From 90b2605cae98148428e84ce6772501aa64f7599b Mon Sep 17 00:00:00 2001 From: Pavel Usov Date: Thu, 26 Mar 2020 13:36:25 +0100 Subject: [PATCH] Add advanced SSL settings --- README.md | 4 ++++ defaults/main.yml | 5 +++++ tasks/main.yml | 6 ++++++ templates/nginx.conf.j2 | 5 +++++ 4 files changed, 20 insertions(+) diff --git a/README.md b/README.md index e285571..b37dab2 100644 --- a/README.md +++ b/README.md @@ -108,6 +108,10 @@ If you have many server names, or have very long server names, you might get an Set as the `proxy_cache_path` directive in the `nginx.conf` file. By default, this will not be configured (if left as an empty string), but if you wish to use Nginx as a reverse proxy, you can set this to a valid value (e.g. `"/var/cache/nginx keys_zone=cache:32m"`) to use Nginx's cache (further proxy configuration can be done in individual server configurations). + nginx_server_ssl_secure: false + +Set this to `true` to enable advanced SSL settings improving encryption strength. + nginx_extra_http_options: "" Extra lines to be inserted in the top-level `http` block in `nginx.conf`. The value should be defined literally (as you would insert it directly in the `nginx.conf`, adhering to the Nginx configuration syntax - such as `;` for line termination, etc.), for example: diff --git a/defaults/main.yml b/defaults/main.yml index 0509dbe..848260e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -39,6 +39,11 @@ nginx_client_max_body_size: "64m" nginx_server_names_hash_bucket_size: "64" +nginx_server_ssl_secure: false +nginx_server_ssl_dh_size: "4096" +nginx_server_ssl_dhparam: "/etc/ssl/certs/dhparam.pem" +nginx_server_ssl_ecdh_curve: "secp384r1" + nginx_proxy_cache_path: "" nginx_extra_conf_options: "" diff --git a/tasks/main.yml b/tasks/main.yml index bfb5fe4..d5edf97 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
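Review bot: The defaults hunk introduces four variables but the README hunk in this patch documents only `nginx_server_ssl_secure`; `nginx_server_ssl_dh_size`, `nginx_server_ssl_dhparam` and `nginx_server_ssl_ecdh_curve` have no description anywhere in the change, and their meaning is only recoverable from the tasks and template hunks. A short comment above the group in defaults/main.yml would help, e.g. `# Only used when nginx_server_ssl_secure is true: dh_size is the bit length passed to "openssl dhparam", dhparam is the generated file's path, ecdh_curve is passed to nginx's ssl_ecdh_curve.`, and the same three variables should get README entries next to the one this patch adds. Quoting "4096" as a string is correct here since the value is interpolated into a command line, not compared numerically.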
@@ -31,6 +31,12 @@ - import_tasks: vhosts.yml # Nginx setup. +- name: Generate DH param file + shell: + cmd: "openssl dhparam -out {{ nginx_server_ssl_dhparam }} {{ nginx_server_ssl_dh_size }}" + creates: "{{ nginx_server_ssl_dhparam }}" + when: nginx_server_ssl_secure + - name: Copy nginx configuration in place. template: src: "{{ nginx_conf_template }}" diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2 index 7cdec60..0d4dcf0 100644 --- a/templates/nginx.conf.j2 +++ b/templates/nginx.conf.j2 @@ -70,6 +70,11 @@ http { {% endfor %} {% endblock %} +{% if nginx_server_ssl_secure %} +ssl_dhparam {{ nginx_server_ssl_dhparam }}; +ssl_ecdh_curve {{ nginx_server_ssl_ecdh_curve }}; +{% endif %} + {% block http_includes %} include {{ nginx_conf_path }}/*.conf; {% if nginx_conf_path != nginx_vhost_path %}
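Review bot: The new "Generate DH param file" task runs two role variables through `shell:`, so any shell metacharacters in `nginx_server_ssl_dhparam` or `nginx_server_ssl_dh_size` (both overridable by the playbook author) are interpreted by the shell; nothing in the command needs a shell, and `command:` accepts the same `cmd:` and `creates:` keys, so changing the one line `shell:` to `command:` removes the interpretation while keeping idempotence via `creates`. If paths with spaces must be supported, the `argv:` form of `command` is the robust variant. Generating a 4096-bit group with `openssl dhparam` is also slow (typically minutes), which is worth stating in the task name or a comment so a first run with `nginx_server_ssl_secure: true` is not mistaken for a hang.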
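Review bot: The `{% if nginx_server_ssl_secure %}` block emits only `ssl_dhparam` and `ssl_ecdh_curve`; no `ssl_protocols` or `ssl_ciphers` directive is touched in this hunk, so the README sentence added in the same patch ("advanced SSL settings improving encryption strength") promises more than the template delivers and should be narrowed to the DH group and ECDH curve. Pinning `ssl_ecdh_curve` to the single default `secp384r1` also excludes every other curve; nginx accepts a colon-separated list for this directive, so a comment in the template such as `{# ssl_ecdh_curve accepts a list, e.g. "X25519:secp384r1"; a single curve limits client negotiation #}` would document that the variable may hold a list rather than one name. The surrounding `http {` block starts before this hunk.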