Add setting to disable nginx TLS cipher config

bf3f5aec · mal · 8e4cf925 · bf3f5aec · bf3f5aec · bf3f5aec
Verified Commit bf3f5aec authored 4 years ago by mal
--- a/README.md
+++ b/README.md
@@ -134,6 +134,7 @@ Role Variables
 | `funkwhale_media_path`                  | `/srv/funkwhale/data/media`   | Path where audio and uploaded files should be stored (**no trailing slash**)  |
 | `funkwhale_music_path`                  | `/srv/funkwhale/data/music`   | Path to your existing music library, to use with [CLI import](https://docs.funkwhale.audio/admin/importing-music.html) (**no trailing slash**) |
 | `funkwhale_nginx_managed`               | `true`                        | If `true`, will install and configure nginx |
+| `funkwhale_nginx_tls_configure_ciphers` | `true`                        | Set TLS ciphers, curves, etc, overriding any settings in http{} |
 | `funkwhale_nginx_max_body_size`         | `100M`                        | Value of nginx's `max_body_size` parameter to use |
 | `funkwhale_protocol`                    | `https`                       | If set to `https`, will configure Funkwhale and Nginx to work behind HTTPS. Use `http` to completely disable SSL. |
 | `funkwhale_redis_managed`               | `true`                        | If `true`, will install and configure redis |

--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -26,8 +26,9 @@ funkwhale_database_port: 5432
 #funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
 funkwhale_nginx_managed: true
-# If you have an hTTPS reverse proxy higher up, set this to true
+# If you have an HTTPS reverse proxy higher up, set this to true
 funkwhale_nginx_tls_termination: true
+funkwhale_nginx_tls_configure_ciphers: true
 funkwhale_nginx_max_body_size: 100M
 funkwhale_nginx_use_compression: true
 funkwhale_ssl_cert_path:

--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -20,6 +20,7 @@ server {
    ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
    {% endif -%}
+    {% if funkwhale_nginx_tls_configure_ciphers -%}
    # from https://cipherli.st/
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
@@ -29,6 +30,7 @@ server {
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
+    {% endif -%}
    add_header Strict-Transport-Security "max-age=63072000; preload";
    {% endif -%}
@@ -67,9 +69,9 @@ server {
        text/x-cross-domain-policy;
    {% else -%}
    gzip off;
-    {% endif %}
+    {% endif -%}
    # end of compression settings
    location / {
        include /etc/nginx/funkwhale_proxy.conf;
        # this is needed if you have file import via upload enabled