From 7febf3bda5ce20c70fb9763751fc5e04bf227a03 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 16 Mar 2021 22:45:21 +0000
Subject: [PATCH] nginx/server: Use mozilla recommended ssl settings

---
 roles/nginx/server/meta/main.yml | 3 +++
 roles/nginx/server/templates/nginx.conf.j2 | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 roles/nginx/server/meta/main.yml

diff --git a/roles/nginx/server/meta/main.yml b/roles/nginx/server/meta/main.yml
new file mode 100644
index 0000000..3ae915f
--- /dev/null
+++ b/roles/nginx/server/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: dhparams}
diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2
index 225368f..971f2b3 100644
--- a/roles/nginx/server/templates/nginx.conf.j2
+++ b/roles/nginx/server/templates/nginx.conf.j2
@@ -21,10 +21,13 @@ http {
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
- ssl_protocols {{ tls_protocols }};
- ssl_ciphers {{ tls_ciphers }};
+ ssl_dhparam {{ tls_certs }}/ffdhe3072.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
 proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
 proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
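Review bot: The new `dhparams` dependency in meta/main.yml is declared without recording what this role expects from it, while the template change in the same commit references `{{ tls_certs }}/ffdhe3072.pem` through `ssl_dhparam`; nothing in this file states that the dhparams role is the producer of that exact path. A comment next to the dependency would make the coupling visible to whoever later changes either role, e.g. `# must provide {{ tls_certs }}/ffdhe3072.pem, referenced by templates/nginx.conf.j2 (ssl_dhparam)`. If the dhparams role writes the group under a different name or directory, nginx would presumably refuse to load the generated config at the `ssl_dhparam` line, so the contract is worth stating rather than assumed.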