salt/ansible
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: salt:6382a81f477c12fe28169bdf90d85e36ca085668
Branches Tags
salt:master
salt:kopia
salt:cleanup
salt:rewrite
...
compare: salt:542d779be2bf074cddb4ee55050f7b023acc8582
Branches Tags
salt:master
salt:kopia
salt:cleanup
salt:rewrite

3 Commits
6382a81f47 ... 542d779be2

Author SHA1 Message Date
Salt
542d779be2 Add http2 to default listen args 2021-09-18 07:47:10 -05:00
Salt
a55ea64d4a Remove erroneous ssl in listen_args 2021-09-18 07:46:00 -05:00
Salt
7cc869be5b Add more nginx configuration, specifically with regard to TLS 2021-09-18 07:43:45 -05:00
2 changed files with 12 additions and 2 deletions
Show Stats Expand all files Collapse all files

6
roles/ingress/defaults/main.yml
View File

@ -21,11 +21,15 @@ ingress_container_networks:
ingress_container_certbot_email: rehashedsalt@cock.li ingress_container_certbot_email: rehashedsalt@cock.li
# General Nginx configuration # General Nginx configuration
ingress_listen_args: "443 ssl" ingress_listen_args: "443 http2 ssl"
ingress_resolver: 8.8.8.8
# This non-obvious setting controls whether directives for certificates will be added to hosts # This non-obvious setting controls whether directives for certificates will be added to hosts
# Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using # Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using
# a custom container that *doesn't* automatically-provision LE certs # a custom container that *doesn't* automatically-provision LE certs
ingress_listen_tls: yes ingress_listen_tls: yes
ingress_tls_protocols: TLSv1.2 TLSv1.3
ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ingress_tls_prefer_server_ciphers: "off"
# Vhost configuration # Vhost configuration
# ingress_servers: # ingress_servers:

8
roles/ingress/templates/vhosts.conf.j2
View File

@ -3,7 +3,7 @@ server {
{% if loop.index == 1 %} {% if loop.index == 1 %}
listen {{ ingress_listen_args }} default_server; listen {{ ingress_listen_args }} default_server;
{% else %} {% else %}
listen {{ ingress_listen_args }} ssl; listen {{ ingress_listen_args }};
{% endif %} {% endif %}
server_name {{ server.name }}; server_name {{ server.name }};
@ -13,6 +13,11 @@ server {
ssl_certificate_key /etc/letsencrypt/live/{{ ingress_servers[0].name }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ ingress_servers[0].name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/chain.pem; ssl_trusted_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/chain.pem;
ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem; ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols {{ ingress_tls_protocols }};
ssl_ciphers {{ ingress_tls_ciphers }};
ssl_prefer_server_ciphers {{ ingress_tls_prefer_server_ciphers }};
{% endif %} {% endif %}
{% if server.directives is defined %} {% if server.directives is defined %}
@ -49,5 +54,6 @@ server {
{% endfor %} {% endfor %}
{% endif %} {% endif %}
resolver {{ ingress_resolver }};
} }
{% endfor %} {% endfor %}