ch-http-proxy: better fix for old SSL support

1 files changed, 6 insertions, 7 deletions

diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml
index 92076588..627343e6 100644
--- a/chaos-at-home/ch-http-proxy.yml
+++ b/chaos-at-home/ch-http-proxy.yml
@@ -10,13 +10,6 @@
   - role: acmetool/base
   - role: nginx/base
   post_tasks:
-  - name: lower minimum tls protocol version to 1.0
-    lineinfile:
-      path: /etc/ssl/openssl.cnf
-      regexp: '^MinProtocol\s*='
-      line: 'MinProtocol = TLSv1'
-
-
   #### web.chaos-at-home.org (default-server)
   - name: create directory for default server
     file:
@@ -141,6 +134,9 @@
         - webmail.chaos-at-home.org
         client_max_body_size: "200M"
         proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
+        proxy_ssl:
+          protocols: TLSv1
+          ciphers: "DEFAULT@SECLEVEL=1"
       acmetool_cert_config:
         request:
           challenge:
@@ -159,6 +155,9 @@
         hostnames:
         - webdav.chaos-at-home.org
         proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
+        proxy_ssl:
+          protocols: TLSv1
+          ciphers: "DEFAULT@SECLEVEL=1"
       acmetool_cert_config:
         request:
           challenge: