commit 2cafc8ca64afa8cebf2eee8412b74ae93e3ee559
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sun Nov 27 10:30:05 2016 +0100
Reverse sslonly_hsts logic
playbooks/include/proxies-websites.yml | 2 +-
roles/httpd/website/templates/website.conf | 2 +-
vars/global.yml | 1 +
3 files changed, 3 insertions(+), 2 deletions(-)
---
diff --git a/playbooks/include/proxies-websites.yml
b/playbooks/include/proxies-websites.yml
index 04af19c..542ee6b 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -51,7 +51,7 @@
server_aliases:
-
www.rpmfusion.org
sslonly: true
- sslonly_no_hsts: true
+ sslonly_hsts: false
cert_name:
rpmfusion.org
SSLCertificateChainFile : rpmfusion.org-intermediate.cert
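Review bot: The new `sslonly_hsts: false` line gives no reason why rpmfusion.org is the one vhost that must not send Strict-Transport-Security; presumably the `includeSubDomains; preload` directives hard-coded in the website.conf template would break sub-domains not yet served over TLS, but that should be written down, e.g. `# HSTS off: includeSubDomains/preload would cover subdomains not yet on HTTPS` — confirm the reason. Disabling the header entirely also removes downgrade protection for rpmfusion.org and www.rpmfusion.org themselves even though `sslonly: true` is set; if sub-domains are the concern, a separate toggle for the `includeSubDomains`/`preload` directives would let the apex keep a plain `max-age` header. The vhost definition this key belongs to starts before this hunk.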
diff --git a/roles/httpd/website/templates/website.conf
b/roles/httpd/website/templates/website.conf
index 9d87025..f001ec8 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -46,7 +46,7 @@
SSLCipherSuite {{ ssl_ciphers }}
{% if sslonly %}
-{% if not sslonly_no_hsts %}
+{% if sslonly_hsts %}
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains;
preload"
{% endif %}
{% endif %}
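Review bot: The new `{% if sslonly_hsts %}` makes every sslonly vhost depend on `sslonly_hsts` being defined, and the only default visible in this commit lives in vars/global.yml, so applying this role without that vars file would fail the template on an undefined variable rather than fall back to sending the header. Keeping the fail-safe in the template itself, `{% if sslonly_hsts | default(true) %}`, means a missing variable still results in HSTS being sent while an explicit `false` still opts out. On the unchanged line inside the condition, `Header always add` appends rather than replaces, so a Strict-Transport-Security header set by any other included config would be emitted twice; `Header always set` avoids that, though it is outside the scope of this change.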
diff --git a/vars/global.yml b/vars/global.yml
index f889225..ce13e55 100644
--- a/vars/global.yml
+++ b/vars/global.yml
@@ -46,6 +46,7 @@ rhel66_x86_64: rhel-guest-image-6.6-20141222.0.x86_64
ssl_protocols: "-All +TLSv1 +TLSv1.1 +TLSv1.2"
ssl_ciphers:
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
+sslonly_hsts: true
# Set a default hostname base to transient. Override in host vars or command line.
hostbase: transient
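Review bot: The new `sslonly_hsts: true` default has no comment and sits between the TLS cipher list and `hostbase`, so a reader cannot tell what it controls or what opting out costs; a one-line comment such as `# Send Strict-Transport-Security on sslonly vhosts; set false in a site's vars to opt out` would cover that. The variable is consumed only by roles/httpd/website/templates/website.conf in this diff, so the conventional place for its default is that role's defaults/main.yml rather than the global vars file, which would also let the role render without vars/global.yml loaded; whether such a defaults file already exists is not visible from here.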