From 2082242499bab3c8a91f294eb3aaba451c2b27fc Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Wed, 16 Dec 2020 10:35:37 +0100 Subject: [PATCH 01/10] Add `matrix_nginx_proxy_ssl_config` A new variable called `matrix_nginx_proxy_ssl_config` is created for configuring how the nginx proxy configures SSL. Also a new configuration validation option and other auxiliary variables are created. A new variable configuration called `matrix_nginx_proxy_ssl_config` is created. This allow to set the SSL configuration easily using the default options proposed by Mozilla. The default configuration is set to "Intermediate", removing the weak ciphers used in the old configurations. The new variable can also be set to "Custom" for a more granular control. This allows to set another three variables called: - `matrix_nginx_proxy_ssl_protocols`, - `matrix_nginx_proxy_ssl_prefer_server_ciphers` - `matrix_nginx_proxy_ssl_ciphers` Also a new task is added to validate the SSL configuration variable. --- roles/matrix-nginx-proxy/defaults/main.yml | 28 +++++++++++- .../tasks/validate_config.yml | 6 +++ .../conf.d/matrix-client-element.conf.j2 | 24 ++++++++-- .../nginx/conf.d/matrix-dimension.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-domain.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-jitsi.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-riot-web.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-synapse.conf.j2 | 45 +++++++++++++++++-- 8 files changed, 175 insertions(+), 16 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7331c589..224998c3 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -217,9 +217,35 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # a new SSL certificate could go into effect. matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" -# Specifies which SSL protocols to use when serving all the various vhosts +# Specifies the SSL configuration that should be used for the SSL protocols and ciphers +# This is based on the Mozilla Server Side TLS Recommended configurations. +# +# The posible values are: +# - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +# - "Intermediate" - Recommended configuration for a general-purpose server +# - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +# - "Custom" - For defining your own protocols an ciphers +# +# For more information visit: +# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations +# - https://ssl-config.mozilla.org/#server=nginx +matrix_nginx_proxy_ssl_config: "Intermediate" + +# Specifies which *SSL protocols* to use when serving all the various vhosts. +# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" +# Specifies whether to prefer *the client’s choice or the server’s choice* when +# negociating the chipher to serve all the various vhost +# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" + +# Specifies which *SSL Cipher suites* to use when serving all the various vhosts. +# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +# To see the full list for suportes ciphers run `openssl ciphers` on your server +# Remember to use '' and "" if you are specified a list of ciphers +matrix_nginx_proxy_ssl_ciphers: '"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"' + # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 993fc150..0b737662 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -18,3 +18,9 @@ msg: >- `matrix_ssl_retrieval_method` needs to be set to a known value. when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" + +- name: Fail on unknown matrix_nginx_proxy_ssl_config + fail: + msg: >- + `matrix_nginx_proxy_ssl_config` needs to be set to a known value. + when: "matrix_nginx_proxy_ssl_config not in ['Custom', 'Old', 'Intermediate', 'Modern']" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index cbabc9f6..69a61a39 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -5,7 +5,7 @@ gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; + add_header X-Frame-Options SAMEORIGIN; {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} @@ -67,9 +67,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index b041d3ca..fce652eb 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -65,9 +65,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 027f2d31..be659305 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -58,9 +58,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 500f1943..d08ac7be 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -86,9 +86,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 3ef42815..11b8a0fd 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -51,9 +51,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index adbee18e..a32b7bad 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -203,9 +203,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } @@ -235,9 +253,28 @@ server { {% if matrix_nginx_proxy_https_enabled %} ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} + {% endif %} location / { From ff6db5fd3b212630e4335a30a67a66b615829e2f Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Wed, 16 Dec 2020 10:50:08 +0100 Subject: [PATCH 02/10] Document the new variables for ngingx SSL config The new variables created to the nginx reverse proxy are properly added to the documentation. --- docs/configuring-playbook-nginx.md | 23 ++++++++++++++++++++++ docs/configuring-playbook-own-webserver.md | 3 ++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 945864e9..39a96e40 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -24,6 +24,29 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: - 1.1.1.1 ``` +## Adjusting SSL in your server + +You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS +Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. +The posible values are: + +- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- "Intermediate" - Recommended configuration for a general-purpose server +- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +- "Custom" - For defining your own protocols an ciphers + +The default is set to `"Intermediate"`. + +**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the +[Federarion tester](https://federationtester.matrix.org/) won't work. + +If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set: + +- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. +- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". +- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx. + +For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. ## Synapse + OpenID Connect for Single-Sign-On diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index c930da40..4f0d3591 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -48,10 +48,11 @@ Those configuration files are adapted for use with an external web server (one n You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` -Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: +Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: ```yaml # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. +matrix_nginx_proxy_ssl_config: "Custom" matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` From 