Fix errors per spantaleev suggestions
The different configurations are now all lower case, for consistent naming. `matrix_nginx_proxy_ssl_config` is now called `matrix_nginx_proxy_ssl_preset`. The different options for "modern", "intermediate" and "old" are stored in the main.yml file, instead of being hardcoded in the configuration files. This will improve the maintainability of the code. The "custom" preset was removed. Now if one of the variables is set, it will use it instead of the preset. This will allow to mix and match more easily, for example using all the intermediate options but only supporting TLSv1.2. This will also provide better backward compatibility.
This commit is contained in:
Agustin Ferrario
@ -223,30 +223,49 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
||||
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
||||
#
|
||||
# The posible values are:
|
||||
# - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||||
# - "Intermediate" - Recommended configuration for a general-purpose server
|
||||
# - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||||
# - "Custom" - For defining your own protocols an ciphers
|
||||
# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||||
# - "intermediate" - Recommended configuration for a general-purpose server
|
||||
# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||||
#
|
||||
# For more information visit:
|
||||
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||
# - https://ssl-config.mozilla.org/#server=nginx
|
||||
matrix_nginx_proxy_ssl_config: "Intermediate"
|
||||
matrix_nginx_proxy_ssl_preset: "intermediate"
|
||||
|
||||
# This are the presets as taken from Mozilla's Server Side TLS Recommended configurations
|
||||
# DO NOT modify this values and use `matrix_nginx_proxy_ssl_protocols` and `matrix_nginx_proxy_ssl_ciphers`
|
||||
matrix_nginx_proxy_ssl_presets:
|
||||
modern:
|
||||
protocols: TLSv1.3
|
||||
ciphers: ""
|
||||
prefer_server_ciphers: "off"
|
||||
intermediate:
|
||||
protocols: TLSv1.2 TLSv1.3
|
||||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
prefer_server_ciphers: "off"
|
||||
old:
|
||||
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
||||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
||||
prefer_server_ciphers: "on"
|
||||
|
||||
|
||||
# Specifies which *SSL protocols* to use when serving all the various vhosts.
|
||||
# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config"
|
||||
matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
|
||||
# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override
|
||||
# the values from the preset
|
||||
matrix_nginx_proxy_ssl_protocols: ""
|
||||
|
||||
# Specifies whether to prefer *the client’s choice or the server’s choice* when
|
||||
# negociating the chipher to serve all the various vhost
|
||||
# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config"
|
||||
matrix_nginx_proxy_ssl_prefer_server_ciphers: "on"
|
||||
# negociating the chipher to serve all the various vhost.
|
||||
#
|
||||
# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override
|
||||
# the values from the preset
|
||||
matrix_nginx_proxy_ssl_prefer_server_ciphers: ""
|
||||
|
||||
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
|
||||
# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config"
|
||||
# By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override
|
||||
# the values from the preset.
|
||||
# To see the full list for suportes ciphers run `openssl ciphers` on your server
|
||||
# Remember to use '' and "" if you are specified a list of ciphers
|
||||
matrix_nginx_proxy_ssl_ciphers: '"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"'
|
||||
matrix_nginx_proxy_ssl_ciphers: ""
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_nginx_proxy_self_check_validate_certificates: true
|
||||
|
||||
Reference in New Issue
Block a user