Advance SSL and proxy SSL settings (#100)

* Added stream template variables
* Added logic in Stream template
* Add udp variable
* Add ssl protocols and ciphers
* Add advanced ssl to template
* Add SSL variables
This commit is contained in:
Timothy Allen 2019-02-22 12:28:19 -05:00 committed by Grzegorz Dzien
parent b7913c6c4d
commit 328318bc19
4 changed files with 126 additions and 0 deletions


@ -328,6 +328,10 @@ nginx_http_template:
ssl: ssl:
cert: /etc/ssl/certs/default.crt cert: /etc/ssl/certs/default.crt
key: /etc/ssl/private/default.key key: /etc/ssl/private/default.key
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
session_cache: none
session_timeout: 5m
web_server: web_server:
locations: locations:
default: default:
@ -362,6 +366,17 @@ nginx_http_template:
backend: backend:
location: / location: /
proxy_pass: http://backend proxy_pass: http://backend
proxy_ssl:
cert: /etc/ssl/certs/proxy_default.crt
key: /etc/ssl/private/proxy_default.key
trusted_cert: /etc/ssl/certs/proxy_ca.crt
server_name: false
name: server_name
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
verify: false
verify_depth: 1
session_reuse: true
proxy_cache: frontend_proxy_cache proxy_cache: frontend_proxy_cache
proxy_temp_path: proxy_temp_path:
path: /var/cache/nginx/proxy/backend/temp path: /var/cache/nginx/proxy/backend/temp
@ -434,6 +449,17 @@ nginx_stream_template:
proxy_timeout: 3s proxy_timeout: 3s
proxy_connect_timeout: 1s proxy_connect_timeout: 1s
proxy_protocol: false proxy_protocol: false
proxy_ssl:
cert: /etc/ssl/certs/proxy_default.crt
key: /etc/ssl/private/proxy_default.key
trusted_cert: /etc/ssl/certs/proxy_ca.crt
server_name: false
name: server_name
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
verify: false
verify_depth: 1
session_reuse: true
health_check_plus: false health_check_plus: false
upstreams: upstreams:
upstream1: upstream1:
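Review bot: The `proxy_ssl` examples ship `verify: false` next to a `trusted_cert` (the `backend` location block and the stream block below `proxy_protocol: false`, and the same two blocks in the second variable file), so the rendered `proxy_ssl_verify off` leaves the CA file unused and the upstream certificate unchecked; were verification switched on as-is, `name: server_name` would make nginx check the upstream certificate against the literal host name `server_name`. `protocols: TLSv1 TLSv1.1 TLSv1.2` in the `ssl` block and both `proxy_ssl` blocks also enables the deprecated 1.0 and 1.1 versions on the listening side and the upstream side alike. The http-context `proxy_ssl` block sits under `proxy_pass: http://backend`, and nginx applies the http proxy_ssl_* directives only to an https:// upstream, so that example renders directives that never take effect. I would change the examples to `protocols: TLSv1.2` and `verify: true`, give `name` a real upstream host name, and either point the `backend` `proxy_pass` at an https:// upstream or drop the block there; whether `TLSv1.3` can be added depends on the nginx/OpenSSL build on the target hosts, which this page does not show.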


@ -170,6 +170,10 @@ nginx_http_template:
ssl: ssl:
cert: /etc/ssl/certs/default.crt cert: /etc/ssl/certs/default.crt
key: /etc/ssl/private/default.key key: /etc/ssl/private/default.key
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
session_cache: none
session_timeout: 5m
web_server: web_server:
locations: locations:
default: default:
@ -204,6 +208,15 @@ nginx_http_template:
backend: backend:
location: / location: /
proxy_pass: http://backend proxy_pass: http://backend
proxy_ssl:
cert: /etc/ssl/certs/proxy_default.crt
key: /etc/ssl/private/proxy_default.key
trusted_cert: /etc/ssl/certs/proxy_ca.crt
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
verify: false
verify_depth: 1
session_reuse: true
proxy_cache: frontend_proxy_cache proxy_cache: frontend_proxy_cache
proxy_temp_path: proxy_temp_path:
path: /var/cache/nginx/proxy/backend/temp path: /var/cache/nginx/proxy/backend/temp
@ -275,6 +288,15 @@ nginx_stream_template:
proxy_timeout: 3s proxy_timeout: 3s
proxy_connect_timeout: 1s proxy_connect_timeout: 1s
proxy_protocol: false proxy_protocol: false
proxy_ssl:
cert: /etc/ssl/certs/proxy_default.crt
key: /etc/ssl/private/proxy_default.key
trusted_cert: /etc/ssl/certs/proxy_ca.crt
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
verify: false
verify_depth: 1
session_reuse: true
health_check_plus: false health_check_plus: false
upstreams: upstreams:
upstream1: upstream1:
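Review bot: This variable file omits the `server_name` and `name` keys that the first file's two `proxy_ssl` blocks carry (`server_name: false`, `name: server_name`), so whichever of the two files is the test fixture, the `proxy_ssl_server_name` and `proxy_ssl_name` branches of both templates are never rendered by it. Add the two keys here, or remove them from the first file, so the fixture and the defaults describe the same shape of the `proxy_ssl` mapping. Which file is the role's defaults and which is the test playbook is not visible on this page.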


@ -52,6 +52,18 @@ server {
listen {{ item.value.port }} ssl; listen {{ item.value.port }} ssl;
ssl_certificate {{ item.value.ssl.cert }}; ssl_certificate {{ item.value.ssl.cert }};
ssl_certificate_key {{ item.value.ssl.key }}; ssl_certificate_key {{ item.value.ssl.key }};
{% if item.value.ssl.protocols is defined %}
ssl_protocols {{ item.value.ssl.protocols }};
{% endif %}
{% if item.value.ssl.ciphers is defined %}
ssl_ciphers {{ item.value.ssl.ciphers }};
{% endif %}
{% if item.value.ssl.session_cache is defined %}
ssl_session_cache {{ item.value.ssl.session_cache }};
{% endif %}
{% if item.value.ssl.session_timeout is defined %}
ssl_session_timeout {{ item.value.ssl.session_timeout }};
{% endif %}
{% else %} {% else %}
listen {{ item.value.port }}; listen {{ item.value.port }};
{% endif %} {% endif %}
@ -75,6 +87,39 @@ server {
auth_basic_user_file {{ item.value.reverse_proxy.locations[location].auth_basic_file }}; auth_basic_user_file {{ item.value.reverse_proxy.locations[location].auth_basic_file }};
{% endif %} {% endif %}
proxy_pass {{ item.value.reverse_proxy.locations[location].proxy_pass }}; proxy_pass {{ item.value.reverse_proxy.locations[location].proxy_pass }};
{% if item.value.reverse_proxy.locations[location].proxy_ssl is defined %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.cert is defined %}
proxy_ssl_certificate {{ item.value.reverse_proxy.locations[location].proxy_ssl.cert }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.key is defined %}
proxy_ssl_certificate_key {{ item.value.reverse_proxy.locations[location].proxy_ssl.key }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.trusted_cert is defined %}
proxy_ssl_trusted_certificate {{ item.value.reverse_proxy.locations[location].proxy_ssl.trusted_cert }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.server_name is defined %}
proxy_ssl_server_name {{ item.value.reverse_proxy.locations[location].proxy_ssl.server_name | ternary("on", "off") }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.name is defined %}
proxy_ssl_name {{ item.value.reverse_proxy.locations[location].proxy_ssl.name }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.protocols is defined %}
proxy_ssl_protocols {{ item.value.reverse_proxy.locations[location].proxy_ssl.protocols }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.ciphers is defined %}
proxy_ssl_ciphers {{ item.value.reverse_proxy.locations[location].proxy_ssl.ciphers }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.verify is defined %}
proxy_ssl_verify {{ item.value.reverse_proxy.locations[location].proxy_ssl.verify | ternary("on", "off") }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.verify_depth is defined %}
proxy_ssl_verify_depth {{ item.value.reverse_proxy.locations[location].proxy_ssl.verify_depth }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_ssl.session_reuse is defined %}
proxy_ssl_session_reuse {{ item.value.reverse_proxy.locations[location].proxy_ssl.session_reuse | ternary("on", "off") }};
{% endif %}
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_redirect is defined %} {% if item.value.reverse_proxy.locations[location].proxy_redirect is defined %}
proxy_redirect {{ item.value.reverse_proxy.locations[location].proxy_redirect | ternary(item.value.reverse_proxy.locations[location].proxy_redirect, "off") }}; proxy_redirect {{ item.value.reverse_proxy.locations[location].proxy_redirect | ternary(item.value.reverse_proxy.locations[location].proxy_redirect, "off") }};
{% endif %} {% endif %}
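Review bot: The new `proxy_ssl` block in the second hunk repeats `item.value.reverse_proxy.locations[location].proxy_ssl` in every condition and every output line, which pushes each directive past 120 columns and gives the reader no hint that, in the http context, nginx consults proxy_ssl_* only when `proxy_pass` targets an https:// upstream (the variable examples in this commit pair the block with `http://backend`). Binding the mapping once with `{% set %}` inside the outer `is defined` guard and adding a one-line Jinja comment would shorten every line and record that condition; the same consolidation applies to the stream template's block. The `set` is safe provided the block sits inside the `{% for location in … %}` loop that I assume begins above the hunk, since Jinja scopes the variable to that iteration. The enclosing `server {` block starts and ends outside the hunk.
```jinja
{% if item.value.reverse_proxy.locations[location].proxy_ssl is defined %}
{% set proxy_ssl = item.value.reverse_proxy.locations[location].proxy_ssl %}
{# http context: nginx applies proxy_ssl_* only when proxy_pass uses an https:// scheme #}
{% if proxy_ssl.cert is defined %}
proxy_ssl_certificate {{ proxy_ssl.cert }};
{% endif %}
{% if proxy_ssl.verify is defined %}
proxy_ssl_verify {{ proxy_ssl.verify | ternary("on", "off") }};
{% endif %}
{# … unchanged in shape: key, trusted_cert, server_name, name, protocols, ciphers, verify_depth, session_reuse, each read from proxy_ssl.<key> … #}
{% endif %}
```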


@ -42,6 +42,39 @@ server {
{% else %} {% else %}
proxy_protocol off; proxy_protocol off;
{% endif %} {% endif %}
{% if item.value.network_streams[stream].proxy_ssl is defined %}
proxy_ssl on;
{% if item.value.network_streams[stream].proxy_ssl.cert is defined %}
proxy_ssl_certificate {{ item.value.network_streams[stream].proxy_ssl.cert }};
{% endif %}
{% if item.value.network_streams[stream].proxy_ssl.key is defined %}
proxy_ssl_certificate_key {{ item.value.network_streams[stream].proxy_ssl.key }};
{% endif %}
{% if item.value.network_streams[stream].proxy_ssl.server_name is defined %}
proxy_ssl_server_name {{ item.value.network_streams[stream].proxy_ssl.server_name | ternary("on", "off") }};
{% endif %}
{% if item.value.network_streams[stream].proxy_ssl.name is defined %}
proxy_ssl_name {{ item.value.network_streams[stream].proxy_ssl.name }};
{% endif %}
{% if item.value.network_streams[stream].proxy_ssl.protocols is defined %}
proxy_ssl_protocols {{ item.value.network_streams[stream].proxy_ssl.protocols }};
{% endif %}
{% if item.value.network_streams[stream].proxy_ssl.ciphers is defined %}
proxy_ssl_ciphers {{ item.value.network_streams[stream].proxy_ssl.ciphers }};
{% endif %}
{% if item.value.network_streams[stream].proxy_ssl.trusted_cert is defined %}
proxy_ssl_trusted_certificate {{ item.value.network_streams[stream].proxy_ssl.trusted_cert }};
{% endif %}
{% if item.value.network_streams[stream].proxy_ssl.verify is defined %}
proxy_ssl_verify {{ item.value.network_streams[stream].proxy_ssl.verify | ternary("on", "off") }};
{% endif %}
{% if item.value.network_streams[stream].proxy_ssl.verify_depth is defined %}
proxy_ssl_verify_depth {{ item.value.network_streams[stream].proxy_ssl.verify_depth }};
{% endif %}
{% if item.value.network_streams[stream].proxy_ssl.session_reuse is defined %}
proxy_ssl_session_reuse {{ item.value.network_streams[stream].proxy_ssl.session_reuse | ternary("on", "off") }};
{% endif %}
{% endif %}
{% if item.value.network_streams[stream].health_check_plus %} {% if item.value.network_streams[stream].health_check_plus %}
health_check; health_check;
{% endif %} {% endif %}
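Review bot: `proxy_ssl_verify` and `proxy_ssl_trusted_certificate` are emitted independently from `verify` and `trusted_cert`, so a stream whose variables set `verify: true` without `trusted_cert` renders `proxy_ssl_verify on;` with no trusted certificate, which nginx, as far as I recall, rejects at load time with "no proxy_ssl_trusted_certificate for proxy_ssl_verify" rather than the playbook failing early. Conversely, `trusted_cert` and `verify_depth` without `verify: true` render but are never consulted, so the variable examples in this commit (`verify: false` plus `trusted_cert`) do not actually verify the upstream. I would add a Jinja comment above the `verify` condition, `{# verify: true requires trusted_cert; trusted_cert and verify_depth are ignored unless verify is true #}`, and the same comment fits the http template's block. The enclosing `server {` block starts and ends outside the hunk.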