From 99fbf6fcd9b7eda760a081efc5a31aa64beb1195 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Tue, 20 Feb 2018 14:10:11 +0000
Subject: [PATCH] Hubs: we use a SSL proxy in staging

---
 playbooks/groups/hubs.yml | 7 +++++--
 roles/hubs/tasks/webserver.yml | 7 +++++--
 roles/hubs/templates/nginx.conf | 29 ++++++++++++++++++-----------
 3 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/playbooks/groups/hubs.yml b/playbooks/groups/hubs.yml
index bb571d1384..382a6c1085 100644
--- a/playbooks/groups/hubs.yml
+++ b/playbooks/groups/hubs.yml
@@ -98,8 +98,11 @@
 hubs_dev_mode: false
 hubs_conf_dir: /etc/fedora-hubs
 hubs_var_dir: /var/lib/fedora-hubs
- hubs_ssl_cert: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/fullchain.pem
- hubs_ssl_key: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/privkey.pem
+ #hubs_ssl_cert: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/fullchain.pem
+ #hubs_ssl_key: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/privkey.pem
+ # Set to null because we use a SSL proxy
+ hubs_ssl_cert: null
+ hubs_ssl_key: null
 hubs_fas_username: "{{ fedoraDummyUser }}"
 hubs_fas_password: "{{ fedoraDummyUserPassword }}"
 hubs_oidc_url: id.stg.fedoraproject.org
diff --git a/roles/hubs/tasks/webserver.yml b/roles/hubs/tasks/webserver.yml
index 4224cd2b7f..9aecba8160 100644
--- a/roles/hubs/tasks/webserver.yml
+++ b/roles/hubs/tasks/webserver.yml
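Review bot: The two `#hubs_ssl_cert` / `#hubs_ssl_key` lines are dead configuration kept as comments; git history already records the old Let's Encrypt paths, so drop them and let the explanatory comment carry the intent. Setting both variables to `null` also means nginx on this host will accept the proxy's traffic in cleartext on port 80 (per the nginx.conf change in this patch), so the comment should say where TLS now terminates and who is expected to reach that port, e.g. `# null: TLS terminates at the staging SSL proxy; nginx serves plain HTTP to the proxy on port 80`. It is worth confirming that the proxy passes the original scheme to the application (a forwarded-proto header or equivalent), since nothing on this host implies HTTPS any more.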
@@ -10,11 +10,13 @@
 - name: install python3-certbot-nginx
 dnf: name=python3-certbot-nginx state=present
+ when: hubs_ssl_cert != None
 - name: get the letsencrypt cert
- command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ ansible_fqdn }} --agree-tos --email admin@fedoraproject.org
+ command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ hubs_url_hostname }} --agree-tos --email admin@fedoraproject.org
 args:
- creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem
+ creates: "{{ hubs_ssl_key }}"
+ when: hubs_ssl_cert != None
 notify:
 - restart nginx
@@ -34,6 +36,7 @@
 with_first_found:
 - nginx_ssl_params.{{ ansible_hostname }}
 - nginx_ssl_params
+ when: hubs_ssl_cert != None
 notify:
 - restart nginx
diff --git a/roles/hubs/templates/nginx.conf b/roles/hubs/templates/nginx.conf
index 853ba747e0..d36c412ee7 100644
--- a/roles/hubs/templates/nginx.conf
+++ b/roles/hubs/templates/nginx.conf
@@ -14,24 +14,20 @@ upstream hubs-sse {
 server 127.0.0.1:8080 fail_timeout=0;
 }
-
-# Redirect cleartext traffic to HTTPS
-server {
- listen 80;
- listen [::]:80;
- server_name {{ hubs_url_hostname }};
- return 301 https://$server_name$request_uri;
-}
-
 # Main server block
 server {
+{% if hubs_ssl_cert == None %}
+ listen 80;
+ listen [::]:80;
+{% else %}
 listen 443 deferred;
 listen [::]:443 deferred;
- client_max_body_size 4G;
+ include ssl_params;
+{% endif %}
 server_name {{ hubs_url_hostname }};
- include ssl_params;
+ client_max_body_size 4G;
 keepalive_timeout 5;
 location / {
@@ -67,3 +63,14 @@ server {
 # root /path/to/app/current/public;
 #}
 }
+
+
+{% if hubs_ssl_cert != None %}
+# Redirect cleartext traffic to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ hubs_url_hostname }};
+ return 301 https://$server_name$request_uri;
+}
+{% endif %}
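Review bot: `creates: "{{ hubs_ssl_key }}"` only keeps the certbot task idempotent when `hubs_ssl_key` is the file certbot actually writes, i.e. `/etc/letsencrypt/live/{{ hubs_url_hostname }}/privkey.pem`; for any host where the key path differs, certbot would run on every play (stopping nginx through the pre-hook each time) and could exhaust the Let's Encrypt issuance rate limit. The removed `creates:` was derived from the same name as the `-d` argument, which kept the two coupled; either derive both from one expression or assert the relationship before this task. The new `when:` guards only on `hubs_ssl_cert`; if `hubs_ssl_key` can be null on its own, `creates` would presumably render as the string `None` and the guard would be lost, so `when: hubs_ssl_cert is not none and hubs_ssl_key is not none` on both tasks would be safer.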
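Review bot: `when: hubs_ssl_cert != None` leans on Jinja accepting Python's `None` spelling and reads as an equality rather than a null test; the idiomatic Ansible form is `when: hubs_ssl_cert is not none`. The same expression is added twice in the preceding hunk of this file, so change all three together. If any inventory group leaves `hubs_ssl_cert` undefined rather than null, the comparison fails the play with an undefined-variable error, so the role default (not part of this patch) should define it explicitly.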
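Review bot: In the `hubs_ssl_cert == None` branch the main server block now accepts plain HTTP on port 80 with nothing in the template restricting who may connect, so unless host firewalling already limits port 80 to the proxy, add an `allow`/`deny` list for the proxy addresses next to the new `listen 80;` lines, or record in a comment that the firewall enforces it. Whatever `ssl_params` sets beyond the certificate (HSTS or other security headers, if it carries them) is also skipped in this branch, so the proxy must emit those itself; a template comment such as `# TLS terminates at the proxy in this branch: HSTS and the HTTPS redirect must be enforced there` would make that contract explicit. The proxied `location /` further down is outside this hunk; confirm that the scheme it forwards to the application reflects the client-facing HTTPS rather than `$scheme`, which is `http` here. For consistency with Jinja's tests, `{% if hubs_ssl_cert is none %}` reads better than `== None`.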
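Review bot: A one-line comment above `{% if hubs_ssl_cert != None %}` would save the next reader from having to pair this condition with the `listen 80` branch earlier in the template, e.g. `{# Only when TLS terminates here; in proxy mode the main block already owns port 80 and the proxy does the redirect #}`. Consider `is not none` here as well so both branches use the same Jinja test.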