From 7643a73a84e1c28e667688180f337e0fcc85827c Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 18 Nov 2021 16:50:28 +0100
Subject: [PATCH] ssl session cache and timeout are now configurable.
---
 defaults/main.yml | 2 ++
 templates/nginx-server-ssl.conf.j2 | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index c62f0c2..b2f00ba 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,6 +13,8 @@ nginx_org_modules: []
 # enabled: yes
 # See https://mozilla.github.io/server-side-tls/ssl-config-generator/
 nginx_ssl_level: intermediate
+nginx_ssl_session_cache_size: '10m'
+nginx_ssl_session_timeout: '120m'
 nginx_strict_transport_security_expire: 15768000
 nginx_strict_transport_security_include_subdomains: False
diff --git a/templates/nginx-server-ssl.conf.j2 b/templates/nginx-server-ssl.conf.j2
index d578f53..c7f4a45 100644
--- a/templates/nginx-server-ssl.conf.j2
+++ b/templates/nginx-server-ssl.conf.j2
@@ -5,8 +5,8 @@ ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
 ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
 ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
 {% endif %}
-ssl_session_cache shared:SSL:10m;
-ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:{{ nginx_ssl_session_cache_size }};
+ssl_session_timeout {{ nginx_ssl_session_timeout }};
 ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
 {% if nginx_ssl_level == 'old' %}
 {% if ansible_distribution_version is version_compare('18.04', '>=') %}
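Review bot: The default `nginx_ssl_session_timeout: '120m'` differs from the `1d` the template hard-coded before this change, so hosts that do not override it would presumably get a shorter session-reuse window, while the subject only says the values became configurable. A shorter window is the more conservative setting, but a silent change of default is easy to miss; either keep `nginx_ssl_session_timeout: '1d'` or record the old value next to the new one, for example `# was hard-coded to 1d before this became a variable`. The cache size default keeps the previous `10m`.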
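Review bot: The two directives now accept any operator-supplied value, and nothing next to them says what a longer `nginx_ssl_session_timeout` costs: it is the time during which a client may reuse negotiated session parameters, so cached session state stays usable for that long. I would add a template comment above the pair, `{# session reuse window; longer values keep session keys in the shared cache longer, keep it as short as the workload allows #}`. The values are also rendered without a check, so a malformed size or time string would only be caught when nginx parses the file; whether the role tests the config before reload is not visible here. The `{% if nginx_ssl_level == 'old' %}` block at the end of the hunk continues outside it.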