haproxy: preconfigure SSL with defaults
This commit is contained in:
parent
7f54b8ab60
commit
f47af9f54f
|
@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
* certbot: detect HAProxy cert directory
|
* certbot: detect HAProxy cert directory
|
||||||
* haproxy: enable stats frontend with access lists
|
* haproxy: enable stats frontend with access lists
|
||||||
|
* haproxy: preconfigure SSL with defaults
|
||||||
* lxc-php: Install php-sqlite by default
|
* lxc-php: Install php-sqlite by default
|
||||||
* lxc-php: Don't disable putenv() by default in PHP settings
|
* lxc-php: Don't disable putenv() by default in PHP settings
|
||||||
* mysql: activate binary logs by specifying log_bin path
|
* mysql: activate binary logs by specifying log_bin path
|
||||||
|
|
|
@ -7,30 +7,35 @@
|
||||||
- haproxy
|
- haproxy
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
- include: packages_backports.yml
|
- name: HAProxy SSL directory is present
|
||||||
when: haproxy_backports
|
file:
|
||||||
|
path: /etc/haproxy/ssl
|
||||||
- name: Install HAProxy package
|
owner: root
|
||||||
apt:
|
group: root
|
||||||
name: haproxy
|
mode: "0700"
|
||||||
state: present
|
state: directory
|
||||||
tags:
|
tags:
|
||||||
- haproxy
|
- haproxy
|
||||||
- packages
|
- config
|
||||||
|
|
||||||
- name: Copy HAProxy configuration
|
- name: Self-signed certificate is present in HAProxy ssl directory
|
||||||
template:
|
shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
|
||||||
src: "{{ item }}"
|
args:
|
||||||
dest: /etc/haproxy/haproxy.cfg
|
creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
|
||||||
force: "{{ haproxy_force_config }}"
|
notify: reload haproxy
|
||||||
validate: "haproxy -c -f %s"
|
tags:
|
||||||
with_first_found:
|
- haproxy
|
||||||
- "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
|
- config
|
||||||
- "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"
|
|
||||||
- "templates/haproxy/haproxy.default.cfg.j2"
|
- name: 2048 bits DHparam file is present
|
||||||
- "haproxy.default.cfg.j2"
|
get_url:
|
||||||
|
url: https://ssl-config.mozilla.org/ffdhe2048.txt
|
||||||
|
dest: /etc/haproxy/dhparam2048.txt
|
||||||
|
mode: '0600'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
force: no
|
||||||
notify: reload haproxy
|
notify: reload haproxy
|
||||||
when: haproxy_update_config
|
|
||||||
tags:
|
tags:
|
||||||
- haproxy
|
- haproxy
|
||||||
- config
|
- config
|
||||||
|
@ -71,4 +76,32 @@
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
notify: reload haproxy
|
notify: reload haproxy
|
||||||
|
|
||||||
|
- include: packages_backports.yml
|
||||||
|
when: haproxy_backports
|
||||||
|
|
||||||
|
- name: Install HAProxy package
|
||||||
|
apt:
|
||||||
|
name: haproxy
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- packages
|
||||||
|
|
||||||
|
- name: Copy HAProxy configuration
|
||||||
|
template:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: /etc/haproxy/haproxy.cfg
|
||||||
|
force: "{{ haproxy_force_config }}"
|
||||||
|
validate: "haproxy -c -f %s"
|
||||||
|
with_first_found:
|
||||||
|
- "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
|
||||||
|
- "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"
|
||||||
|
- "templates/haproxy/haproxy.default.cfg.j2"
|
||||||
|
- "haproxy.default.cfg.j2"
|
||||||
|
notify: reload haproxy
|
||||||
|
when: haproxy_update_config
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
|
||||||
- include: munin.yml
|
- include: munin.yml
|
||||||
|
|
|
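Review bot: The snakeoil task at `shell: "cat … > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"` is not safe against a missing input: the shell creates and truncates the output before `cat` runs, so if `/etc/ssl/certs/ssl-cert-snakeoil.pem` or `/etc/ssl/private/ssl-cert-snakeoil.key` is absent (they come from the `ssl-cert` package, which nothing visible in this diff installs) the task fails but leaves a partial PEM behind, and `creates:` then skips the task on every later run. Writing to a temporary name and renaming only on success fixes that and also fixes the file's permissions, which otherwise follow the default umask even though the file holds a private key: `shell: "umask 077 && cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/.ssl-cert-snakeoil.pem.tmp && mv /etc/haproxy/ssl/.ssl-cert-snakeoil.pem.tmp /etc/haproxy/ssl/ssl-cert-snakeoil.pem"`. The `get_url` of `https://ssl-config.mozilla.org/ffdhe2048.txt` fetches from the network with no `checksum:`; since the FFDHE2048 group is a fixed, published constant, pin its digest with `checksum: sha256:…` (or ship the file inside the role and use `copy:`) so a tampered or truncated download cannot silently change the DH group HAProxy serves. Also `force: no` is the YAML 1.1 boolean spelling; write `force: false` to match `true`/`false` elsewhere in the role.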
@ -14,11 +14,14 @@ global
|
||||||
ca-base /etc/ssl/certs
|
ca-base /etc/ssl/certs
|
||||||
crt-base /etc/ssl/private
|
crt-base /etc/ssl/private
|
||||||
|
|
||||||
# Default ciphers to use on SSL-enabled listening sockets.
|
# intermediate configuration https://ssl-config.mozilla.org/
|
||||||
# For more information, see ciphers(1SSL). This list is from:
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||||
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
|
|
||||||
ssl-default-bind-options no-sslv3
|
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
|
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||||
|
|
||||||
|
ssl-dh-param-file /etc/haproxy/dhparam2048.txt
|
||||||
|
|
||||||
defaults
|
defaults
|
||||||
log global
|
log global
|
||||||
|
|
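Review bot: `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets` disables protocol versions by enumeration, so any version not named stays enabled; if the target HAProxy is 1.8 or newer (the backports include suggests it may be), the same floor is expressed more robustly as `ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets`, with the matching change on `ssl-default-server-options`, which is also what the Mozilla generator emits for that version. Whether the target's HAProxy/OpenSSL actually supports `ssl-min-ver` and the CHACHA20 suites is not visible from this hunk, so the comment `# intermediate configuration https://ssl-config.mozilla.org/` should record the HAProxy and OpenSSL versions the profile was generated for; that also lets the next reader tell whether the absence of `ssl-default-bind-ciphersuites` (TLS 1.3) is deliberate. Note that `ssl-dh-param-file /etc/haproxy/dhparam2048.txt` makes `haproxy -c` fail if the download task never ran, which is the safer failure mode but worth stating in a comment beside the directive, e.g. `# fetched by tasks/main.yml; haproxy refuses to start without it`.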