certbot static test for login3

login.yaml

@@ -13,3 +13,4 @@
       - role: login
       - role: reverse_proxy
         hostname: login3
+      - role: certbot

roles/certbot/tasks/main.yaml

@@ -0,0 +1,22 @@
+- name: install certbot
+  apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+  with_items:
+    - certbot
+    - sendmail-bin
+    - cron
+
+- name: request certificate
+  command: certbot certonly -a standalone --preferred-challenges http -d login3.lilik.it -n
+  args:
+    creates: /etc/letsencrypt/live/login3.lilik.it/cert.pem
+
+- name: add certbot cron
+  cron:
+    name: "certbot cron"
+    minute: "30"
+    hour: "2"
+    job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload nginx"'

roles/nginx/templates/proxy_nginx.j2

@@ -1,5 +1,32 @@
 server {
-    server_name {{ server_name }};
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+    ssl_certificate /etc/letsencrypt/live/login3.lilik.it/cert.pem;
+    ssl_certificate_key /etc/letsencrypt/live/login3.lilik.it/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+    #ssl_dhparam /path/to/dhparam.pem;
+
+    # intermediate configuration. tweak to your needs.
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+    ssl_prefer_server_ciphers on;
+
+    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+    add_header Strict-Transport-Security max-age=15768000;
+
+    # OCSP Stapling ---
+    # fetch OCSP records from URL in ssl_certificate and cache them
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
+    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
 
     location / {
         client_max_body_size 50M;
@@ -12,4 +39,5 @@ server {
         proxy_set_header X-Frame-Options SAMEORIGIN;
         proxy_pass {{ remote_host }};
     }
+
 }

roles/reverse_proxy/templates/http.j2

@@ -3,13 +3,17 @@ server {
 
     server_name {{ hostname }}.{{ domain }} www.{{ hostname }}.{{ domain }};
 
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $host;
-    proxy_set_header X-NginX-Proxy true;
-
+    location /.well-known/acme-challenge/ {
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $host;
+      proxy_set_header X-NginX-Proxy true;
+      proxy_pass http://{{ hostvars[ansible_hostname]['ansible_host'] }};
+    }
     location / {
-        proxy_pass http://{{ hostvars[ansible_hostname]['ansible_host'] }};
+      if ($request_method = POST) {
+        return 307 https://$server_name$request_uri;
+      }
+      return 301 https://$server_name$request_uri;
     }
 }
-