Add advanced SSL settings

README.md

@@ -108,6 +108,10 @@ If you have many server names, or have very long server names, you might get an
 
 Set as the `proxy_cache_path` directive in the `nginx.conf` file. By default, this will not be configured (if left as an empty string), but if you wish to use Nginx as a reverse proxy, you can set this to a valid value (e.g. `"/var/cache/nginx keys_zone=cache:32m"`) to use Nginx's cache (further proxy configuration can be done in individual server configurations).
 
+    nginx_server_ssl_secure: false
+
+Set this to `true` to enable advanced SSL settings improving encryption strength.
+
     nginx_extra_http_options: ""
 
 Extra lines to be inserted in the top-level `http` block in `nginx.conf`. The value should be defined literally (as you would insert it directly in the `nginx.conf`, adhering to the Nginx configuration syntax - such as `;` for line termination, etc.), for example:

defaults/main.yml

@@ -39,6 +39,11 @@ nginx_client_max_body_size: "64m"
 
 nginx_server_names_hash_bucket_size: "64"
 
+nginx_server_ssl_secure: false
+nginx_server_ssl_dh_size: "4096"
+nginx_server_ssl_dhparam: "/etc/ssl/certs/dhparam.pem"
+nginx_server_ssl_ecdh_curve: "secp384r1"
+
 nginx_proxy_cache_path: ""
 
 nginx_extra_conf_options: ""

tasks/main.yml

@@ -31,6 +31,12 @@
 - import_tasks: vhosts.yml
 
 # Nginx setup.
+- name: Generate DH param file
+  shell:
+    cmd: "openssl dhparam -out {{ nginx_server_ssl_dhparam }} {{ nginx_server_ssl_dh_size }}"
+    creates: "{{ nginx_server_ssl_dhparam }}"
+  when: nginx_server_ssl_secure
+
 - name: Copy nginx configuration in place.
   template:
     src: "{{ nginx_conf_template }}"

templates/nginx.conf.j2

@@ -70,6 +70,11 @@ http {
 {% endfor %}
 {% endblock %}
 
+{% if nginx_server_ssl_secure %}
+ssl_dhparam {{ nginx_server_ssl_dhparam }};
+ssl_ecdh_curve {{ nginx_server_ssl_ecdh_curve }};
+{% endif %}
+
 {% block http_includes %}
     include {{ nginx_conf_path }}/*.conf;
 {% if nginx_conf_path != nginx_vhost_path %}