49b3cc024bd4ff8c94f74beacaf3228593e30e5c Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Wed, 16 Dec 2020 10:53:11 +0100 Subject: [PATCH 03/10] Document the SSL changes in the CHANGELOG The breaking changes are properly documented in the CHANGELOG.md file. The date used is specified as XXXX-XX-XX and should be modified at the moment of merge. --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 946ec5b0..8473b4aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# XXXX-XX-XX + +## New SSL Configuration + +A new variable `matrix_nginx_proxy_ssl_config`, bringing some breaking changes. The default configuration is set to `"Intermadiate"`. +This changes `ssl_prefer_server_ciphers` to `off` by default instead of `off`. It also add some more ciphers to the list, this should +give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). +To revert to the old behaviour just set `matrix_nginx_proxy_ssl_config` to `"Custom"` and don't change any of the other variables. + +If you are setting `matrix_nginx_proxy_ssl_protocols` to a custom value, you will need to `matrix_nginx_proxy_ssl_config` to `"Custom"`, +otherwise it this variable will be ignored. + # 2020-12-11 ## synapse-janitor support removed From 25d423e6b62a318f0021c7caa1f653368bb0b49a Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Fri, 8 Jan 2021 11:20:29 +0100 Subject: [PATCH 04/10] Fix errors per spantaleev suggestions The different configurations are now all lower case, for consistent naming. `matrix_nginx_proxy_ssl_config` is now called `matrix_nginx_proxy_ssl_preset`. The different options for "modern", "intermediate" and "old" are stored in the main.yml file, instead of being hardcoded in the configuration files. This will improve the maintainability of the code. The "custom" preset was removed. Now if one of the variables is set, it will use it instead of the preset. This will allow to mix and match more easily, for example using all the intermediate options but only supporting TLSv1.2. This will also provide better backward compatibility. --- CHANGELOG.md | 12 ++-- docs/configuring-playbook-nginx.md | 15 +++-- docs/configuring-playbook-own-webserver.md | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 45 ++++++++++---- .../tasks/validate_config.yml | 4 +- .../conf.d/matrix-client-element.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-dimension.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-domain.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-jitsi.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-riot-web.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-synapse.conf.j2 | 62 +++++++++---------- 11 files changed, 154 insertions(+), 142 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2833b4bb..854156e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,13 +2,15 @@ ## New SSL Configuration -A new variable `matrix_nginx_proxy_ssl_config`, bringing some breaking changes. The default configuration is set to `"Intermadiate"`. -This changes `ssl_prefer_server_ciphers` to `off` by default instead of `off`. It also add some more ciphers to the list, this should +A new variable `matrix_nginx_proxy_ssl_preset`, bringing some breaking changes. The default configuration is set to `"intermediate"`. +This changes `ssl_prefer_server_ciphers` to `off` by default instead of `on`. It also add some more ciphers to the list, this should give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). -To revert to the old behaviour just set `matrix_nginx_proxy_ssl_config` to `"Custom"` and don't change any of the other variables. +To revert to the old behaviour just set the following variables: -If you are setting `matrix_nginx_proxy_ssl_protocols` to a custom value, you will need to `matrix_nginx_proxy_ssl_config` to `"Custom"`, -otherwise it this variable will be ignored. +```yaml +matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" +``` # 2021-01-03 diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index dffd962f..a95fbf72 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -26,21 +26,20 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ## Adjusting SSL in your server -You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS +You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_preset`. This is based on the Mozilla Server Side TLS Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. The posible values are: -- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -- "Intermediate" - Recommended configuration for a general-purpose server -- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -- "Custom" - For defining your own protocols an ciphers +- "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- "intermediate" - Recommended configuration for a general-purpose server +- "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -The default is set to `"Intermediate"`. +The default is set to `"intermediate"`. -**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the +**Be really carefull when setting it to "modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the [Federarion tester](https://federationtester.matrix.org/) won't work. -If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set: +If you want to override one of the values used by the preset, you can use this three variables: - `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. - `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index ee4402b3..915c2c37 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -48,11 +48,10 @@ Those configuration files are adapted for use with an external web server (one n You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` -Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: +Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: ```yaml # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. -matrix_nginx_proxy_ssl_config: "Custom" matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index e2fc107e..f88dbc7e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -223,30 +223,49 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # This is based on the Mozilla Server Side TLS Recommended configurations. # # The posible values are: -# - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -# - "Intermediate" - Recommended configuration for a general-purpose server -# - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -# - "Custom" - For defining your own protocols an ciphers +# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +# - "intermediate" - Recommended configuration for a general-purpose server +# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 # # For more information visit: # - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # - https://ssl-config.mozilla.org/#server=nginx -matrix_nginx_proxy_ssl_config: "Intermediate" +matrix_nginx_proxy_ssl_preset: "intermediate" + +# This are the presets as taken from Mozilla's Server Side TLS Recommended configurations +# DO NOT modify this values and use `matrix_nginx_proxy_ssl_protocols` and `matrix_nginx_proxy_ssl_ciphers` +matrix_nginx_proxy_ssl_presets: + modern: + protocols: TLSv1.3 + ciphers: "" + prefer_server_ciphers: "off" + intermediate: + protocols: TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + prefer_server_ciphers: "off" + old: + protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA + prefer_server_ciphers: "on" + # Specifies which *SSL protocols* to use when serving all the various vhosts. -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" -matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" +# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override +# the values from the preset +matrix_nginx_proxy_ssl_protocols: "" # Specifies whether to prefer *the client’s choice or the server’s choice* when -# negociating the chipher to serve all the various vhost -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" -matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" +# negociating the chipher to serve all the various vhost. +# +# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override +# the values from the preset +matrix_nginx_proxy_ssl_prefer_server_ciphers: "" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +# By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override +# the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server -# Remember to use '' and "" if you are specified a list of ciphers -matrix_nginx_proxy_ssl_ciphers: '"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"' +matrix_nginx_proxy_ssl_ciphers: "" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 0b737662..c12017f3 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -22,5 +22,5 @@ - name: Fail on unknown matrix_nginx_proxy_ssl_config fail: msg: >- - `matrix_nginx_proxy_ssl_config` needs to be set to a known value. - when: "matrix_nginx_proxy_ssl_config not in ['Custom', 'Old', 'Intermediate', 'Modern']" + `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. + when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 69a61a39..6d1583fd 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -68,25 +68,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index fce652eb..4557ce26 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -66,25 +66,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index be659305..0e07fa9f 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -59,25 +59,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index d08ac7be..1da48f4d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -87,25 +87,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 11b8a0fd..f4bf909d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -52,25 +52,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index a32b7bad..0455922a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -204,25 +204,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} {{ render_vhost_directives() }} @@ -254,25 +253,24 @@ server { ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {% endif %} From 5156c63a76ad963a682a478312b854cea7a02eae Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Fri, 8 Jan 2021 18:35:27 +0100 Subject: [PATCH 05/10] Clean up code Code was clean up and simplified to make it simpler and easier to maintain. No features were modified. --- roles/matrix-nginx-proxy/defaults/main.yml | 6 +-- .../conf.d/matrix-client-element.conf.j2 | 18 +------- .../nginx/conf.d/matrix-dimension.conf.j2 | 18 +------- .../nginx/conf.d/matrix-domain.conf.j2 | 18 +------- .../nginx/conf.d/matrix-jitsi.conf.j2 | 18 +------- .../nginx/conf.d/matrix-riot-web.conf.j2 | 18 +------- .../nginx/conf.d/matrix-synapse.conf.j2 | 42 ++++--------------- 7 files changed, 20 insertions(+), 118 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index f88dbc7e..648779b4 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -252,20 +252,20 @@ matrix_nginx_proxy_ssl_presets: # Specifies which *SSL protocols* to use when serving all the various vhosts. # By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override # the values from the preset -matrix_nginx_proxy_ssl_protocols: "" +matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" # Specifies whether to prefer *the client’s choice or the server’s choice* when # negociating the chipher to serve all the various vhost. # # By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override # the values from the preset -matrix_nginx_proxy_ssl_prefer_server_ciphers: "" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. # By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override # the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server -matrix_nginx_proxy_ssl_ciphers: "" +matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 6d1583fd..8e665298 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -68,25 +68,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 4557ce26..abfccbc1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -66,25 +66,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 0e07fa9f..1ffd95e5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -59,25 +59,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 1da48f4d..91c94de7 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -87,25 +87,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index f4bf909d..87bef2f3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -52,25 +52,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 0455922a..6640054e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -204,25 +204,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} {{ render_vhost_directives() }} } @@ -253,25 +239,11 @@ server { ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; - {% endif %} + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {% endif %} From 4bc8193f698945230d7dd848ce25cb2fe931b438 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:13:01 +0200 Subject: [PATCH 06/10] Fix typos and improve wording --- docs/configuring-playbook-nginx.md | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index a95fbf72..ba6c5c12 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -26,26 +26,24 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ## Adjusting SSL in your server -You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_preset`. This is based on the Mozilla Server Side TLS -Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. -The posible values are: +You can adjust how the SSL is served by the nginx server using the `matrix_nginx_proxy_ssl_preset` variable. We support a few presets, based on the Mozilla Server Side TLS +Recommended configurations. These presets influence the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. +Possible values are: -- "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -- "intermediate" - Recommended configuration for a general-purpose server -- "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +- `"modern"` - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- `"intermediate"` (**default**) - Recommended configuration for a general-purpose server +- `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -The default is set to `"intermediate"`. +**Be really carefull when setting it to `"modern"`**. This