class nginx::ssl( $session_timeout = '5m' ) { include ssl include ssl::snakeoil class { 'certbot': #pre_hook => '/usr/sbin/service nginx stop', #post_hook => '/usr/sbin/service nginx start', post_command => '/usr/sbin/service nginx restart', } #package { 'python-certbot-nginx': # ensure: present, #} # See https://weakdh.org/ ssl::dhparams { 'nginx-2048': notify => Service['nginx'], } nginx::config { # SSL 'ssl_session_timeout': value => "ssl_session_timeout ${session_timeout};"; 'ssl_protocols': value => 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'; #'ssl_ciphers': value => 'ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;'; # See https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites 'ssl_ciphers': value => 'ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;'; 'ssl_dhparam': value => 'ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;'; } # Already in default config nginx::config { 'ssl_prefer_server_ciphers': value => 'ssl_prefer_server_ciphers on;', ensure => absent, } }