From f9f899fb2e79b74fb124013863141065b563e9e0 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Fri, 16 May 2025 14:01:33 +0200
Subject: [PATCH] nginx: unoverride secure defaults

Both Alpine and Debian override default nginx ssl_protocols to enable older TLS versions. Unoverride to return to secure nginx defaults.
---
 roles/nginx/tasks/main.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index d902df2..bfeaeee 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -16,6 +16,13 @@
     - certbot
     - nginx
 
+- name: Don’t enable old TLS versions
+  lineinfile:
+    path: /etc/nginx/nginx.conf
+    regex: '(\s+ssl_protocols\s.*)'
+    backrefs: yes
+    line: '#\1'
+
 - name: Create HTTP server directories
   file:
     path: /srv/http/.well-known
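Review bot: Commenting the directive out only yields a TLS 1.2+ policy on nginx builds whose compiled-in default already excludes TLSv1/TLSv1.1 (roughly 1.23.4 onward, as far as I recall); on older packaged versions the built-in default still includes them, so the effect of this task depends on which nginx the distro ships rather than on the role. Setting the value explicitly is version-independent and leaves the effective policy auditable in the rendered config: `regex: '^(\s+)ssl_protocols\s'` with `line: '\1ssl_protocols TLSv1.2 TLSv1.3;'` (group 1 then holds only the indentation). Note also that lineinfile with backrefs rewrites only the last matching line, so a second `ssl_protocols` elsewhere in nginx.conf would be left untouched, and the task carries no `notify:` for a reload handler — if the role has one, the edit is not applied until something else restarts nginx. `backrefs: yes` should be written `backrefs: true` for the canonical boolean form.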