Hubs: we use a SSL proxy in staging

2018-02-20 14:10:11 +00:00 · 2018-02-20 14:10:11 +00:00 · 99fbf6fcd9
commit 99fbf6fcd9
parent 88dfabb402
3 changed files with 28 additions and 15 deletions
--- a/playbooks/groups/hubs.yml
+++ b/playbooks/groups/hubs.yml
@ -98,8 +98,11 @@
    hubs_dev_mode: false
    hubs_conf_dir: /etc/fedora-hubs
    hubs_var_dir: /var/lib/fedora-hubs
-    hubs_ssl_cert: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/fullchain.pem
-    hubs_ssl_key: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/privkey.pem
+    #hubs_ssl_cert: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/fullchain.pem
+    #hubs_ssl_key: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/privkey.pem
+    # Set to null because we use a SSL proxy
+    hubs_ssl_cert: null
+    hubs_ssl_key: null
    hubs_fas_username: "{{ fedoraDummyUser }}"
    hubs_fas_password: "{{ fedoraDummyUserPassword }}"
    hubs_oidc_url: id.stg.fedoraproject.org
--- a/roles/hubs/tasks/webserver.yml
+++ b/roles/hubs/tasks/webserver.yml
@ -10,11 +10,13 @@

 - name: install python3-certbot-nginx
  dnf: name=python3-certbot-nginx state=present
+  when: hubs_ssl_cert != None

 - name: get the letsencrypt cert
-  command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ ansible_fqdn }} --agree-tos --email admin@fedoraproject.org
+  command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ hubs_url_hostname }} --agree-tos --email admin@fedoraproject.org
  args:
-    creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem
+    creates: "{{ hubs_ssl_key }}"
+  when: hubs_ssl_cert != None
  notify:
    - restart nginx

@ -34,6 +36,7 @@
  with_first_found:
    - nginx_ssl_params.{{ ansible_hostname }}
    - nginx_ssl_params
+  when: hubs_ssl_cert != None
  notify:
    - restart nginx

--- a/roles/hubs/templates/nginx.conf
+++ b/roles/hubs/templates/nginx.conf
@ -14,24 +14,20 @@ upstream hubs-sse {
    server 127.0.0.1:8080 fail_timeout=0;
 }

-
-# Redirect cleartext traffic to HTTPS
-server {
-    listen 80;
-    listen [::]:80;
-    server_name {{ hubs_url_hostname }};
-    return 301 https://$server_name$request_uri;
-}
-
 # Main server block
 server {
+{% if hubs_ssl_cert == None %}
+    listen 80;
+    listen [::]:80;
+{% else %}
    listen 443 deferred;
    listen [::]:443 deferred;
-    client_max_body_size 4G;
+    include ssl_params;
+{% endif %}

    server_name {{ hubs_url_hostname }};

-    include ssl_params;
+    client_max_body_size 4G;
    keepalive_timeout 5;

    location / {
@ -67,3 +63,14 @@ server {
    #  root /path/to/app/current/public;
    #}
  }
+
+
+{% if hubs_ssl_cert != None %}
+# Redirect cleartext traffic to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ hubs_url_hostname }};
+    return 301 https://$server_name$request_uri;
+}
+{% endif %}