refactor: replace custom DH parameters with built-in 2048-bit DH param

elasticroentgen · elasticroentgen · commit 96c0bf677a43 · 2026-04-21T10:16:05.000+02:00
Remove manual download of Mozilla DH parameters file and use HAProxy's
built-in tune.ssl.default-dh-param setting for better maintainability
diff --git a/roles/haproxy_lb/tasks/main.yaml b/roles/haproxy_lb/tasks/main.yaml
@@ -53,12 +53,6 @@
     src: files/{{ item }}.html
     dest: /etc/haproxy/errors/{{ item }}.http
     mode: "0644"
-- name: Download diffie-hellman parameters from mozilla
-  ansible.builtin.get_url:
-    url: https://ssl-config.mozilla.org/ffdhe2048.txt
-    dest: /var/lib/dhparam
-    mode: '0644'
-    force: true
 - name: Set lb_hostvars equal to hostvars if not already set
   check_mode: false
   ansible.builtin.set_fact:
diff --git a/roles/haproxy_lb/templates/haproxy.conf.j2 b/roles/haproxy_lb/templates/haproxy.conf.j2
@@ -27,7 +27,7 @@ global
     ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
     ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
 
-    ssl-dh-param-file /var/lib/dhparam
+    tune.ssl.default-dh-param 2048
 
     {% if haproxy_lb_quic_enabled | default(false) %}
     # QUIC DDoS protection: force Retry token exchange above threshold