could break comunication with other Matrix servers, limiting your federation posibilities. The +[Federarion tester](https://federationtester.matrix.org/) also won't work. -**Be really carefull when setting it to "modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the -[Federarion tester](https://federationtester.matrix.org/) won't work. - -If you want to override one of the values used by the preset, you can use this three variables: +Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables: - `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. -- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". +- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negotiating the cipher. It can set to `on` or `off`. - `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx. -For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. +For more information about these variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. ## Synapse + OpenID Connect for Single-Sign-On From de6ecd8818db9c49d1e2ef9f4ca0d263802a1672 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:15:14 +0200 Subject: [PATCH 07/10] Update inaccurate comments --- roles/matrix-nginx-proxy/defaults/main.yml | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 648779b4..b02ecf91 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -232,8 +232,9 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # - https://ssl-config.mozilla.org/#server=nginx matrix_nginx_proxy_ssl_preset: "intermediate" -# This are the presets as taken from Mozilla's Server Side TLS Recommended configurations -# DO NOT modify this values and use `matrix_nginx_proxy_ssl_protocols` and `matrix_nginx_proxy_ssl_ciphers` +# Presets are taken from Mozilla's Server Side TLS Recommended configurations +# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers` +# if you wish to use something more custom. matrix_nginx_proxy_ssl_presets: modern: protocols: TLSv1.3 @@ -250,20 +251,12 @@ matrix_nginx_proxy_ssl_presets: # Specifies which *SSL protocols* to use when serving all the various vhosts. -# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override -# the values from the preset matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" -# Specifies whether to prefer *the client’s choice or the server’s choice* when -# negociating the chipher to serve all the various vhost. -# -# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override -# the values from the preset +# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers. matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. -# By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override -# the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" From 5822ba0c01fbc4bcd06963c29876fdfe620f2e81 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:21:33 +0200 Subject: [PATCH 08/10] Use a more natural if statement --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 4 ++-- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 8e665298..29641021 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -69,7 +69,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index abfccbc1..04f0e63d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -67,7 +67,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 1ffd95e5..3db17292 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -60,7 +60,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 91c94de7..ca5d5a22 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -88,7 +88,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 87bef2f3..1f7c3f97 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -53,7 +53,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 6640054e..a6c93268 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -205,7 +205,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; @@ -240,7 +240,7 @@ server { ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; From f7ae050eaf9e6169caaec0bf26ffcfbfe4544ae2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:22:44 +0200 Subject: [PATCH 09/10] Remove useless quotes around ssl_ciphers value Not sure if it breaks with them or not, but no other directive uses quotes and the nginx docs show examples without quotes, so we're being consistent with all of that. --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 4 ++-- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 29641021..f56d7fd5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -70,7 +70,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 04f0e63d..038d3557 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -68,7 +68,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 3db17292..227747a5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -61,7 +61,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index ca5d5a22..eb3d67b1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -89,7 +89,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 1f7c3f97..a70dcea3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -54,7 +54,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index a6c93268..1b4c0a8d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -206,7 +206,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; @@ -241,7 +241,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; From 95ebff1ef19fa63b04e44c10fc4b47336bb75909 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:30:13 +0200 Subject: [PATCH 10/10] Announce nginx SSL configuration presets --- CHANGELOG.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 854156e8..bb60561e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,17 +1,25 @@ -# XXXX-XX-XX +# 2021-01-08 -## New SSL Configuration +## (Breaking Change) New SSL configuration -A new variable `matrix_nginx_proxy_ssl_preset`, bringing some breaking changes. The default configuration is set to `"intermediate"`. -This changes `ssl_prefer_server_ciphers` to `off` by default instead of `on`. It also add some more ciphers to the list, this should -give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). -To revert to the old behaviour just set the following variables: +SSL configuration (protocols, ciphers) can now be more easily controlled thanks to us making use of configuration presets. + +We define a few presets (old, intermediate, modern), following the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=nginx). + +A new variable `matrix_nginx_proxy_ssl_preset` controls which preset is used (defaults to `"intermediate"`). + +Compared to before, this changes nginx's `ssl_prefer_server_ciphers` to `off` (used to default to `on`). It also add some more ciphers to the list, giving better performance on mobile devices, and removes some weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). + +To revert to the old behaviour, set the following variables: ```yaml matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" ``` +Just like before, you can still use your own custom protocols by specifying them in `matrix_nginx_proxy_ssl_protocols`. Doing so overrides the values coming from the preset. + + # 2021-01-03 ## Signal bridging support via mautrix-signal