haproxy: deport SSL tuning to Mozilla SSL generator
There are too many combinations and they change every so often; it is better to direct the user to the generator so they end up with an up-to-date configuration.
This commit is contained in:
parent
2a5195078c
commit
d67be3cd91
|
@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
* lxc-php: Do --no-install-recommends for ssmtp/opensmtpd
|
||||
* packweb-apache: Don't turn on mod-evasive emails by default
|
||||
* haproxy: deport SSL tuning to Mozilla SSL generator
|
||||
* haproxy: chroot and socket path are configurable
|
||||
* haproxy: adapt backports installed package list to distibution
|
||||
* haproxy: split stats variables
|
||||
|
|
|
@ -27,19 +27,6 @@
|
|||
- haproxy
|
||||
- config
|
||||
|
||||
- name: 2048 bits DHparam file is present
|
||||
get_url:
|
||||
url: https://ssl-config.mozilla.org/ffdhe2048.txt
|
||||
dest: /etc/haproxy/dhparam2048.txt
|
||||
mode: '0600'
|
||||
owner: root
|
||||
group: root
|
||||
force: no
|
||||
notify: reload haproxy
|
||||
tags:
|
||||
- haproxy
|
||||
- config
|
||||
|
||||
- name: HAProxy stats_access_ips are present
|
||||
blockinfile:
|
||||
dest: /etc/haproxy/stats_access_ips
|
||||
|
|
|
@ -14,14 +14,7 @@ global
|
|||
ca-base /etc/ssl/certs
|
||||
crt-base /etc/ssl/private
|
||||
|
||||
# intermediate configuration https://ssl-config.mozilla.org/
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
|
||||
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
|
||||
ssl-dh-param-file /etc/haproxy/dhparam2048.txt
|
||||
# Go to https://ssl-config.mozilla.org/ and build your SSL configuration
|
||||
|
||||
defaults
|
||||
log global
|
||||
|
|