forked from evolix/ansible-roles
haproxy: preconfigure SSL with defaults
This commit is contained in:
parent
7f54b8ab60
commit
f47af9f54f
@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
* certbot: detect HAProxy cert directory
|
||||
* haproxy: enable stats frontend with access lists
|
||||
* haproxy: preconfigure SSL with defaults
|
||||
* lxc-php: Install php-sqlite by default
|
||||
* lxc-php: Don't disable putenv() by default in PHP settings
|
||||
* mysql: activate binary logs by specifying log_bin path
|
||||
@ -7,30 +7,35 @@
|
|||
- haproxy
|
||||
- packages
|
||||
|
||||
- include: packages_backports.yml
|
||||
when: haproxy_backports
|
||||
|
||||
- name: Install HAProxy package
|
||||
apt:
|
||||
name: haproxy
|
||||
state: present
|
||||
- name: HAProxy SSL directory is present
|
||||
file:
|
||||
path: /etc/haproxy/ssl
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0700"
|
||||
state: directory
|
||||
tags:
|
||||
- haproxy
|
||||
- packages
|
||||
- config
|
||||
|
||||
- name: Copy HAProxy configuration
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
force: "{{ haproxy_force_config }}"
|
||||
validate: "haproxy -c -f %s"
|
||||
with_first_found:
|
||||
- "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
|
||||
- "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"
|
||||
- "templates/haproxy/haproxy.default.cfg.j2"
|
||||
- "haproxy.default.cfg.j2"
|
||||
- name: Self-signed certificate is present in HAProxy ssl directory
|
||||
shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
|
||||
args:
|
||||
creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
|
||||
notify: reload haproxy
|
||||
tags:
|
||||
- haproxy
|
||||
- config
|
||||
|
||||
- name: 2048 bits DHparam file is present
|
||||
get_url:
|
||||
url: https://ssl-config.mozilla.org/ffdhe2048.txt
|
||||
dest: /etc/haproxy/dhparam2048.txt
|
||||
mode: '0600'
|
||||
owner: root
|
||||
group: root
|
||||
force: no
|
||||
notify: reload haproxy
|
||||
when: haproxy_update_config
|
||||
tags:
|
||||
- haproxy
|
||||
- config
|
||||
|
@ -71,4 +76,32 @@
|
|||
{% endfor %}
|
||||
notify: reload haproxy
|
||||
|
||||
- include: packages_backports.yml
|
||||
when: haproxy_backports
|
||||
|
||||
- name: Install HAProxy package
|
||||
apt:
|
||||
name: haproxy
|
||||
state: present
|
||||
tags:
|
||||
- haproxy
|
||||
- packages
|
||||
|
||||
- name: Copy HAProxy configuration
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
force: "{{ haproxy_force_config }}"
|
||||
validate: "haproxy -c -f %s"
|
||||
with_first_found:
|
||||
- "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
|
||||
- "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"
|
||||
- "templates/haproxy/haproxy.default.cfg.j2"
|
||||
- "haproxy.default.cfg.j2"
|
||||
notify: reload haproxy
|
||||
when: haproxy_update_config
|
||||
tags:
|
||||
- haproxy
|
||||
- config
|
||||
|
||||
- include: munin.yml
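Review bot: The `2048 bits DHparam file is present` task fetches the group that the template wires into `ssl-dh-param-file` with no `checksum:`, so whatever `ssl-config.mozilla.org` (or anything able to present a trusted certificate for that name) serves becomes the DHE group for every handshake, and with `force: no` a bad download is never re-examined. ffdhe2048 is the fixed RFC 7919 group, so either ship the PEM in the role's `files/` and install it with `copy:`, or pin the fetch with `checksum: "sha256:<digest computed from the RFC 7919 text>"` — derive the digest from the RFC, not from a download. In the `Self-signed certificate is present` task, `cat a b > out` leaves a cert-only file behind when the key is missing or unreadable and `creates:` then skips the task on every later run, and the key-bearing PEM takes the umask default instead of an explicit mode; `umask 077 && cat … > …pem.tmp && mv …pem.tmp …pem` (or a follow-up `file:` task with `mode: "0600"`) closes both. Minor: `force: no` is a YAML 1.1 truthy spelling flagged by yamllint; `force: false` is the unambiguous form. The task that `{% endfor %}` belongs to starts outside the second hunk.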
|
||||
|
@ -14,11 +14,14 @@ global
|
|||
ca-base /etc/ssl/certs
|
||||
crt-base /etc/ssl/private
|
||||
|
||||
# Default ciphers to use on SSL-enabled listening sockets.
|
||||
# For more information, see ciphers(1SSL). This list is from:
|
||||
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
||||
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
|
||||
ssl-default-bind-options no-sslv3
|
||||
# intermediate configuration https://ssl-config.mozilla.org/
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
|
||||
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
|
||||
ssl-dh-param-file /etc/haproxy/dhparam2048.txt
|
||||
|
||||
defaults
|
||||
log global
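Review bot: The new `ssl-default-bind-ciphers` / `ssl-default-bind-options` lines only govern TLS 1.2 and below; on an HAProxy built against OpenSSL 1.1.1 (1.8.1+), TLS 1.3 negotiates its own suite list that this string does not touch, and the Mozilla intermediate profile the comment cites has since added `ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256` and `ssl-min-ver TLSv1.2` (and the `server` equivalents) for exactly that reason. Whether those keywords parse depends on the packaged version (`haproxy_backports` suggests more than one is in play), so either add them under a version guard or state the omission in the comment. The `# intermediate configuration` comment should also record what it was taken from, e.g. `# Mozilla SSL config generator, intermediate profile, <haproxy/openssl versions>, fetched <date>`, since the generator output changes over time. Note that `crt-base /etc/ssl/private` is kept while the tasks now create `/etc/haproxy/ssl`, so `bind … crt` lines must use an absolute path or the base should follow. The `global` section starts outside this hunk.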
|
||||
|