Add setting to disable nginx TLS cipher config

mal requested to merge half-duplex/ansible:ngx-no-tls-clobber into master

I configure TLS settings in the http{} block in my /etc/nginx/nginx.conf. Attempting to override these settings:

  • Interferes with my cipher choices and TLS config on other sites
  • In my case (probably because of TLSv1.3), causes the funkwhale site to fail to load with SSL_ERROR_ILLEGAL_PARAMETER_ALERT

This PR adds the funkwhale_nginx_tls_configure_ciphers var to disable funkwhale's overriding of the following settings:

    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

The default of true maintains the current behavior for indifferent users.
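
An added example, not part of the merge request or the funkwhale role: a Python check that reports which server{} blocks set any of the eight directives listed above to a value different from the http{} level, which is the clobbering the description refers to. The sample configuration, host name and http-level values are constructed, and the tokenizer is a simplification that ignores quoted strings and does not follow include directives.

```python
import re

# The eight directives the merge request lists as set by the funkwhale template.
TLS_DIRECTIVES = {
    "ssl_prefer_server_ciphers", "ssl_ciphers", "ssl_ecdh_curve",
    "ssl_session_timeout", "ssl_session_cache", "ssl_session_tickets",
    "ssl_stapling", "ssl_stapling_verify",
}

# Constructed sample; host name and http-level values are placeholders.
SAMPLE_CONF = """
http {
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20;
    ssl_session_tickets off;
    server {
        server_name funkwhale.example.org;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_session_tickets off;   # same as http{}, so not reported
        location / { proxy_pass http://127.0.0.1:5000; }
    }
}
"""

def find_tls_overrides(conf_text):
    """List (server_name, directive, server_value, http_value) mismatches."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf_text))
    stack, stmt, http_level, servers = [], [], {}, []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":
            stack.append(stmt[0] if stmt else "")
            if stack[-1] == "server":
                servers.append({})
        elif tok == "}":
            del stack[-1:]  # tolerate an unbalanced closing brace
        elif stmt and stack:  # ";" closes a directive inside a block
            name, value = stmt[0], " ".join(stmt[1:])
            if stack[-1] == "http":
                http_level[name] = value
            elif stack[-1] == "server":
                servers[-1][name] = value
        stmt = []
    return [(s.get("server_name", "(unnamed)"), d, s[d], http_level[d])
            for s in servers for d in s
            if d in TLS_DIRECTIVES and http_level.get(d, s[d]) != s[d]]
```

It can be run over the output of `nginx -T`, which prints the main file and every included file; server blocks from included files appear outside http{} in that dump and are still matched.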
