From 2e67b6809d3b44da2e1e6ee6a974f10a3844964f Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2015 17:21:06 +0100
Subject: ngnix: mv ssl/config conf.d/ssl

---
 roles/common-web/files/etc/nginx/conf.d/ssl | 20 ++++++++++++++++++++
 roles/common-web/files/etc/nginx/ssl/config | 20 --------------------
 roles/common-web/tasks/main.yml             |  6 +++---
 3 files changed, 23 insertions(+), 23 deletions(-)
 create mode 100644 roles/common-web/files/etc/nginx/conf.d/ssl
 delete mode 100644 roles/common-web/files/etc/nginx/ssl/config

(limited to 'roles/common-web')

diff --git a/roles/common-web/files/etc/nginx/conf.d/ssl b/roles/common-web/files/etc/nginx/conf.d/ssl
new file mode 100644
index 0000000..26a64f4
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/conf.d/ssl
@@ -0,0 +1,20 @@
+ssl on;
+
+# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
+keepalive_timeout           75 75;
+ssl_session_timeout         5m;
+ssl_session_cache           shared:SSL:5m;
+
+# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
+# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
+# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
+# in favor of RC4, but that's not satisfactory either since RC4 has
+# other weaknesses.
+ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers                 HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
+ssl_dhparam                 /etc/ssl/private/dhparams.pem;
+ssl_prefer_server_ciphers   on;
+
+# Strict Transport Security header for enhanced security. See
+# http://www.chromium.org/sts.
+add_header Strict-Transport-Security "max-age=15552000";
diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config
deleted file mode 100644
index 26a64f4..0000000
--- a/roles/common-web/files/etc/nginx/ssl/config
+++ /dev/null
@@ -1,20 +0,0 @@
-ssl on;
-
-# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
-keepalive_timeout           75 75;
-ssl_session_timeout         5m;
-ssl_session_cache           shared:SSL:5m;
-
-# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
-# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
-# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
-# in favor of RC4, but that's not satisfactory either since RC4 has
-# other weaknesses.
-ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers                 HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
-ssl_dhparam                 /etc/ssl/private/dhparams.pem;
-ssl_prefer_server_ciphers   on;
-
-# Strict Transport Security header for enhanced security. See
-# http://www.chromium.org/sts.
-add_header Strict-Transport-Security "max-age=15552000";
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index d2b2acd..1f06c13 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -36,9 +36,9 @@
   notify:
     - Restart Nginx
 
-- name: Copy SSL configuration
-  copy: src=etc/nginx/ssl/config
-        dest=/etc/nginx/ssl/config
+- name: Copy SSL configuration snippet
+  copy: src=etc/nginx/conf.d/ssl
+        dest=/etc/nginx/conf.d/ssl
         owner=root group=root
         mode=0644
   register: r2
-- 
cgit v1.2.3