Use weak ciphers for boot.foo.sh

iPXE doesn't support modern ciphers so use older ones.
2021-02-12 07:12:13 +00:00 · 2021-02-12 07:12:13 +00:00 · b2de68ebac
commit b2de68ebac
parent 353e7facf7
2 changed files with 8 additions and 0 deletions
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@ -21,6 +21,7 @@
      site: autoconfig.foo.sh
    - role: nginx/site
      site: boot.foo.sh
+      ssl_config: old
    - role: nginx/site
      site: bitbucket.foo.sh
      redirect: https://bitbucket.org/tmakinen/
--- a/roles/nginx/site/templates/site.conf.j2
+++ b/roles/nginx/site/templates/site.conf.j2
@ -10,6 +10,13 @@ server {
    listen [::]:443 ssl http2;
    server_name {{ site }};

+{% if ssl_config is defined %}
+{%   if ssl_config == "old" %}
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
+    ssl_prefer_server_ciphers on;
+{%   endif %}
+{% endif %}
    ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
    ssl_certificate_key {{ tls_private }}/{{ site }}.key;