infra/ansible-role-nginx
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fixed vhost config and ssl trusted certs

Browse source
This commit is contained in:
nd 2019-03-30 20:39:16 +01:00
parent 6d75684a40
commit 6d087a3938
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
2 changed files with 3 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
files/config/conf.d/ssl.conf
View file

@ -9,7 +9,6 @@ ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security "max-age=15768000"; add_header Strict-Transport-Security "max-age=15768000";
proxy_hide_header Strict-Transport-Security;
# OCSP Stapling --- # OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them # fetch OCSP records from URL in ssl_certificate and cache them

4
templates/vhost.j2
View file

@ -38,6 +38,9 @@ server {
proxy_hide_header Server; proxy_hide_header Server;
proxy_hide_header X-AspNetMvc-Version; proxy_hide_header X-AspNetMvc-Version;
proxy_hide_header X-AspNet-Version; proxy_hide_header X-AspNet-Version;
# no double headers
proxy_hide_header Strict-Transport-Security;
} }
{% endif %} {% endif %}
@ -50,7 +53,6 @@ server {
{% if vhost.letsencrypt|d(False) %} {% if vhost.letsencrypt|d(False) %}
ssl_certificate /etc/ssl/letsencrypt_{{ vhost_name }}_chained.crt; ssl_certificate /etc/ssl/letsencrypt_{{ vhost_name }}_chained.crt;
ssl_certificate_key /etc/ssl/private/letsencrypt_{{ vhost_name }}.key; ssl_certificate_key /etc/ssl/private/letsencrypt_{{ vhost_name }}.key;
ssl_trusted_certificate /etc/ssl/letsencrypt_full_chain.crt;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_stapling on; ssl_stapling on;
{% endif %} {% endif %}