diff --git a/README.md b/README.md
index 832a9e2..de937f2 100644
--- a/README.md
+++ b/README.md
@@ -328,6 +328,10 @@ nginx_http_template:
 ssl:
 cert: /etc/ssl/certs/default.crt
 key: /etc/ssl/private/default.key
+ protocols: TLSv1 TLSv1.1 TLSv1.2
+ ciphers: HIGH:!aNULL:!MD5
+ session_cache: none
+ session_timeout: 5m
 web_server:
 locations:
 default:
@@ -362,6 +366,17 @@ nginx_http_template:
 backend:
 location: /
 proxy_pass: http://backend
+ proxy_ssl:
+ cert: /etc/ssl/certs/proxy_default.crt
+ key: /etc/ssl/private/proxy_default.key
+ trusted_cert: /etc/ssl/certs/proxy_ca.crt
+ server_name: false
+ name: server_name
+ protocols: TLSv1 TLSv1.1 TLSv1.2
+ ciphers: HIGH:!aNULL:!MD5
+ verify: false
+ verify_depth: 1
+ session_reuse: true
 proxy_cache: frontend_proxy_cache
 proxy_temp_path:
 path: /var/cache/nginx/proxy/backend/temp
@@ -434,6 +449,17 @@ nginx_stream_template:
 proxy_timeout: 3s
 proxy_connect_timeout: 1s
 proxy_protocol: false
+ proxy_ssl:
+ cert: /etc/ssl/certs/proxy_default.crt
+ key: /etc/ssl/private/proxy_default.key
+ trusted_cert: /etc/ssl/certs/proxy_ca.crt
+ server_name: false
+ name: server_name
+ protocols: TLSv1 TLSv1.1 TLSv1.2
+ ciphers: HIGH:!aNULL:!MD5
+ verify: false
+ verify_depth: 1
+ session_reuse: true
 health_check_plus: false
 upstreams:
 upstream1:
diff --git a/defaults/main.yml b/defaults/main.yml
index c065fab..6cf5aa1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -170,6 +170,10 @@ nginx_http_template:
 ssl:
 cert: /etc/ssl/certs/default.crt
 key: /etc/ssl/private/default.key
+ protocols: TLSv1 TLSv1.1 TLSv1.2
+ ciphers: HIGH:!aNULL:!MD5
+ session_cache: none
+ session_timeout: 5m
 web_server:
 locations:
 default:
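Review bot: `protocols: TLSv1 TLSv1.1 TLSv1.2` as the shipped default for the server-side `ssl` mapping enables TLS 1.0 and 1.1 on every TLS listener rendered from these defaults; both versions are deprecated and recent nginx releases no longer enable them by default, so the role's baseline ends up weaker than nginx's own. Either ship `protocols: TLSv1.2 TLSv1.3` (or just `TLSv1.2` if older builds must be supported) and let hosts opt into legacy versions explicitly, or leave `protocols` undefined so the template falls through to the compiled-in default. The same value is repeated in the two `proxy_ssl` blocks of this file (hunks @@ -204 and @@ -275) and in the README examples. The enclosing `nginx_http_template` mapping starts outside the hunk.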
@@ -204,6 +208,15 @@ nginx_http_template:
 backend:
 location: /
 proxy_pass: http://backend
+ proxy_ssl:
+ cert: /etc/ssl/certs/proxy_default.crt
+ key: /etc/ssl/private/proxy_default.key
+ trusted_cert: /etc/ssl/certs/proxy_ca.crt
+ protocols: TLSv1 TLSv1.1 TLSv1.2
+ ciphers: HIGH:!aNULL:!MD5
+ verify: false
+ verify_depth: 1
+ session_reuse: true
 proxy_cache: frontend_proxy_cache
 proxy_temp_path:
 path: /var/cache/nginx/proxy/backend/temp
@@ -275,6 +288,15 @@ nginx_stream_template:
 proxy_timeout: 3s
 proxy_connect_timeout: 1s
 proxy_protocol: false
+ proxy_ssl:
+ cert: /etc/ssl/certs/proxy_default.crt
+ key: /etc/ssl/private/proxy_default.key
+ trusted_cert: /etc/ssl/certs/proxy_ca.crt
+ protocols: TLSv1 TLSv1.1 TLSv1.2
+ ciphers: HIGH:!aNULL:!MD5
+ verify: false
+ verify_depth: 1
+ session_reuse: true
 health_check_plus: false
 upstreams:
 upstream1:
diff --git a/templates/http/default.conf.j2 b/templates/http/default.conf.j2
index 480efdd..7ec94a7 100644
--- a/templates/http/default.conf.j2
+++ b/templates/http/default.conf.j2
@@ -52,6 +52,18 @@ server {
 listen {{ item.value.port }} ssl;
 ssl_certificate {{ item.value.ssl.cert }};
 ssl_certificate_key {{ item.value.ssl.key }};
+{% if item.value.ssl.protocols is defined %}
+ ssl_protocols {{ item.value.ssl.protocols }};
+{% endif %}
+{% if item.value.ssl.ciphers is defined %}
+ ssl_ciphers {{ item.value.ssl.ciphers }};
+{% endif %}
+{% if item.value.ssl.session_cache is defined %}
+ ssl_session_cache {{ item.value.ssl.session_cache }};
+{% endif %}
+{% if item.value.ssl.session_timeout is defined %}
+ ssl_session_timeout {{ item.value.ssl.session_timeout }};
+{% endif %}
 {% else %}
 listen {{ item.value.port }};
 {% endif %}
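Review bot: `verify: false` next to `trusted_cert: /etc/ssl/certs/proxy_ca.crt` is a contradictory default: nginx only consults `proxy_ssl_trusted_certificate` when `proxy_ssl_verify` is on, so with these values the upstream certificate is never checked and the CA path is dead configuration that reads as if it were enforced. Either default `verify: true` whenever `trusted_cert` is set, or drop `trusted_cert` from the defaults so that an unauthenticated upstream connection is an explicit choice rather than an implied-verified one. The block in this hunk also sits under `proxy_pass: http://backend`; the http module only applies `proxy_ssl_*` directives to an `https://` upstream, so the example as written changes nothing at runtime. The stream defaults at @@ -275 carry the same `verify`/`trusted_cert` pairing, and the README example for the http block additionally documents `server_name` and `name` keys that this file does not ship. The enclosing `nginx_http_template` mapping starts outside the hunk.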
@@ -75,6 +87,39 @@ server {
 auth_basic_user_file {{ item.value.reverse_proxy.locations[location].auth_basic_file }};
 {% endif %}
 proxy_pass {{ item.value.reverse_proxy.locations[location].proxy_pass }};
+{% if item.value.reverse_proxy.locations[location].proxy_ssl is defined %}
+
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.cert is defined %}
+ proxy_ssl_certificate {{ item.value.reverse_proxy.locations[location].proxy_ssl.cert }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.key is defined %}
+ proxy_ssl_certificate_key {{ item.value.reverse_proxy.locations[location].proxy_ssl.key }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.trusted_cert is defined %}
+ proxy_ssl_trusted_certificate {{ item.value.reverse_proxy.locations[location].proxy_ssl.trusted_cert }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.server_name is defined %}
+ proxy_ssl_server_name {{ item.value.reverse_proxy.locations[location].proxy_ssl.server_name | ternary("on", "off") }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.name is defined %}
+ proxy_ssl_name {{ item.value.reverse_proxy.locations[location].proxy_ssl.name }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.protocols is defined %}
+ proxy_ssl_protocols {{ item.value.reverse_proxy.locations[location].proxy_ssl.protocols }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.ciphers is defined %}
+ proxy_ssl_ciphers {{ item.value.reverse_proxy.locations[location].proxy_ssl.ciphers }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.verify is defined %}
+ proxy_ssl_verify {{ item.value.reverse_proxy.locations[location].proxy_ssl.verify | ternary("on", "off") }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.verify_depth is defined %}
+ proxy_ssl_verify_depth {{ item.value.reverse_proxy.locations[location].proxy_ssl.verify_depth }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.session_reuse is defined %}
+ proxy_ssl_session_reuse {{ item.value.reverse_proxy.locations[location].proxy_ssl.session_reuse | ternary("on", "off") }};
+{% endif %}
+{% endif %}
 {% if item.value.reverse_proxy.locations[location].proxy_redirect is defined %}
 proxy_redirect {{ item.value.reverse_proxy.locations[location].proxy_redirect | ternary(item.value.reverse_proxy.locations[location].proxy_redirect, "off") }};
 {% endif %}
diff --git a/templates/stream/default.conf.j2 b/templates/stream/default.conf.j2
index 442485d..445bb69 100644
--- a/templates/stream/default.conf.j2
+++ b/templates/stream/default.conf.j2
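Review bot: Nothing in this block switches the upstream connection to TLS; in the http module that is decided by the `proxy_pass` scheme, so when `proxy_pass` is `http://...` (as in the role's defaults) every `proxy_ssl_*` directive rendered here is accepted by nginx and silently ignored. A template comment above the outer `{% if %}` would make that visible to the next operator, e.g. `{# proxy_ssl_* only take effect when proxy_pass points at an https:// upstream #}`. The empty `+` line right after the outer `{% if %}` looks unintentional and renders a blank line into every location that sets `proxy_ssl`. `proxy_ssl_trusted_certificate` is also emitted when `verify` is absent or false, where nginx does not use it; harmless, but the README should state that the CA file is only enforced together with `verify: true`. The `server {` block and the location loop this sits in start and end outside the hunk.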
@@ -42,6 +42,39 @@ server {
 {% else %}
 proxy_protocol off;
 {% endif %}
+{% if item.value.network_streams[stream].proxy_ssl is defined %}
+ proxy_ssl on;
+{% if item.value.network_streams[stream].proxy_ssl.cert is defined %}
+ proxy_ssl_certificate {{ item.value.network_streams[stream].proxy_ssl.cert }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.key is defined %}
+ proxy_ssl_certificate_key {{ item.value.network_streams[stream].proxy_ssl.key }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.server_name is defined %}
+ proxy_ssl_server_name {{ item.value.network_streams[stream].proxy_ssl.server_name | ternary("on", "off") }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.name is defined %}
+ proxy_ssl_name {{ item.value.network_streams[stream].proxy_ssl.name }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.protocols is defined %}
+ proxy_ssl_protocols {{ item.value.network_streams[stream].proxy_ssl.protocols }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.ciphers is defined %}
+ proxy_ssl_ciphers {{ item.value.network_streams[stream].proxy_ssl.ciphers }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.trusted_cert is defined %}
+ proxy_ssl_trusted_certificate {{ item.value.network_streams[stream].proxy_ssl.trusted_cert }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.verify is defined %}
+ proxy_ssl_verify {{ item.value.network_streams[stream].proxy_ssl.verify | ternary("on", "off") }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.verify_depth is defined %}
+ proxy_ssl_verify_depth {{ item.value.network_streams[stream].proxy_ssl.verify_depth }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.session_reuse is defined %}
+ proxy_ssl_session_reuse {{ item.value.network_streams[stream].proxy_ssl.session_reuse | ternary("on", "off") }};
+{% endif %}
+{% endif %}
 {% if item.value.network_streams[stream].health_check_plus %}
 health_check;
 {% endif %}
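Review bot: `proxy_ssl on;` is emitted as soon as the `proxy_ssl` mapping exists, but `proxy_ssl_verify` is only rendered when `verify` is defined, so a user who supplies only `trusted_cert` gets an encrypted but unauthenticated upstream connection, because nginx ignores `proxy_ssl_trusted_certificate` unless verification is on. The safer rendering is to turn verification on whenever a CA file is given and nothing says otherwise: change the guard to `{% if item.value.network_streams[stream].proxy_ssl.verify is defined or item.value.network_streams[stream].proxy_ssl.trusted_cert is defined %}` and the directive to `proxy_ssl_verify {{ item.value.network_streams[stream].proxy_ssl.verify | default(true) | ternary("on", "off") }};`, which still honours an explicit `verify: false`. The same applies to the http template's `proxy_ssl_verify` block at @@ -75. The enclosing `server {` block starts and ends outside the hunk.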