From 2c40388385f9847dc57e8c39cc2badcf26575be7 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 28 Aug 2020 23:25:42 +0200
Subject: ch-http-proxy: better fix for old SSL support
---
 chaos-at-home/ch-http-proxy.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
(limited to 'chaos-at-home/ch-http-proxy.yml')
diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml
index 92076588..627343e6 100644
--- a/chaos-at-home/ch-http-proxy.yml
+++ b/chaos-at-home/ch-http-proxy.yml
@@ -10,13 +10,6 @@
 - role: acmetool/base
 - role: nginx/base
 post_tasks:
- - name: lower minimum tls protocol version to 1.0
- lineinfile:
- path: /etc/ssl/openssl.cnf
- regexp: '^MinProtocol\s*='
- line: 'MinProtocol = TLSv1'
-
-
 #### web.chaos-at-home.org (default-server)
 - name: create directory for default server
 file:
@@ -141,6 +134,9 @@
 - webmail.chaos-at-home.org
 client_max_body_size: "200M"
 proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
+ proxy_ssl:
+ protocols: TLSv1
+ ciphers: "DEFAULT@SECLEVEL=1"
 acmetool_cert_config:
 request:
 challenge:
@@ -159,6 +155,9 @@
 hostnames:
 - webdav.chaos-at-home.org
 proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
+ proxy_ssl:
+ protocols: TLSv1
+ ciphers: "DEFAULT@SECLEVEL=1"
 acmetool_cert_config:
 request:
 challenge:
-- 
cgit v1.2.3
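Review bot: The added `proxy_ssl` block in the webmail.chaos-at-home.org hunk sets `protocols: TLSv1`, which enables TLS 1.0 alone, whereas the removed `MinProtocol = TLSv1` only lowered the floor. If the role renders this value into nginx's `proxy_ssl_protocols` (the template is not visible here), the link to ch-prometheus-old would presumably stay on TLS 1.0 even after that backend gains newer protocol support. Unless the legacy host is known to fail negotiation when newer versions are offered, I would list the range, `protocols: "TLSv1 TLSv1.1 TLSv1.2"`, and put a comment above the block such as `# ch-prometheus-old needs old SSL (TLS 1.0, SECLEVEL=1 ciphers); drop once it is migrated`. The same applies to the identical block in the webdav.chaos-at-home.org hunk; both vhost definitions start and end outside their hunks. Neither hunk shows upstream certificate verification, so it is worth confirming whether the role exposes it, because the lowered protocol and cipher level make this hop the weakest part of the path.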