Merge pull request #224 from ESGF/ansible-ssl-improvements

    - "{{ ssl_private_key_path }}"

- name: Create Ephemeral Diffie-Helman parameters file

  command: openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 4096

  command: openssl dhparam -dsaparam -out /esg/config/proxy/ssl/dhparam.pem 4096

  args:

    creates: /esg/config/proxy/ssl/dhparam.pem

  when: generate_dhparam

      # Mount the Nginx configuration for the proxy

      - "/esg/config/proxy/conf.d:/etc/nginx/conf.d:ro"

      # Mount any SSL files for the proxy

      - "/esg/config/proxy/ssl:/etc/nginx/ssl:ro"

      - "/esg/config/proxy/ssl:/etc/nginx/tls:ro"

    state: started

    recreate: yes

    # Use the Docker embedded DNS server to allow us to resolve container names

    resolver 127.0.0.11 ipv6=off;

    ssl_certificate     /etc/nginx/ssl/proxy.crt;

    ssl_certificate_key /etc/nginx/ssl/proxy.key;

    ssl_certificate     /etc/nginx/tls/proxy.crt;

    ssl_certificate_key /etc/nginx/tls/proxy.key;

    ssl_trusted_certificate /etc/nginx/tls/proxy.crt;

    # SSL configuration from Mozilla SSL config generator

    # https://mozilla.github.io/server-side-tls/ssl-config-generator/

    ssl_session_timeout 1d;

    ssl_session_cache shared:SSL:50m;

    ssl_session_tickets off;

    {% if generate_dhparam %}

    # Diffie-Hellman parameter for DHE ciphersuites

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    {% endif %}

    # Enables server-side protection from BEAST attacks

    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html

    ssl_prefer_server_ciphers on;

    # Disable SSLv3 since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES';

    ssl_stapling on;

    ssl_stapling_verify on;

    ssl_trusted_certificate /etc/nginx/ssl/proxy.crt;

    # Enable HSTS (HTTP Strict Transport Security) to avoid ssl stripping

    # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security

    # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping

    # 15768000 seconds = 6 months

    add_header Strict-Transport-Security max-age=15768000;

    # Additional SSL configuration parameters to ensure secure connections

    include /etc/nginx/includes/ssl_params.conf;

    # By default, return 404

    location / {