{% if server.directives is defined %}
@ -49,5 +54,6 @@ server {
{% endfor %}
{% endif %}
resolver {{ ingress_resolver }};
}
{% endfor %}