Browse Source

certbot static test for login3

python3
Andrea Cimbalo 8 years ago
parent
commit
4de58737b6
4 changed files with 63 additions and 8 deletions
  1. +1
    -0
      login.yaml
  2. +22
    -0
      roles/certbot/tasks/main.yaml
  3. +29
    -1
      roles/nginx/templates/proxy_nginx.j2
  4. +11
    -7
      roles/reverse_proxy/templates/http.j2

+ 1
- 0
login.yaml View File

@ -13,3 +13,4 @@
- role: login - role: login
- role: reverse_proxy - role: reverse_proxy
hostname: login3 hostname: login3
- role: certbot

+ 22
- 0
roles/certbot/tasks/main.yaml View File

@ -0,0 +1,22 @@
- name: install certbot
apt:
name: "{{ item }}"
state: present
update_cache: yes
cache_valid_time: 3600
with_items:
- certbot
- sendmail-bin
- cron
- name: request certificate
command: certbot certonly -a standalone --preferred-challenges http -d login3.lilik.it -n
args:
creates: /etc/letsencrypt/live/login3.lilik.it/cert.pem
- name: add certbot cron
cron:
name: "certbot cron"
minute: "30"
hour: "2"
job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload nginx"'

+ 29
- 1
roles/nginx/templates/proxy_nginx.j2 View File

@ -1,5 +1,32 @@
server { server {
server_name {{ server_name }};
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/login3.lilik.it/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/login3.lilik.it/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
location / { location / {
client_max_body_size 50M; client_max_body_size 50M;
@ -12,4 +39,5 @@ server {
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass {{ remote_host }}; proxy_pass {{ remote_host }};
} }
} }

+ 11
- 7
roles/reverse_proxy/templates/http.j2 View File

@ -3,13 +3,17 @@ server {
server_name {{ hostname }}.{{ domain }} www.{{ hostname }}.{{ domain }}; server_name {{ hostname }}.{{ domain }} www.{{ hostname }}.{{ domain }};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
location /.well-known/acme-challenge/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://{{ hostvars[ansible_hostname]['ansible_host'] }};
}
location / { location / {
proxy_pass http://{{ hostvars[ansible_hostname]['ansible_host'] }};
if ($request_method = POST) {
return 307 https://$server_name$request_uri;
}
return 301 https://$server_name$request_uri;
} }
} }

Loading…
Cancel
Save