create dhparam file

Sebastian Gumprich · Sebastian Gumprich · commit 36df40fe8e4c · 2016-09-22T18:06:39.000+02:00
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -22,4 +22,5 @@ nginx_add_header: [
 nginx_ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2"
 nginx_ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 nginx_ssl_prefer_server_ciphers: "on"
+nginx_dh_param: "{{nginx_root_dir}}/dh{{nginx_dh_size}}.pem"
 nginx_dh_size: "2048"
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -29,3 +29,7 @@
   file: path="{{nginx_default_conf}}" state=absent
   when: nginx_remove_default_site
   notify: reload nginx
+
+- name: generate dh group
+  command: openssl dhparam -out {{nginx_dh_param}} {{nginx_dh_size}} creates={{nginx_dh_param}}
+  notify: reload nginx
diff --git a/templates/hardening.conf.j2 b/templates/hardening.conf.j2
@@ -10,7 +10,7 @@ limit_conn_zone {{nginx_limit_conn_zone}};
 limit_conn {{nginx_limit_conn}};
 ssl_protocols {{nginx_ssl_protocols}};
 ssl_ciphers {{nginx_ssl_ciphers}};
-ssl_dhparam {{nginx_dh_size}};
+ssl_dhparam {{nginx_dh_param}};
 ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}};
 {% for header in nginx_add_header %}
 add_header {{header}};
diff --git a/vars/Debian.yml b/vars/Debian.yml
@@ -1,3 +1,4 @@
+nginx_root_dir: '/etc/nginx'
 nginx_config_conf_dir: '/etc/nginx/conf.d'
 nginx_default_conf: '/etc/nginx/sites-enabled/default'
 nginx_service_name: 'nginx'
diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
@@ -1,3 +1,4 @@
+nginx_root_dir: '/etc/nginx'
 nginx_config_conf_dir: '/etc/nginx/conf.d'
 nginx_default_conf: '/etc/nginx/conf.d/default.conf'
 nginx_service_name: 'nginx'
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
@@ -1,3 +1,4 @@
+nginx_root_dir: '/etc/nginx'
 nginx_config_conf_dir: '/etc/nginx/conf.d'
 nginx_default_conf: '/etc/nginx/conf.d/default.conf'
 nginx_service_name: 'nginx'
