From f47af9f54f0ee3d4ed22367c3d4a6604872dfc54 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 14 Jun 2020 12:36:58 +0200
Subject: [PATCH] haproxy: preconfigure SSL with defaults

---
 CHANGELOG.md | 1 +
 haproxy/tasks/main.yml | 73 +++++++++++++++++-------
 haproxy/templates/haproxy.default.cfg.j2 | 13 +++-
 3 files changed, 62 insertions(+), 25 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ae6a2d2d..5277e978 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release.
 * certbot: detect HAProxy cert directory
 * haproxy: enable stats frontend with access lists
+* haproxy: preconfigure SSL with defaults
 * lxc-php: Install php-sqlite by default
 * lxc-php: Don't disable putenv() by default in PHP settings
 * mysql: activate binary logs by specifying log_bin path
diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml
index f17d14bc..9fade1a6 100644
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@@ -7,30 +7,35 @@
     - haproxy
     - packages
-- include: packages_backports.yml
-  when: haproxy_backports
-
-- name: Install HAProxy package
-  apt:
-    name: haproxy
-    state: present
+- name: HAProxy SSL directory is present
+  file:
+    path: /etc/haproxy/ssl
+    owner: root
+    group: root
+    mode: "0700"
+    state: directory
   tags:
     - haproxy
-    - packages
+    - config
-- name: Copy HAProxy configuration
-  template:
-    src: "{{ item }}"
-    dest: /etc/haproxy/haproxy.cfg
-    force: "{{ haproxy_force_config }}"
-    validate: "haproxy -c -f %s"
-  with_first_found:
-    "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
-    "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"
-    "templates/haproxy/haproxy.default.cfg.j2"
-    "haproxy.default.cfg.j2"
+- name: Self-signed certificate is present in HAProxy ssl directory
+  shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
+  args:
+    creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
+  notify: reload haproxy
+  tags:
+    - haproxy
+    - config
+
+- name: 2048 bits DHparam file is present
+  get_url:
+    url: https://ssl-config.mozilla.org/ffdhe2048.txt
+    dest: /etc/haproxy/dhparam2048.txt
+    mode: '0600'
+    owner: root
+    group: root
+    force: no
   notify: reload haproxy
-  when: haproxy_update_config
   tags:
     - haproxy
     - config
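Review bot: The `Self-signed certificate is present` shell task guards itself with `creates:`, but the `>` redirect creates the target before `cat` has read either input, so a run that fails on a missing `/etc/ssl/private/ssl-cert-snakeoil.key` leaves a partial file that every later run then skips; the combined file also contains the private key and is written with the shell's default umask rather than an explicit mode. Writing to a temporary name under a restrictive umask and renaming only on success closes both gaps: `shell: "umask 077 && cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/.ssl-cert-snakeoil.pem.tmp && mv /etc/haproxy/ssl/.ssl-cert-snakeoil.pem.tmp /etc/haproxy/ssl/ssl-cert-snakeoil.pem"`. The `2048 bits DHparam file` task fetches a fixed, published group over HTTPS with no `checksum:`; pinning it with `checksum: "sha256:<EXPECTED_SHA256_OF_FFDHE2048_TXT>"` (value taken from the published file) makes the download verifiable instead of relying on `force: no` alone. Minor style: `mode: '0600'` and `force: no` sit next to `mode: "0700"` in the same hunk; one quoting style should be used and the boolean written as `false`.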
@@ -71,4 +76,32 @@
     {% endfor %}
   notify: reload haproxy
+- include: packages_backports.yml
+  when: haproxy_backports
+
+- name: Install HAProxy package
+  apt:
+    name: haproxy
+    state: present
+  tags:
+    - haproxy
+    - packages
+
+- name: Copy HAProxy configuration
+  template:
+    src: "{{ item }}"
+    dest: /etc/haproxy/haproxy.cfg
+    force: "{{ haproxy_force_config }}"
+    validate: "haproxy -c -f %s"
+  with_first_found:
+    - "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
+    - "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"
+    - "templates/haproxy/haproxy.default.cfg.j2"
+    - "haproxy.default.cfg.j2"
+  notify: reload haproxy
+  when: haproxy_update_config
+  tags:
+    - haproxy
+    - config
+
 - include: munin.yml
diff --git a/haproxy/templates/haproxy.default.cfg.j2 b/haproxy/templates/haproxy.default.cfg.j2
index 09e0e3ff..b3a290eb 100644
--- a/haproxy/templates/haproxy.default.cfg.j2
+++ b/haproxy/templates/haproxy.default.cfg.j2
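Review bot: The tasks moved here (`include: packages_backports.yml` through `Copy HAProxy configuration`) now run after the SSL directory, certificate and DH-parameter tasks from the earlier hunk, and nothing in the file records why; the `validate: "haproxy -c -f %s"` step presumably needs `/etc/haproxy/dhparam2048.txt` and the certificate to exist once the template references them, so that dependency should be stated. A comment above the include such as `# Package install and config deployment come after the SSL tasks: "haproxy -c" validation of the template needs the cert and DH-param files to exist` would keep a future reorder from silently breaking validation. The task preceding the hunk (the one whose content ends with `{% endfor %}`) starts outside it.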
@@ -14,11 +14,14 @@ global
     ca-base /etc/ssl/certs
     crt-base /etc/ssl/private
-    # Default ciphers to use on SSL-enabled listening sockets.
-    # For more information, see ciphers(1SSL). This list is from:
-    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
-    ssl-default-bind-options no-sslv3
+    # intermediate configuration https://ssl-config.mozilla.org/
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-dh-param-file /etc/haproxy/dhparam2048.txt
 defaults
     log global
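Review bot: `ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11` applies the intermediate minimum to every TLS backend connection as well as to listeners, so any upstream that still only negotiates TLS 1.0/1.1 will stop working after this change; that is a sensible default but deserves a line in the comment, e.g. `# also applied to backend (server) connections; override per server with ssl-min-ver if an upstream needs older TLS`. The Mozilla generator's intermediate profile also emits an `ssl-default-bind-ciphersuites` line for TLS 1.3 suites, which is absent here; whether that matters depends on the HAProxy/OpenSSL versions targeted, which the hunk does not show, so it is worth either adding it or noting why it is left out. Recording the generator inputs in the comment (`# intermediate configuration https://ssl-config.mozilla.org/ — generated <DATE> for haproxy <VERSION>, openssl <VERSION>`) makes the cipher list reproducible the next time it is refreshed. The `global` section starts before the hunk.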