From 25d423e6b62a318f0021c7caa1f653368bb0b49a Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Fri, 8 Jan 2021 11:20:29 +0100 Subject: [PATCH] Fix errors per spantaleev suggestions The different configurations are now all lower case, for consistent naming. `matrix_nginx_proxy_ssl_config` is now called `matrix_nginx_proxy_ssl_preset`. The different options for "modern", "intermediate" and "old" are stored in the main.yml file, instead of being hardcoded in the configuration files. This will improve the maintainability of the code. The "custom" preset was removed. Now if one of the variables is set, it will use it instead of the preset. This will allow to mix and match more easily, for example using all the intermediate options but only supporting TLSv1.2. This will also provide better backward compatibility. --- CHANGELOG.md | 12 ++-- docs/configuring-playbook-nginx.md | 15 +++-- docs/configuring-playbook-own-webserver.md | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 45 ++++++++++---- .../tasks/validate_config.yml | 4 +- .../conf.d/matrix-client-element.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-dimension.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-domain.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-jitsi.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-riot-web.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-synapse.conf.j2 | 62 +++++++++---------- 11 files changed, 154 insertions(+), 142 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2833b4bb4..854156e8f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,13 +2,15 @@ ## New SSL Configuration -A new variable `matrix_nginx_proxy_ssl_config`, bringing some breaking changes. The default configuration is set to `"Intermadiate"`. -This changes `ssl_prefer_server_ciphers` to `off` by default instead of `off`. It also add some more ciphers to the list, this should +A new variable `matrix_nginx_proxy_ssl_preset`, bringing some breaking changes. The default configuration is set to `"intermediate"`. +This changes `ssl_prefer_server_ciphers` to `off` by default instead of `on`. It also add some more ciphers to the list, this should give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). -To revert to the old behaviour just set `matrix_nginx_proxy_ssl_config` to `"Custom"` and don't change any of the other variables. +To revert to the old behaviour just set the following variables: -If you are setting `matrix_nginx_proxy_ssl_protocols` to a custom value, you will need to `matrix_nginx_proxy_ssl_config` to `"Custom"`, -otherwise it this variable will be ignored. +```yaml +matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" +``` # 2021-01-03 diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index dffd962ff..a95fbf722 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -26,21 +26,20 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ## Adjusting SSL in your server -You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS +You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_preset`. This is based on the Mozilla Server Side TLS Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. The posible values are: -- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -- "Intermediate" - Recommended configuration for a general-purpose server -- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -- "Custom" - For defining your own protocols an ciphers +- "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- "intermediate" - Recommended configuration for a general-purpose server +- "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -The default is set to `"Intermediate"`. +The default is set to `"intermediate"`. -**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the +**Be really carefull when setting it to "modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the [Federarion tester](https://federationtester.matrix.org/) won't work. -If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set: +If you want to override one of the values used by the preset, you can use this three variables: - `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. - `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index ee4402b34..915c2c375 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -48,11 +48,10 @@ Those configuration files are adapted for use with an external web server (one n You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` -Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: +Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: ```yaml # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. -matrix_nginx_proxy_ssl_config: "Custom" matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index e2fc107eb..f88dbc7e9 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -223,30 +223,49 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # This is based on the Mozilla Server Side TLS Recommended configurations. # # The posible values are: -# - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -# - "Intermediate" - Recommended configuration for a general-purpose server -# - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -# - "Custom" - For defining your own protocols an ciphers +# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +# - "intermediate" - Recommended configuration for a general-purpose server +# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 # # For more information visit: # - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # - https://ssl-config.mozilla.org/#server=nginx -matrix_nginx_proxy_ssl_config: "Intermediate" +matrix_nginx_proxy_ssl_preset: "intermediate" + +# This are the presets as taken from Mozilla's Server Side TLS Recommended configurations +# DO NOT modify this values and use `matrix_nginx_proxy_ssl_protocols` and `matrix_nginx_proxy_ssl_ciphers` +matrix_nginx_proxy_ssl_presets: + modern: + protocols: TLSv1.3 + ciphers: "" + prefer_server_ciphers: "off" + intermediate: + protocols: TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + prefer_server_ciphers: "off" + old: + protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA + prefer_server_ciphers: "on" + # Specifies which *SSL protocols* to use when serving all the various vhosts. -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" -matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" +# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override +# the values from the preset +matrix_nginx_proxy_ssl_protocols: "" # Specifies whether to prefer *the client’s choice or the server’s choice* when -# negociating the chipher to serve all the various vhost -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" -matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" +# negociating the chipher to serve all the various vhost. +# +# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override +# the values from the preset +matrix_nginx_proxy_ssl_prefer_server_ciphers: "" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +# By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override +# the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server -# Remember to use '' and "" if you are specified a list of ciphers -matrix_nginx_proxy_ssl_ciphers: '"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"' +matrix_nginx_proxy_ssl_ciphers: "" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 0b737662a..c12017f37 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -22,5 +22,5 @@ - name: Fail on unknown matrix_nginx_proxy_ssl_config fail: msg: >- - `matrix_nginx_proxy_ssl_config` needs to be set to a known value. - when: "matrix_nginx_proxy_ssl_config not in ['Custom', 'Old', 'Intermediate', 'Modern']" + `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. + when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 69a61a394..6d1583fd8 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -68,25 +68,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index fce652eb3..4557ce26c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -66,25 +66,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index be659305a..0e07fa9f6 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -59,25 +59,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index d08ac7be5..1da48f4dc 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -87,25 +87,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 11b8a0fd4..f4bf909d1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -52,25 +52,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index a32b7bad6..0455922a8 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -204,25 +204,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} {{ render_vhost_directives() }} @@ -254,25 +253,24 @@ server { ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {% endif %}