haproxy: deport SSL tuning to Mozilla SSL generator

There are too many combinations and they change every so often. It's better to direct the user to the generator to have a good configuration.
2020-06-15 22:47:08 +02:00 · 2020-06-15 22:47:08 +02:00 · d67be3cd91
parent 2a5195078c
commit d67be3cd91
3 changed files with 2 additions and 21 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.

 * lxc-php: Do --no-install-recommends for ssmtp/opensmtpd
 * packweb-apache: Don't turn on mod-evasive emails by default
+* haproxy: deport SSL tuning to Mozilla SSL generator
 * haproxy: chroot and socket path are configurable
 * haproxy: adapt backports installed package list to distibution
 * haproxy: split stats variables
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@ -27,19 +27,6 @@
    - haproxy
    - config

- name: 2048 bits DHparam file is present
-  get_url:
-    url: https://ssl-config.mozilla.org/ffdhe2048.txt
-    dest: /etc/haproxy/dhparam2048.txt
-    mode: '0600'
-    owner: root
-    group: root
-    force: no
-  notify: reload haproxy
-  tags:
-    - haproxy
-    - config
-
 - name: HAProxy stats_access_ips are present
  blockinfile:
    dest: /etc/haproxy/stats_access_ips
--- a/haproxy/templates/haproxy.default.cfg.j2
+++ b/haproxy/templates/haproxy.default.cfg.j2
@ -14,14 +14,7 @@ global
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

-    # intermediate configuration https://ssl-config.mozilla.org/
-    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-
-    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-
-    ssl-dh-param-file /etc/haproxy/dhparam2048.txt
+    # Go to https://ssl-config.mozilla.org/ and build your SSL configuration

 defaults
    log global