diff --git a/roles/gitlab/templates/gitlab.rb.j2 b/roles/gitlab/templates/gitlab.rb.j2 index 2de061e..86f4e5e 100644 --- a/roles/gitlab/templates/gitlab.rb.j2 +++ b/roles/gitlab/templates/gitlab.rb.j2 @@ -1134,18 +1134,19 @@ external_url 'http://{{ server_fqdn }}' # nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt" # nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key" -# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256" -# nginx['ssl_prefer_server_ciphers'] = "on" + nginx['ssl_ciphers'] = nil + nginx['ssl_prefer_server_ciphers'] = "off" ##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ##! https://cipherli.st/** -# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3" + nginx['ssl_protocols'] = "TLSv1.3" ##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html** -# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" + nginx['ssl_session_cache'] = "builtin:1000 shared:MozSSL:10m" ##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html** -# nginx['ssl_session_timeout'] = "5m" + nginx['ssl_session_timeout'] = "5m" + nginx['ssl_session_tickets'] = "off" # nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem # nginx['listen_addresses'] = ['*', '[::]'] diff --git a/roles/ldap/tasks/4_setup_tls.yaml b/roles/ldap/tasks/4_setup_tls.yaml index f217deb..d3e9b85 100644 --- a/roles/ldap/tasks/4_setup_tls.yaml +++ b/roles/ldap/tasks/4_setup_tls.yaml @@ -120,6 +120,7 @@ - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' } - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/ssl_ca.crt' } - { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth + - { name: 'olcTLSCipherSuite', value: 'SECURE:-VERS-ALL:+VERS-TLS1.3' } # TLSv1.3 Only tags: - 'tls_int' diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 93e16b9..ed43bc0 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -31,12 +31,6 @@ dest: '/etc/nginx/sites-available/{{ server_fqdn }}.conf' notify: 'restart nginx' -- name: create Diffie Hellman exchange parameters - command: openssl dhparam -out /etc/nginx/dhparam.pem 2048 - args: - creates: /etc/nginx/dhparam.pem - notify: restart nginx - - name: 'enable nginx configurations' file: src: '/etc/nginx/sites-available/{{ server_fqdn }}.conf' diff --git a/roles/nginx/templates/base.j2 b/roles/nginx/templates/base.j2 index 8412449..120eb5c 100644 --- a/roles/nginx/templates/base.j2 +++ b/roles/nginx/templates/base.j2 @@ -2,32 +2,22 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /etc/letsencrypt/live/{{ server_fqdn }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ server_fqdn }}/privkey.pem; - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - ssl_session_tickets off; - - # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - ssl_dhparam /etc/nginx/dhparam.pem; - # intermediate configuration. tweak to your needs. - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; - ssl_prefer_server_ciphers on; + ssl_session_timeout 5m; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; - # OCSP Stapling --- - # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; - ## verify chain of trust of OCSP response using Root CA and Intermediate certs + add_header Strict-Transport-Security "max-age=63072000" always; + ssl_trusted_certificate /etc/letsencrypt/live/{{ server_fqdn }}/chain.pem; include /etc/nginx/locations/{{ server_fqdn }}/*.conf; - }