diff --git a/Makefile b/Makefile index f2b4dbe..a650e4a 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,6 @@ install-roles: test-rebuild: vagrant destroy -f && vagrant up -lint-configuration: +lint: ansible-lint "./ansible/configuration.yml" --exclude="./ansible/galaxy.roles/" -v || true ansible-lint "./ansible/roles/ssl-certificate/tasks/main.yml" -v || true - diff --git a/ansible/configuration.yml b/ansible/configuration.yml index 38a01c9..60ba96d 100644 --- a/ansible/configuration.yml +++ b/ansible/configuration.yml @@ -5,13 +5,6 @@ vars: deploy_user: deployer - # Configuration for "Notes" application - notes_domain: 'notes.anwinged.ru' - notes_cert_type: 'letsencrypt' - notes_dbname: notes_db - notes_dbuser: notes_db - notes_dbpassword: Sf6tp6LKeCyrjVZ2YGKYUd - timezone: UTC # nginx settings @@ -35,16 +28,6 @@ php_enable_php_fpm: true php_date_timezone: '{{ timezone }}' - # mysql settings - - mysql_databases: - - name: '{{ notes_dbname }}' - mysql_users: - - name: '{{ notes_dbuser }}' - host: '127.0.0.1' - password: '{{ notes_dbpassword }}' - priv: '{{ notes_dbname }}.*:ALL' - pre_tasks: - name: Ensure that PHP PPA is added. apt_repository: repo=ppa:ondrej/php state=present 
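Review bot: The renamed `lint` target still lints `./ansible/roles/ssl-certificate/tasks/main.yml`, but this same commit moves that file to `ansible/roles/blocks/ssl-certificate/tasks/main.yml`, so the second ansible-lint invocation will point at a path that no longer exists; the trailing `|| true` then hides the failure, so nobody will notice. Change the context line to `ansible-lint "./ansible/roles/blocks/ssl-certificate/tasks/main.yml" -v || true`, and consider dropping the `|| true` so lint findings actually fail the target. If `.PHONY` is not declared elsewhere in the Makefile (not visible in this hunk), `lint` should be added to it, since a file named `lint` would otherwise make the target appear up to date.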
@@ -69,33 +52,10 @@ - geerlingguy.nginx - geerlingguy.php-versions - geerlingguy.php - - geerlingguy.mysql - - role: homepage - - role: s2photo - - - role: symfony-app - app_name: notes - app_user: notes_owner - app_user_ssh_keys: ['{{ lookup("file", "av_id_rsa.pub") }}'] - app_domains: ['{{ notes_domain }}'] - app_cert: yes - app_cert_type: '{{ notes_cert_type }}' - app_cert_email: anwinged@ya.ru - app_php_connection: '127.0.0.1:9010' - app_envs: - NOTES_SECRET_TOKEN: qJqFNP5B9RP2EfqgpTPyZe - NOTES_DATABASE_HOST: 127.0.0.1 - NOTES_DATABASE_PORT: 3306 - NOTES_DATABASE_NAME: '{{ notes_dbname }}' - NOTES_DATABASE_USER: '{{ notes_dbuser }}' - NOTES_DATABASE_PASSWORD: '{{ notes_dbpassword }}' - NOTES_MAILER_HOST: smtp.timeweb.ru - NOTES_MAILER_PORT: 25 - NOTES_MAILER_USER: noreply@anwinged.ru - NOTES_MAILER_PASSWORD: C5DkD5gs - NOTES_DROPBOX_TOKEN: jHFhAiEB1nAAAAAAAAAGjWXDoNrVLDWHo4aFZFoNtb-qV7Q5qsNjlMdKU-Y95lMw - SYMFONY_ENV: prod + - homepage + - s2photo + - notes tasks: - name: Fix php-mysql-package diff --git a/ansible/roles/blocks/owner/defaults/main.yml b/ansible/roles/blocks/owner/defaults/main.yml new file mode 100644 index 0000000..7240a6b --- /dev/null +++ b/ansible/roles/blocks/owner/defaults/main.yml @@ -0,0 +1,5 @@ +--- +owner_name: '' +owner_group: '{{ owner_name }}' +owner_ssh_keys: [] +owner_envs: {} diff --git a/ansible/roles/blocks/owner/tasks/main.yml b/ansible/roles/blocks/owner/tasks/main.yml new file mode 100644 index 0000000..245d6c3 --- /dev/null +++ b/ansible/roles/blocks/owner/tasks/main.yml 
@@ -0,0 +1,30 @@ +--- +- name: 'Check app requirements for {{ owner_name }}.' + fail: + msg: You must set owner name. + when: not owner_name + +- name: 'Create group "{{ owner_group }}".' + group: + name: '{{ owner_group }}' + state: present + +- name: 'Create user "{{ owner_name }}".' + user: + name: '{{ owner_name }}' + group: '{{ owner_group }}' + shell: /bin/bash + +- name: 'Set up user ssh keys for {{ owner_name }}.' + authorized_key: + user: '{{ owner_name }}' + key: '{{ item }}' + state: present + with_items: '{{ owner_ssh_keys }}' + +- name: 'Set up environment variables for {{ owner_name }}.' + lineinfile: + dest: '/home/{{ owner_name }}/.bashrc' + regexp: '^export {{ item.key }}=' + line: 'export {{ item.key }}="{{ item.value }}"' + with_dict: '{{ owner_envs }}' diff --git a/ansible/roles/blocks/php-app/defaults/main.yml b/ansible/roles/blocks/php-app/defaults/main.yml new file mode 100644 index 0000000..24c40f7 --- /dev/null +++ b/ansible/roles/blocks/php-app/defaults/main.yml @@ -0,0 +1,11 @@ +--- +php_app_name: '' +php_app_user: '' +php_app_group: '' +php_app_directory: '' +php_app_web_root: '' +php_app_nginx_config: '' +php_app_php_version: '' +php_app_fpm_pool_name: '{{ php_app_name }}' +php_app_fpm_listen: '127.0.0.1:9001' +php_app_envs: {} diff --git a/ansible/roles/blocks/php-app/tasks/main.yml b/ansible/roles/blocks/php-app/tasks/main.yml new file mode 100644 index 0000000..e48571c --- /dev/null +++ b/ansible/roles/blocks/php-app/tasks/main.yml 
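Review bot: The 'Set up environment variables' task writes `export KEY="VALUE"` into `/home/{{ owner_name }}/.bashrc` with the value interpolated unescaped, so a value containing `"`, `$` or a backtick is either broken or expanded by the shell at login, and the callers of this role pass database and API credentials through `owner_envs`. The task sets no `mode`, so the file keeps whatever permissions the account skeleton gave it, which is commonly world-readable; combined with a default home-directory mode that is frequently 755, the credentials would be readable by every local account (hedged: depends on the distribution's defaults, which this hunk does not fix). Suggest `line: 'export {{ item.key }}={{ item.value | quote }}'` together with `mode: '0600'` on the lineinfile task, and `no_log: true` so the values do not appear in play output. Storing per-application secrets in a login shell rc file at all is questionable when the php-fpm pool already receives the same dict via `env[]`.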
@@ -0,0 +1,26 @@ +--- +- name: 'Check app requirements for {{ php_app_name }}.' + fail: + msg: You must set app name. + when: not php_app_name + +- name: 'Create web directory for {{ php_app_name }}.' + file: + state: directory + path: '{{ php_app_directory }}' + owner: '{{ php_app_user }}' + group: '{{ php_app_group }}' + recurse: yes + notify: restart nginx + +- name: 'Create nginx config for {{ php_app_name }}.' + template: + src: '{{ php_app_nginx_config }}' + dest: '/etc/nginx/sites-enabled/{{ php_app_name }}.conf' + notify: restart nginx + +- name: 'Creates php-fpm pool config for {{ php_app_name }}.' + template: + src: fpm-pool.conf.j2 + dest: '/etc/php/{{ php_app_php_version }}/fpm/pool.d/{{ php_app_name }}.conf' + notify: restart php-fpm diff --git a/ansible/roles/symfony-app/templates/fpm-pool.conf.j2 b/ansible/roles/blocks/php-app/templates/fpm-pool.conf.j2 similarity index 72% rename from ansible/roles/symfony-app/templates/fpm-pool.conf.j2 rename to ansible/roles/blocks/php-app/templates/fpm-pool.conf.j2 index 8e3b0bc..49fb30e 100644 --- a/ansible/roles/symfony-app/templates/fpm-pool.conf.j2 +++ b/ansible/roles/blocks/php-app/templates/fpm-pool.conf.j2 @@ -1,11 +1,11 @@ -[{{ app_fpool_name }}] +[{{ php_app_fpm_pool_name }}] -listen = {{ app_fpool_listen }} +listen = {{ php_app_fpm_listen }} listen.allowed_clients = 127.0.0.1 listen.backlog = -1 -user = {{ app_user }} -group = {{ app_group }} +user = {{ php_app_user }} +group = {{ php_app_group }} ; request_slowlog_timeout = 5s ; slowlog = /var/log/php-fpm/slowlog-blog.log @@ -23,6 +23,6 @@ rlimit_files = 131072 rlimit_core = unlimited catch_workers_output = yes -{% for name, value in app_envs.iteritems() %} +{% for name, value in php_app_envs.iteritems() %} env[{{ name }}]={{ value }} {% endfor %} 
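Review bot: The requirements check only rejects an empty `php_app_name`, while the following tasks depend on `php_app_directory`, `php_app_user`, `php_app_group`, `php_app_nginx_config` and `php_app_php_version`, all of which default to `''` in defaults/main.yml; with an empty version the pool config is written to `/etc/php//fpm/pool.d/<name>.conf`, a directory php-fpm never reads, instead of failing early. Extend the guard to `when: not php_app_name or not php_app_directory or not php_app_user or not php_app_php_version` and make the message match, e.g. `msg: You must set app name, directory, user and php version.`. Note also that `recurse: yes` on the `file` task re-chowns the whole application tree on every run, which is slow for a large deployment directory and will reset ownership of anything placed there later by another process; creating only the directory itself (no `recurse`) is usually what is intended.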
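Review bot: `php_app_envs.iteritems()` in the second hunk is a Python 2-only dict method; when the Ansible controller runs under Python 3 the attribute is undefined and the template fails to render, so the pool file is not written at all. The rename kept the old call instead of fixing it: use `{% for name, value in php_app_envs.items() %}`, which works on both Python versions. Since the dict passed here includes credentials (see the caller in the notes role), the rendered pool file should also be given a restrictive `mode` by the template task that writes it.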
diff --git a/ansible/roles/ssl-certificate/defaults/main.yml b/ansible/roles/blocks/ssl-certificate/defaults/main.yml
similarity index 100%
rename from ansible/roles/ssl-certificate/defaults/main.yml
rename to ansible/roles/blocks/ssl-certificate/defaults/main.yml
diff --git a/ansible/roles/ssl-certificate/tasks/letsencrypt.yml b/ansible/roles/blocks/ssl-certificate/tasks/letsencrypt.yml
similarity index 100%
rename from ansible/roles/ssl-certificate/tasks/letsencrypt.yml
rename to ansible/roles/blocks/ssl-certificate/tasks/letsencrypt.yml
diff --git a/ansible/roles/ssl-certificate/tasks/main.yml b/ansible/roles/blocks/ssl-certificate/tasks/main.yml
similarity index 100%
rename from ansible/roles/ssl-certificate/tasks/main.yml
rename to ansible/roles/blocks/ssl-certificate/tasks/main.yml
diff --git a/ansible/roles/ssl-certificate/tasks/self-signed.yml b/ansible/roles/blocks/ssl-certificate/tasks/self-signed.yml
similarity index 100%
rename from ansible/roles/ssl-certificate/tasks/self-signed.yml
rename to ansible/roles/blocks/ssl-certificate/tasks/self-signed.yml
diff --git a/ansible/roles/ssl-certificate/templates/vhost.conf.j2 b/ansible/roles/blocks/ssl-certificate/templates/vhost.conf.j2
similarity index 100%
rename from ansible/roles/ssl-certificate/templates/vhost.conf.j2
rename to ansible/roles/blocks/ssl-certificate/templates/vhost.conf.j2
diff --git a/ansible/roles/static-site/defaults/main.yml b/ansible/roles/blocks/static-site/defaults/main.yml
similarity index 100%
rename from ansible/roles/static-site/defaults/main.yml
rename to ansible/roles/blocks/static-site/defaults/main.yml
diff --git a/ansible/roles/static-site/tasks/main.yml b/ansible/roles/blocks/static-site/tasks/main.yml
similarity index 100%
rename from ansible/roles/static-site/tasks/main.yml
rename to ansible/roles/blocks/static-site/tasks/main.yml
diff --git a/ansible/roles/static-site/templates/site.conf.j2 b/ansible/roles/blocks/static-site/templates/site.conf.j2 similarity index 100% rename from ansible/roles/static-site/templates/site.conf.j2 rename to ansible/roles/blocks/static-site/templates/site.conf.j2 diff --git a/ansible/roles/homepage/meta/main.yml b/ansible/roles/homepage/meta/main.yml index dbdcc52..7bb3e59 100644 --- a/ansible/roles/homepage/meta/main.yml +++ b/ansible/roles/homepage/meta/main.yml @@ -1,6 +1,6 @@ --- dependencies: - - role: ssl-certificate + - role: blocks/ssl-certificate cert_type: letsencrypt cert_name: '{{ homepage_name }}' cert_email: anwinged@ya.ru @@ -8,7 +8,7 @@ dependencies: - '{{ homepage_domain }}' - 'www.{{ homepage_domain }}' - - role: static-site + - role: blocks/static-site static_site_name: '{{ homepage_name }}' static_site_domain: '{{ homepage_domain }}' static_site_dir: '{{ homepage_dir }}' diff --git a/ansible/roles/notes/meta/main.yml b/ansible/roles/notes/meta/main.yml new file mode 100644 index 0000000..17511c4 --- /dev/null +++ b/ansible/roles/notes/meta/main.yml 
@@ -0,0 +1,34 @@ +--- +dependencies: + - role: geerlingguy.mysql + mysql_databases: + - name: '{{ notes_dbname }}' + mysql_users: + - name: '{{ notes_dbuser }}' + host: 127.0.0.1 + password: '{{ notes_dbpassword }}' + priv: '{{ notes_dbname }}.*:ALL' + + - role: blocks/owner + owner_name: '{{ notes_owner }}' + owner_group: '{{ notes_owner }}' + owner_ssh_keys: ['{{ lookup("file", "av_id_rsa.pub") }}'] + owner_envs: '{{ notes_env }}' + + - role: blocks/ssl-certificate + cert_type: letsencrypt + cert_name: '{{ notes_name }}' + cert_email: anwinged@ya.ru + cert_domains: + - '{{ notes_domain }}' + + - role: blocks/php-app + php_app_name: '{{ notes_name }}' + php_app_user: '{{ notes_owner }}' + php_app_group: '{{ notes_owner }}' + php_app_directory: '{{ notes_dir }}' + php_app_web_root: '{{ notes_web_root }}' + php_app_nginx_config: nginx.conf.j2 + php_app_php_version: '7.1' + php_app_fpm_listen: '{{ notes_php_connection }}' + php_app_envs: '{{ notes_env }}' diff --git a/ansible/roles/notes/tasks/main.yml b/ansible/roles/notes/tasks/main.yml new file mode 100644 index 0000000..cd21505 --- /dev/null +++ b/ansible/roles/notes/tasks/main.yml @@ -0,0 +1,2 @@ +--- + diff --git a/ansible/roles/notes/templates/nginx.conf.j2 b/ansible/roles/notes/templates/nginx.conf.j2 new file mode 100644 index 0000000..523a13a --- /dev/null +++ b/ansible/roles/notes/templates/nginx.conf.j2 
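Review bot: `php_app_php_version: '7.1'` is hardcoded here, whereas the deleted symfony-app defaults derived it from `php_version | default("7.0")`, the variable the geerlingguy.php roles read; if the playbook's `php_version` (not visible in this hunk) ever differs from 7.1 the pool config lands in a directory of an uninstalled PHP and nginx's `fastcgi_pass` has nothing to talk to. Suggest `php_app_php_version: '{{ php_version }}'`. Likewise `cert_type: letsencrypt` is a literal even though vars/main.yml in this same commit defines `notes_cert_type`, which is then unused; `cert_type: '{{ notes_cert_type }}'` keeps the two in sync.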
@@ -0,0 +1,58 @@ +server { + server_name {{ notes_domain }}; + + listen 443 ssl http2; + + ssl on; + ssl_certificate {{ vars[notes_name + "_ssl_certificate"] }}; + ssl_certificate_key {{ vars[notes_name + "_ssl_key"] }}; + ssl_trusted_certificate {{ vars[notes_name + "_ssl_certificate"] }}; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_dhparam {{ vars[notes_name + "_ssl_dhparam"] }}; + ssl_prefer_server_ciphers on; + + root {{ notes_web_root }}; + + location / { + # try to serve file directly, fallback to app.php + try_files $uri /app.php$is_args$args; + } + + location ~ ^/app\.php(/|$) { + fastcgi_pass {{ notes_php_connection }}; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include fastcgi_params; + + # When you are using symlinks to link the document root to the + # current version of your application, you should pass the real + # application path instead of the path to the symlink to PHP + # FPM. + # Otherwise, PHP's OPcache may not properly detect changes to + # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126 + # for more information). + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + fastcgi_param DOCUMENT_ROOT $realpath_root; + + # Prevents URIs that include the front controller. 
This will 404: + # http://domain.tld/app.php/some-path + # Remove the internal directive to allow URIs like this + internal; + } + + # return 404 for all other php files not matching the front controller + # this prevents access to other php files you don't want to be accessible. + location ~ \.php$ { + return 404; + } + + error_log /var/log/nginx/{{ notes_name }}_error.log; + access_log /var/log/nginx/{{ notes_name }}_access.log; +} diff --git a/ansible/roles/notes/vars/main.yml b/ansible/roles/notes/vars/main.yml new file mode 100644 index 0000000..d8aaa16 --- /dev/null +++ b/ansible/roles/notes/vars/main.yml @@ -0,0 +1,27 @@ +--- +notes_name: notes +notes_owner: notes_owner +notes_dir: /var/www/notes +notes_web_root: '{{ notes_dir }}/current/app' +notes_domain: 'notes.anwinged.ru' +notes_cert_type: 'letsencrypt' +notes_dbname: notes_db +notes_dbuser: notes_db +notes_dbpassword: Sf6tp6LKeCyrjVZ2YGKYUd +notes_php_connection: '127.0.0.1:9010' + +notes_env: + NOTES_DEPLOY_DIR: '{{ notes_dir }}' + NOTES_WORK_DIR: '{{ notes_dir }}/current' + NOTES_SECRET_TOKEN: qJqFNP5B9RP2EfqgpTPyZe + NOTES_DATABASE_HOST: 127.0.0.1 + NOTES_DATABASE_PORT: 3306 + NOTES_DATABASE_NAME: '{{ notes_dbname }}' + NOTES_DATABASE_USER: '{{ notes_dbuser }}' + NOTES_DATABASE_PASSWORD: '{{ notes_dbpassword }}' + NOTES_MAILER_HOST: smtp.timeweb.ru + NOTES_MAILER_PORT: 25 + NOTES_MAILER_USER: noreply@anwinged.ru + NOTES_MAILER_PASSWORD: C5DkD5gs + NOTES_DROPBOX_TOKEN: jHFhAiEB1nAAAAAAAAAGjWXDoNrVLDWHo4aFZFoNtb-qV7Q5qsNjlMdKU-Y95lMw + SYMFONY_ENV: prod diff --git a/ansible/roles/s2photo/meta/main.yml b/ansible/roles/s2photo/meta/main.yml index 189de25..581329f 100644 --- a/ansible/roles/s2photo/meta/main.yml +++ b/ansible/roles/s2photo/meta/main.yml @@ -1,5 +1,5 @@ --- dependencies: - - role: static-site + - role: blocks/static-site static_site_name: s2photo static_site_domain: s2photo.ru 
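Review bot: The TLS block copied verbatim from the deleted ssl.j2 keeps `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`), and now that it is duplicated per application template rather than shared, any hardening has to be repeated in every copy. While moving it, reduce to `ssl_protocols TLSv1.2;` and drop the DES-CBC3 entries from `ssl_ciphers`; `ssl on;` is redundant with `listen 443 ssl` and deprecated in current nginx, so it can go too. Keeping the TLS fragment as a shared include under blocks/ssl-certificate would avoid the drift between app templates that this commit introduces.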
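Review bot: `notes_dbpassword`, `NOTES_SECRET_TOKEN`, `NOTES_MAILER_PASSWORD` and `NOTES_DROPBOX_TOKEN` are stored in plaintext in the role's vars/main.yml; the commit moves them out of configuration.yml but they remain committed to the repository in clear. They belong in an ansible-vault encrypted file (a vaulted `vars/secrets.yml` loaded next to this one, or `!vault` inline values), and since they have already been in git history they should be treated as exposed and rotated rather than just relocated. The same `notes_env` dict is passed as both `owner_envs` and `php_app_envs` in meta/main.yml, so every one of these values is also written to the owner's `.bashrc` and to the php-fpm pool file on the host, multiplying the places that need correct permissions.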
diff --git a/ansible/roles/symfony-app/defaults/main.yml b/ansible/roles/symfony-app/defaults/main.yml deleted file mode 100644 index 1d977d2..0000000 --- a/ansible/roles/symfony-app/defaults/main.yml +++ /dev/null @@ -1,40 +0,0 @@ ---- -app_name: '' - - -# ПОЛЬЗОАВТЕЛЬ - -app_user: '{{ app_name }}' -app_group: '{{ app_user }}' -app_user_ssh_keys: [] - - -# ОКРУЖЕНИЕ - -# Переменные окружения приложения. -# Необходимо указывать в виде пар ключ-значение, -# где ключ - имя переменной (обычно в верхнем регистре). -app_envs: {} - - -# ВЕБ-СЕРВЕР - -app_directory: '/var/www/{{ app_name }}' -app_domains: ['{{ app_name }}.loc'] -app_web_root: '/var/www/{{ app_name }}/current/web' -app_php_connection: '127.0.0.1:9001' - - -# СЕРТИФИКАТ - -app_cert: no -app_cert_type: 'self-signed' -app_cert_email: 'name@example.com' - - -# PHP-FPM - -app_php_version: '{{ php_version | default("7.0") }}' -app_fpool_name: '{{ app_name }}' -app_fpool_listen: '{{ app_php_connection }}' -app_fpool_slowlog: '/var/www/{{ app_name }}/shared/logs/' diff --git a/ansible/roles/symfony-app/tasks/main.yml b/ansible/roles/symfony-app/tasks/main.yml deleted file mode 100644 index cb1d8a8..0000000 --- a/ansible/roles/symfony-app/tasks/main.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -- name: 'Check app requirements for {{ app_name }}.' - fail: - msg: You must set app name. - when: not app_name - -- name: 'Create group "{{ app_group }}" for {{ app_name }}.' - group: - name: '{{ app_group }}' - state: present - -- name: 'Create user "{{ app_user }}" for {{ app_name }}.' - user: - name: '{{ app_user }}' - comment: '{{ app_name }} application owner' - group: '{{ app_group }}' - shell: /bin/bash - -- name: 'Set up user ssh keys for {{ app_name }}.' - authorized_key: - user: '{{ app_user }}' - key: '{{ item }}' - state: present - with_items: '{{ app_user_ssh_keys }}' - -- name: 'Set up environment variables for {{ app_name }}.' - lineinfile: - dest: '/home/{{ app_user }}/.bashrc' - regexp: '^export {{ item.key }}=' - line: 'export {{ item.key }}="{{ item.value }}"' - with_dict: '{{ app_envs }}' - -- name: 'Create ssl certificate for {{ app_name }}.' - include_role: - name: ssl-certificate - private: yes - vars: - cert_type: '{{ app_cert_type }}' - cert_name: '{{ app_name }}' - cert_email: '{{ app_cert_email }}' - cert_domains: '{{ app_domains }}' - when: app_cert - -- name: 'Create web directory for {{ app_name }}.' - file: - state: directory - path: '{{ app_directory }}' - owner: '{{ app_user }}' - group: '{{ app_group }}' - recurse: yes - notify: restart nginx - -- name: 'Create nginx config for {{ app_name }}.' - template: - src: app.conf.j2 - dest: '/etc/nginx/sites-enabled/{{ app_name }}.conf' - notify: restart nginx - -- name: 'Creates php-fpm pool config for {{ app_name }}.' - template: - src: fpm-pool.conf.j2 - dest: '/etc/php/{{ app_php_version }}/fpm/pool.d/{{ app_name }}.conf' - notify: restart php-fpm diff --git a/ansible/roles/symfony-app/templates/app.conf.j2 b/ansible/roles/symfony-app/templates/app.conf.j2 deleted file mode 100644 index e88e4e0..0000000 --- a/ansible/roles/symfony-app/templates/app.conf.j2 +++ /dev/null 
@@ -1,50 +0,0 @@ -server { - server_name {{ app_domains | join(" ") }}; - - {% if app_cert %} - listen 443 ssl http2; - {% else %} - listen 80; - {% endif %} - - {% if app_cert %} - {% include './ssl.j2' %} - {% endif %} - - root {{ app_web_root }}; - - location / { - # try to serve file directly, fallback to app.php - try_files $uri /app.php$is_args$args; - } - - location ~ ^/app\.php(/|$) { - fastcgi_pass {{ app_php_connection }}; - fastcgi_split_path_info ^(.+\.php)(/.*)$; - include fastcgi_params; - - # When you are using symlinks to link the document root to the - # current version of your application, you should pass the real - # application path instead of the path to the symlink to PHP - # FPM. - # Otherwise, PHP's OPcache may not properly detect changes to - # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126 - # for more information). - fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; - fastcgi_param DOCUMENT_ROOT $realpath_root; - - # Prevents URIs that include the front controller. This will 404: - # http://domain.tld/app.php/some-path - # Remove the internal directive to allow URIs like this - internal; - } - - # return 404 for all other php files not matching the front controller - # this prevents access to other php files you don't want to be accessible. - location ~ \.php$ { - return 404; - } - - error_log /var/log/nginx/{{ app_name }}_error.log; - access_log /var/log/nginx/{{ app_name }}_access.log; -} diff --git a/ansible/roles/symfony-app/templates/ssl.j2 b/ansible/roles/symfony-app/templates/ssl.j2 deleted file mode 100644 index 476cf46..0000000 --- a/ansible/roles/symfony-app/templates/ssl.j2 +++ /dev/null 
@@ -1,15 +0,0 @@ -ssl on; -ssl_certificate {{ vars[app_name + "_ssl_certificate"] }}; -ssl_certificate_key {{ vars[app_name + "_ssl_key"] }}; -ssl_trusted_certificate {{ vars[app_name + "_ssl_certificate"] }}; - -ssl_session_cache shared:SSL:50m; -ssl_session_timeout 5m; -ssl_stapling on; -ssl_stapling_verify on; - -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - -ssl_dhparam {{ vars[app_name + "_ssl_dhparam"] }}; -ssl_prefer_server_ciphers on;