#2931 -- Add explicit SSL cipher rules for Ansible nginx installs.

update.sh

@@ -35,7 +35,7 @@ else
 fi
 
 APP_ENV="${APP_ENV:-production}"
-UPDATE_REVISION="${UPDATE_REVISION:-53}"
+UPDATE_REVISION="${UPDATE_REVISION:-54}"
 
 echo "Updating AzuraCast (Environment: $APP_ENV, Update revision: $UPDATE_REVISION)"
 

util/ansible/roles/nginx/templates/default.j2

@@ -1,4 +1,4 @@
-{% if ansible_distribution_release == 'bionic' %}
+{% if ansible_distribution_release != 'xenial' %}
 upstream redis_server {
     nchan_redis_server "redis://localhost:6379";
 }
@@ -27,6 +27,9 @@ server {
 
     ssl_certificate    /etc/nginx/ssl/server.crt;
     ssl_certificate_key    /etc/nginx/ssl/server.key;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
 
     root {{ app_base }}/www/web;
     index index.php;
@@ -113,7 +116,7 @@ server {
         proxy_set_header Connection "Upgrade";
     }
 
-    {% if ansible_distribution_release == 'bionic' %}
+    {% if ansible_distribution_release != 'xenial' %}
     # pub/sub endpoints
     location ~ /api/live/nowplaying/(\w+)$ {
         nchan_subscriber;

util/ansible/update.yml

@@ -16,7 +16,7 @@
     - { role: azuracast-radio, when: update_revision|int < 53 }
     - { role: supervisord, when: update_revision|int < 13 }
     - { role: mariadb, when: update_revision|int < 15 }
-    - { role: nginx, when: update_revision|int < 49 }
+    - { role: nginx, when: update_revision|int < 54 }
     - { role: redis, when: update_revision|int < 14 }
     - { role: php, when: update_revision|int < 50 }
     - composer