class nginx::ssl( $session_timeout = '5m' ) { include ssl include ssl::snakeoil class { 'certbot': pre_hook => '/usr/sbin/service nginx stop', post_hook => '/usr/sbin/service nginx start', } # See https://weakdh.org/ ssl::dhparams { 'nginx-2048': notify => Service['nginx'], } nginx::config { # SSL 'ssl_session_timeout': value => "ssl_session_timeout ${session_timeout};"; 'ssl_protocols': value => 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'; 'ssl_ciphers': value => 'ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;'; 'ssl_dhparam': value => 'ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;'; } # Already in default config nginx::config { 'ssl_prefer_server_ciphers': value => 'ssl_prefer_server_ciphers on;', ensure => absent, } }