The different configurations are now all lower case, for consistent
naming.
`matrix_nginx_proxy_ssl_config` is now called
`matrix_nginx_proxy_ssl_preset`. The different options for "modern",
"intermediate" and "old" are stored in the main.yml file, instead of
being hardcoded in the configuration files. This will improve the
maintainability of the code.
The "custom" preset was removed. Now if one of the variables is set, it
will use it instead of the preset. This will allow to mix and match more
easily, for example using all the intermediate options but only
supporting TLSv1.2. This will also provide better backward
compatibility.
A new variable `matrix_nginx_proxy_ssl_config`, bringing some breaking changes. The default configuration is set to `"Intermadiate"`.
This changes `ssl_prefer_server_ciphers` to `off` by default instead of `off`. It also add some more ciphers to the list, this should
A new variable `matrix_nginx_proxy_ssl_preset`, bringing some breaking changes. The default configuration is set to `"intermediate"`.
This changes `ssl_prefer_server_ciphers` to `off` by default instead of `on`. It also add some more ciphers to the list, this should
give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md).
To revert to the old behaviour just set `matrix_nginx_proxy_ssl_config` to `"Custom"` and don't change any of the other variables.
To revert to the old behaviour just set the following variables:
If you are setting `matrix_nginx_proxy_ssl_protocols` to a custom value, you will need to `matrix_nginx_proxy_ssl_config` to `"Custom"`,
You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS
You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_preset`. This is based on the Mozilla Server Side TLS
Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
The posible values are:
- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
- "Intermediate" - Recommended configuration for a general-purpose server
- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
- "Custom" - For defining your own protocols an ciphers
- "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
- "intermediate" - Recommended configuration for a general-purpose server
- "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
The default is set to `"Intermediate"`.
The default is set to `"intermediate"`.
**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the
**Be really carefull when setting it to "modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the
If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set:
If you want to override one of the values used by the preset, you can use this three variables:
- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off".
@ -48,11 +48,10 @@ Those configuration files are adapted for use with an external web server (one n
You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"`redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:
Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:
```yaml
# Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
Agustin Ferrario
4 years ago