Make DH key size configurable.

298423fc · Morgan Robertson · e3c1be16 · 298423fc · 298423fc
Commit 298423fc authored Apr 11, 2017 by Morgan Robertson
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletions

playbooks/roles/nginx/defaults/main.yml
+1 -0

playbooks/roles/nginx/tasks/main.yml
+1 -1

No files found.
--- a/playbooks/roles/nginx/defaults/main.yml
+++ b/playbooks/roles/nginx/defaults/main.yml
@@ -36,6 +36,7 @@ NGINX_SSL_KEY: 'ssl-cert-snakeoil.key'
 NGINX_SSL_CIPHERS: "'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'"
 NGINX_SSL_PROTOCOLS: "TLSv1 TLSv1.1 TLSv1.2"
 NGINX_DH_PARAMS_PATH: "/etc/ssl/private/dhparams.pem"
+NGINX_DH_KEYSIZE: 2048

 NGINX_LOG_FORMAT_NAME: 'p_combined'
 # When set to False, nginx will pass X-Forwarded-For, X-Forwarded-Port,

--- a/playbooks/roles/nginx/tasks/main.yml
+++ b/playbooks/roles/nginx/tasks/main.yml
@@ -3,7 +3,7 @@
 ---

 - name: Create Diffie-Hellman parameters to prevent weak key exchange
-  command: openssl dhparam -out "{{ NGINX_DH_PARAMS_PATH | basename }}" 2048
+  command: openssl dhparam -out "{{ NGINX_DH_PARAMS_PATH | basename }}" {{ NGINX_DH_KEYSIZE }}
  args:
    chdir: "{{ NGINX_DH_PARAMS_PATH | dirname }}"
    creates: "{{ NGINX_DH_PARAMS_PATH }}"