
Commit 328318b

tallen116gdzien
authored and committed
Advance SSL and proxy SSL settings (#100)
* Added stream template variables * Added logic in Stream template * Add udp variable * Add ssl protocols and ciphers * Add advance ssl to template * Add SSL variables
1 parent b7913c6 commit 328318b


4 files changed

+126
-0
lines changed


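--- a/README.md
+++ b/README.md
@@ -328,6 +328,10 @@ nginx_http_template:
 ssl:
 cert: /etc/ssl/certs/default.crt
 key: /etc/ssl/private/default.key
+protocols: TLSv1 TLSv1.1 TLSv1.2
+ciphers: HIGH:!aNULL:!MD5
+session_cache: none
+session_timeout: 5m
 web_server:
 locations:
 default:
@@ -362,6 +366,17 @@ nginx_http_template:
 backend:
 location: /
 proxy_pass: http://backend
+proxy_ssl:
+cert: /etc/ssl/certs/proxy_default.crt
+key: /etc/ssl/private/proxy_default.key
+trusted_cert: /etc/ssl/certs/proxy_ca.crt
+server_name: false
+name: server_name
+protocols: TLSv1 TLSv1.1 TLSv1.2
+ciphers: HIGH:!aNULL:!MD5
+verify: false
+verify_depth: 1
+session_reuse: true
 proxy_cache: frontend_proxy_cache
 proxy_temp_path:
 path: /var/cache/nginx/proxy/backend/temp
@@ -434,6 +449,17 @@ nginx_stream_template:
 proxy_timeout: 3s
 proxy_connect_timeout: 1s
 proxy_protocol: false
+proxy_ssl:
+cert: /etc/ssl/certs/proxy_default.crt
+key: /etc/ssl/private/proxy_default.key
+trusted_cert: /etc/ssl/certs/proxy_ca.crt
+server_name: false
+name: server_name
+protocols: TLSv1 TLSv1.1 TLSv1.2
+ciphers: HIGH:!aNULL:!MD5
+verify: false
+verify_depth: 1
+session_reuse: true
 health_check_plus: false
 upstreams:
 upstream1: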

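--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -170,6 +170,10 @@ nginx_http_template:
 ssl:
 cert: /etc/ssl/certs/default.crt
 key: /etc/ssl/private/default.key
+protocols: TLSv1 TLSv1.1 TLSv1.2
+ciphers: HIGH:!aNULL:!MD5
+session_cache: none
+session_timeout: 5m
 web_server:
 locations:
 default:
@@ -204,6 +208,15 @@ nginx_http_template:
 backend:
 location: /
 proxy_pass: http://backend
+proxy_ssl:
+cert: /etc/ssl/certs/proxy_default.crt
+key: /etc/ssl/private/proxy_default.key
+trusted_cert: /etc/ssl/certs/proxy_ca.crt
+protocols: TLSv1 TLSv1.1 TLSv1.2
+ciphers: HIGH:!aNULL:!MD5
+verify: false
+verify_depth: 1
+session_reuse: true
 proxy_cache: frontend_proxy_cache
 proxy_temp_path:
 path: /var/cache/nginx/proxy/backend/temp
@@ -275,6 +288,15 @@ nginx_stream_template:
 proxy_timeout: 3s
 proxy_connect_timeout: 1s
 proxy_protocol: false
+proxy_ssl:
+cert: /etc/ssl/certs/proxy_default.crt
+key: /etc/ssl/private/proxy_default.key
+trusted_cert: /etc/ssl/certs/proxy_ca.crt
+protocols: TLSv1 TLSv1.1 TLSv1.2
+ciphers: HIGH:!aNULL:!MD5
+verify: false
+verify_depth: 1
+session_reuse: true
 health_check_plus: false
 upstreams:
 upstream1: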
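Review bot: The new proxy_ssl defaults in the http hunk (and the parallel nginx_stream_template hunk below it) ship `trusted_cert: /etc/ssl/certs/proxy_ca.crt` next to `verify: false`, so the CA bundle is configured but the upstream certificate is never checked unless the operator remembers to flip the flag; either set `verify: true` or annotate the line, e.g. `verify: false  # upstream certificate is NOT validated until set to true; trusted_cert is only consulted when verification is on`. The `protocols: TLSv1 TLSv1.1 TLSv1.2` default, used for both `ssl` and `proxy_ssl`, also enables the two deprecated protocol versions; consider `protocols: TLSv1.2` (adding TLSv1.3 where the target nginx/OpenSSL supports it) or a comment explaining why the legacy versions are kept. Neither defaults hunk carries the `server_name`/`name` keys that the README's matching examples show; if they are intentionally optional, a one-line comment saying so keeps the two files from drifting apart.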

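--- a/templates/http/default.conf.j2
+++ b/templates/http/default.conf.j2
@@ -52,6 +52,18 @@ server {
 listen {{ item.value.port }} ssl;
 ssl_certificate {{ item.value.ssl.cert }};
 ssl_certificate_key {{ item.value.ssl.key }};
+{% if item.value.ssl.protocols is defined %}
+ssl_protocols {{ item.value.ssl.protocols }};
+{% endif %}
+{% if item.value.ssl.ciphers is defined %}
+ssl_ciphers {{ item.value.ssl.ciphers }};
+{% endif %}
+{% if item.value.ssl.session_cache is defined %}
+ssl_session_cache {{ item.value.ssl.session_cache }};
+{% endif %}
+{% if item.value.ssl.session_timeout is defined %}
+ssl_session_timeout {{ item.value.ssl.session_timeout }};
+{% endif %}
 {% else %}
 listen {{ item.value.port }};
 {% endif %}
@@ -75,6 +87,39 @@ server {
 auth_basic_user_file {{ item.value.reverse_proxy.locations[location].auth_basic_file }};
 {% endif %}
 proxy_pass {{ item.value.reverse_proxy.locations[location].proxy_pass }};
+{% if item.value.reverse_proxy.locations[location].proxy_ssl is defined %}
+
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.cert is defined %}
+proxy_ssl_certificate {{ item.value.reverse_proxy.locations[location].proxy_ssl.cert }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.key is defined %}
+proxy_ssl_certificate_key {{ item.value.reverse_proxy.locations[location].proxy_ssl.key }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.trusted_cert is defined %}
+proxy_ssl_trusted_certificate {{ item.value.reverse_proxy.locations[location].proxy_ssl.trusted_cert }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.server_name is defined %}
+proxy_ssl_server_name {{ item.value.reverse_proxy.locations[location].proxy_ssl.server_name | ternary("on", "off") }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.name is defined %}
+proxy_ssl_name {{ item.value.reverse_proxy.locations[location].proxy_ssl.name }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.protocols is defined %}
+proxy_ssl_protocols {{ item.value.reverse_proxy.locations[location].proxy_ssl.protocols }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.ciphers is defined %}
+proxy_ssl_ciphers {{ item.value.reverse_proxy.locations[location].proxy_ssl.ciphers }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.verify is defined %}
+proxy_ssl_verify {{ item.value.reverse_proxy.locations[location].proxy_ssl.verify | ternary("on", "off") }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.verify_depth is defined %}
+proxy_ssl_verify_depth {{ item.value.reverse_proxy.locations[location].proxy_ssl.verify_depth }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_ssl.session_reuse is defined %}
+proxy_ssl_session_reuse {{ item.value.reverse_proxy.locations[location].proxy_ssl.session_reuse | ternary("on", "off") }};
+{% endif %}
+{% endif %}
 {% if item.value.reverse_proxy.locations[location].proxy_redirect is defined %}
 proxy_redirect {{ item.value.reverse_proxy.locations[location].proxy_redirect | ternary(item.value.reverse_proxy.locations[location].proxy_redirect, "off") }};
 {% endif %}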
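Review bot: In the second hunk (new line 90 onward) the proxy_ssl_* directives are emitted whenever the `proxy_ssl` mapping exists, but in the http context nginx only applies them when `proxy_pass` points at an `https://` upstream, and the role's own defaults pair this block with `proxy_pass: http://backend`; an operator reading the rendered config may believe the upstream hop is encrypted and verified when it is plain HTTP. A template comment above the block, `{# proxy_ssl_* directives only take effect when proxy_pass uses https:// #}`, would make that visible, and a check on the proxy_pass scheme would make it enforceable. Separately, nginx refuses to load a config that turns proxy_ssl_verify on without a proxy_ssl_trusted_certificate (the error is, as far as I recall, "no proxy_ssl_trusted_certificate for proxy_ssl_verify"), so the `verify` branch here and the matching one in templates/stream/default.conf.j2 deserve a comment that `trusted_cert` must be set alongside `verify: true`. As a point of style, the repeated `item.value.reverse_proxy.locations[location].proxy_ssl` prefix could be bound once with `{% set proxy_ssl = item.value.reverse_proxy.locations[location].proxy_ssl %}` right after the outer `{% if %}`, which would also replace the stray blank line 91.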

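--- a/templates/stream/default.conf.j2
+++ b/templates/stream/default.conf.j2
@@ -42,6 +42,39 @@ server {
 {% else %}
 proxy_protocol off;
 {% endif %}
+{% if item.value.network_streams[stream].proxy_ssl is defined %}
+proxy_ssl on;
+{% if item.value.network_streams[stream].proxy_ssl.cert is defined %}
+proxy_ssl_certificate {{ item.value.network_streams[stream].proxy_ssl.cert }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.key is defined %}
+proxy_ssl_certificate_key {{ item.value.network_streams[stream].proxy_ssl.key }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.server_name is defined %}
+proxy_ssl_server_name {{ item.value.network_streams[stream].proxy_ssl.server_name | ternary("on", "off") }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.name is defined %}
+proxy_ssl_name {{ item.value.network_streams[stream].proxy_ssl.name }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.protocols is defined %}
+proxy_ssl_protocols {{ item.value.network_streams[stream].proxy_ssl.protocols }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.ciphers is defined %}
+proxy_ssl_ciphers {{ item.value.network_streams[stream].proxy_ssl.ciphers }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.trusted_cert is defined %}
+proxy_ssl_trusted_certificate {{ item.value.network_streams[stream].proxy_ssl.trusted_cert }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.verify is defined %}
+proxy_ssl_verify {{ item.value.network_streams[stream].proxy_ssl.verify | ternary("on", "off") }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.verify_depth is defined %}
+proxy_ssl_verify_depth {{ item.value.network_streams[stream].proxy_ssl.verify_depth }};
+{% endif %}
+{% if item.value.network_streams[stream].proxy_ssl.session_reuse is defined %}
+proxy_ssl_session_reuse {{ item.value.network_streams[stream].proxy_ssl.session_reuse | ternary("on", "off") }};
+{% endif %}
+{% endif %}
 {% if item.value.network_streams[stream].health_check_plus %}
 health_check;
 {% endif %}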
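Review bot: `proxy_ssl on;` (new line 46) is emitted as soon as the `proxy_ssl` mapping exists, but `proxy_ssl_verify` is only rendered when `verify` is explicitly defined and nginx's built-in default for it is off, so a stream that sets `trusted_cert` without `verify: true` still hands traffic to an upstream whose certificate is never validated. A comment next to the `proxy_ssl on;` line, `{# upstream certificate is NOT verified unless proxy_ssl.verify is true; trusted_cert alone has no effect #}`, would make the failure mode visible to whoever edits the vars; rendering the verify directive unconditionally with an explicit default would make it harder to miss. The directive order here also differs from templates/http/default.conf.j2 (trusted_cert follows ciphers here but follows key there), so aligning the two blocks would make them easier to compare.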
