Verified Commit bf3f5aec authored by mal's avatar mal

Add setting to disable nginx TLS cipher config

parent 8e4cf925
1 merge request!21Add setting to disable nginx TLS cipher config
...@@ -134,6 +134,7 @@ Role Variables ...@@ -134,6 +134,7 @@ Role Variables
| `funkwhale_media_path` | `/srv/funkwhale/data/media` | Path where audio and uploaded files should be stored (**no trailing slash**) | | `funkwhale_media_path` | `/srv/funkwhale/data/media` | Path where audio and uploaded files should be stored (**no trailing slash**) |
| `funkwhale_music_path` | `/srv/funkwhale/data/music` | Path to your existing music library, to use with [CLI import](https://docs.funkwhale.audio/admin/importing-music.html) (**no trailing slash**) | | `funkwhale_music_path` | `/srv/funkwhale/data/music` | Path to your existing music library, to use with [CLI import](https://docs.funkwhale.audio/admin/importing-music.html) (**no trailing slash**) |
| `funkwhale_nginx_managed` | `true` | If `true`, will install and configure nginx | | `funkwhale_nginx_managed` | `true` | If `true`, will install and configure nginx |
| `funkwhale_nginx_tls_configure_ciphers` | `true` | Set TLS ciphers, curves, etc, overriding any settings in http{} |
| `funkwhale_nginx_max_body_size` | `100M` | Value of nginx's `max_body_size` parameter to use | | `funkwhale_nginx_max_body_size` | `100M` | Value of nginx's `max_body_size` parameter to use |
| `funkwhale_protocol` | `https` | If set to `https`, will configure Funkwhale and Nginx to work behind HTTPS. Use `http` to completely disable SSL. | | `funkwhale_protocol` | `https` | If set to `https`, will configure Funkwhale and Nginx to work behind HTTPS. Use `http` to completely disable SSL. |
| `funkwhale_redis_managed` | `true` | If `true`, will install and configure redis | | `funkwhale_redis_managed` | `true` | If `true`, will install and configure redis |
...@@ -26,8 +26,9 @@ funkwhale_database_port: 5432 ...@@ -26,8 +26,9 @@ funkwhale_database_port: 5432
#funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }} #funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
funkwhale_nginx_managed: true funkwhale_nginx_managed: true
# If you have an hTTPS reverse proxy higher up, set this to true # If you have an HTTPS reverse proxy higher up, set this to true
funkwhale_nginx_tls_termination: true funkwhale_nginx_tls_termination: true
funkwhale_nginx_tls_configure_ciphers: true
funkwhale_nginx_max_body_size: 100M funkwhale_nginx_max_body_size: 100M
funkwhale_nginx_use_compression: true funkwhale_nginx_use_compression: true
funkwhale_ssl_cert_path: funkwhale_ssl_cert_path:
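Review bot: The new `funkwhale_nginx_tls_configure_ciphers: true` default is the only TLS-related key in this hunk without an explanatory comment, while the neighbouring `funkwhale_nginx_tls_termination` line has one, and the README row only says it overrides http{} settings. Judging by the template hunks in this commit, setting it to false means the role emits no cipher, curve, session-ticket or OCSP-stapling directives at all, so whatever the http{} context (or nginx's built-in defaults) provides is what the server runs with. Suggest adding above the new line: `# If false, the role emits no ssl_ciphers/ssl_stapling/session-ticket directives; set them in nginx's http{} context yourself`.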
...@@ -20,6 +20,7 @@ server { ...@@ -20,6 +20,7 @@ server {
ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
{% endif -%} {% endif -%}
{% if funkwhale_nginx_tls_configure_ciphers -%}
# from https://cipherli.st/ # from https://cipherli.st/
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
...@@ -29,6 +30,7 @@ server { ...@@ -29,6 +30,7 @@ server {
ssl_session_tickets off; ssl_session_tickets off;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{% endif -%}
add_header Strict-Transport-Security "max-age=63072000; preload"; add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif -%} {% endif -%}
...@@ -67,9 +69,9 @@ server { ...@@ -67,9 +69,9 @@ server {
text/x-cross-domain-policy; text/x-cross-domain-policy;
{% else -%} {% else -%}
gzip off; gzip off;
{% endif %} {% endif -%}
# end of compression settings # end of compression settings
location / { location / {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled # this is needed if you have file import via upload enabled
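Review bot: The new `{% if funkwhale_nginx_tls_configure_ciphers -%}` guard in the first hunk wraps more than cipher and curve settings: its closing `{% endif -%}` in the second hunk sits after `ssl_session_tickets off`, `ssl_stapling on` and `ssl_stapling_verify on`, so disabling the setting also silently drops session-ticket and OCSP-stapling hardening, while the HSTS header below it stays unconditional. Lines 26-28 of the template fall between the two hunks and are not visible here, so the guard may cover further directives as well. Either move the `{% endif -%}` up so only the cipherli.st cipher/curve lines are gated, or make the scope explicit by changing the comment to `# from https://cipherli.st/ -- whole block (ciphers, tickets, stapling) is skipped when funkwhale_nginx_tls_configure_ciphers is false`. The enclosing `server {` block starts and ends outside these hunks.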