Verified Commit bf3f5aec authored by mal's avatar mal

Add setting to disable nginx TLS cipher config

parent 8e4cf925
......@@ -134,6 +134,7 @@ Role Variables
| `funkwhale_media_path` | `/srv/funkwhale/data/media` | Path where audio and uploaded files should be stored (**no trailing slash**) |
| `funkwhale_music_path` | `/srv/funkwhale/data/music` | Path to your existing music library, to use with [CLI import](https://docs.funkwhale.audio/admin/importing-music.html) (**no trailing slash**) |
| `funkwhale_nginx_managed` | `true` | If `true`, will install and configure nginx |
| `funkwhale_nginx_tls_configure_ciphers` | `true` | Set TLS ciphers, curves, etc, overriding any settings in http{} |
| `funkwhale_nginx_max_body_size` | `100M` | Value of nginx's `max_body_size` parameter to use |
| `funkwhale_protocol` | `https` | If set to `https`, will configure Funkwhale and Nginx to work behind HTTPS. Use `http` to completely disable SSL. |
| `funkwhale_redis_managed` | `true` | If `true`, will install and configure redis |
......@@ -26,8 +26,9 @@ funkwhale_database_port: 5432
#funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
funkwhale_nginx_managed: true
# If you have an hTTPS reverse proxy higher up, set this to true
# If you have an HTTPS reverse proxy higher up, set this to true
funkwhale_nginx_tls_termination: true
funkwhale_nginx_tls_configure_ciphers: true
funkwhale_nginx_max_body_size: 100M
funkwhale_nginx_use_compression: true
funkwhale_ssl_cert_path:
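Review bot: The new `funkwhale_nginx_tls_configure_ciphers: true` default is added without the explanatory comment its sibling `funkwhale_nginx_tls_termination` gets on the line above, so an operator reading this file cannot tell what turning it off gives up. I would add, directly above it, `# Set to false to keep the ssl_ciphers/ssl_protocols (and, as the template is written, ssl_stapling and ssl_session_tickets) you define in http{} instead of the hardened defaults from the role`. The list of directives the flag actually controls should be checked against the nginx template before committing the wording, since only part of that block is visible in this change.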
......@@ -20,6 +20,7 @@ server {
ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
{% endif -%}
{% if funkwhale_nginx_tls_configure_ciphers -%}
# from https://cipherli.st/
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
......@@ -29,6 +30,7 @@ server {
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
{% endif -%}
add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif -%}
......@@ -67,9 +69,9 @@ server {
text/x-cross-domain-policy;
{% else -%}
gzip off;
{% endif %}
{% endif -%}
# end of compression settings
location / {
include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled
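Review bot: The new `{% if funkwhale_nginx_tls_configure_ciphers -%}` guard also encloses `ssl_session_tickets off;`, `ssl_stapling on;` and `ssl_stapling_verify on;`, which are not cipher or curve settings and are unlikely to be what an operator expects to lose when they set the flag to false to supply their own cipher list in http{}. With the flag off, nginx falls back to its own defaults for those directives (session tickets enabled, no OCSP stapling) unless the operator has separately set them, which the README row does not warn about. I would move those three lines below the added `{% endif -%}` so they sit next to the `add_header Strict-Transport-Security` line that already stays unconditional, or, if they are meant to be opt-out too, rename or document the variable to say it disables the whole hardened TLS block rather than just ciphers. Part of the guarded block between the two hunks is not visible here, so the exact set of directives it covers should be confirmed in the full template.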