# Package and service management.
nginx_package_name: 'nginx-full'
nginx_service_state: 'started'
nginx_service_enabled: true
# Presumably decides whether the packaged default site is left in place;
# confirm against the role's tasks, which are not part of this file.
nginx_keep_default_site: false
nginx_extra_config_path: '/etc/nginx/include-config'

# Process-level settings. Values are kept as strings where nginx expects a
# keyword such as "auto" or "off".
nginx_user: 'www-data'
nginx_worker_processes: 'auto'
nginx_worker_cpu_affinity: 'auto'
nginx_pid_file: '/run/nginx.pid'
nginx_worker_connections: 1024
# Quoted so that YAML 1.1 loaders keep the word "off" instead of reading a
# boolean.
nginx_multi_accept: 'off'
# Basic settings
# The on/off values are quoted so that YAML 1.1 loaders keep them as strings
# rather than converting them to booleans.
nginx_sendfile: 'on'
nginx_tcp_nopush: 'on'
nginx_tcp_nodelay: 'on'
nginx_keepalive_timeout: '75'
nginx_types_hash_max_size: 2048
# Assuming this feeds the server_tokens directive: "off" keeps the nginx
# version out of the Server response header and out of error pages.
nginx_server_tokens: 'off'
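# generated 2025-12-01, Mozilla Guideline v5.7, nginx 1.27.3, OpenSSL 3.4.0, intermediate config, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.27.3&config=intermediate&openssl=3.4.0&ocsp=false&guideline=5.7
# When the generator output changes, update the values below and the
# "generated" line together so the stated provenance stays accurate.
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
nginx_ssl_ecdh_curve: 'X25519:prime256v1:secp384r1'
# Every suite listed is an AEAD cipher with ephemeral (ECDHE/DHE) key exchange.
# Keep the list on ONE line: a folded scalar joins wrapped lines with a space,
# which would break the colon-separated list.
nginx_ssl_ciphers: >-
  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
# "off" lets the client choose among the suites above. Re-evaluate this value
# if a weaker suite is ever added to the list.
nginx_ssl_prefer_server_ciphers: 'off'
nginx_ssl_session_timeout: '1d'
nginx_ssl_session_cache: 'shared:MozSSL:10m'  # about 40000 sessions
# https://ssl-config.mozilla.org/ffdhe2048.txt
# Fixed, published 2048-bit group parameters used by the DHE-RSA suites above.
# DH parameters are public values, not key material, so keeping them in the
# repository discloses nothing secret.
nginx_ssl_dhparam_path: '/etc/nginx/dhparam'
# Literal block scalar: line breaks and the final newline of the PEM text are
# preserved. The content must stay indented below the key.
nginx_ssl_dhparam: |
  -----BEGIN DH PARAMETERS-----
  MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
  +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
  87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
  YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
  7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
  ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
  -----END DH PARAMETERS-----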
# HSTS. max-age is expressed in seconds: 63072000 s = 730 days.
# NOTE(review): browsers remember the policy for the whole max-age, so every
# host that inherits this default must keep serving valid HTTPS for that
# long. Lower it per host where that is not guaranteed.
nginx_hsts: true
nginx_hsts_max_age: 63072000

# Error log path followed by the minimum severity ("warn").
nginx_error_log: '/var/log/nginx/error.log warn'
nginx_access_log: '/var/log/nginx/access.log'

# NOTE(review): compressing TLS responses that mix reflected request data
# with secrets (session or CSRF tokens) is the precondition for BREACH-style
# length side channels. Confirm that vhosts serving such responses limit the
# compressed content types or turn gzip off.
nginx_gzip: 'on'
### Vhost defaults
nginx_vh_enabled: true
# Both address families default to the wildcard address, so a vhost that does
# not override these listens on every interface of the host.
nginx_vh_listen_v4: true
nginx_vh_listen_v4_host: '0.0.0.0'
nginx_vh_listen_v6: true
nginx_vh_listen_v6_host: '::'
# Alternative certificate pair (self-signed "snakeoil" paths), left disabled:
# nginx_vh_ssl_certificate: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
# nginx_vh_ssl_certificate_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
# NOTE(review): the private key lives in the same directory as the
# certificate. How these files are deployed is not visible here; confirm that
# the key's owner and mode restrict it to the account that starts nginx.
nginx_vh_ssl_certificate: '/etc/ssl/certificates/as205079.net.crt'
nginx_vh_ssl_certificate_key: '/etc/ssl/certificates/as205079.net.key'