blob: 68b89d22e657072fb65311ca13e73cef5f01774f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
class nginx::ssl(
$session_timeout = '5m'
) {
include ssl
include ssl::snakeoil
class { 'certbot':
#pre_hook => '/usr/sbin/service nginx stop',
#post_hook => '/usr/sbin/service nginx start',
post_command => '/usr/sbin/service nginx restart',
}
#package { 'python-certbot-nginx':
# ensure: present,
#}
# See https://weakdh.org/
ssl::dhparams { 'nginx-2048':
notify => Service['nginx'],
}
nginx::config {
# SSL
'ssl_session_timeout': value => "ssl_session_timeout ${session_timeout};";
'ssl_protocols': value => 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
#'ssl_ciphers': value => 'ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;';
# See https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites
'ssl_ciphers': value => 'ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;';
'ssl_dhparam': value => 'ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;';
}
# Already in default config
nginx::config { 'ssl_prefer_server_ciphers':
value => 'ssl_prefer_server_ciphers on;',
ensure => absent,
}
}
|