Hubs: we use a SSL proxy in staging

This commit is contained in:
Aurélien Bompard 2018-02-20 14:10:11 +00:00
parent 88dfabb402
commit 99fbf6fcd9
3 changed files with 28 additions and 15 deletions


@ -98,8 +98,11 @@
hubs_dev_mode: false hubs_dev_mode: false
hubs_conf_dir: /etc/fedora-hubs hubs_conf_dir: /etc/fedora-hubs
hubs_var_dir: /var/lib/fedora-hubs hubs_var_dir: /var/lib/fedora-hubs
hubs_ssl_cert: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/fullchain.pem #hubs_ssl_cert: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/fullchain.pem
hubs_ssl_key: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/privkey.pem #hubs_ssl_key: /etc/letsencrypt/live/hubs.stg.fedoraproject.org/privkey.pem
# Set to null because we use a SSL proxy
hubs_ssl_cert: null
hubs_ssl_key: null
hubs_fas_username: "{{ fedoraDummyUser }}" hubs_fas_username: "{{ fedoraDummyUser }}"
hubs_fas_password: "{{ fedoraDummyUserPassword }}" hubs_fas_password: "{{ fedoraDummyUserPassword }}"
hubs_oidc_url: id.stg.fedoraproject.org hubs_oidc_url: id.stg.fedoraproject.org
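Review bot: Nulling `hubs_ssl_cert`/`hubs_ssl_key` makes the staging host serve plain HTTP, and the vars file records only why (the SSL proxy) but not the assumption that makes this safe: that port 80 is reachable solely from that proxy. Since the comment on these keys is the only place that assumption lives, I would extend it to `# Set to null because we use a SSL proxy; port 80 must be reachable only from the proxy, never directly`. The old cert and key paths are now kept as commented-out lines above the null values; they will drift from whatever the proxy actually uses, so either drop them or note that they are the values to restore if TLS is re-enabled on the host.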


@ -10,11 +10,13 @@
- name: install python3-certbot-nginx - name: install python3-certbot-nginx
dnf: name=python3-certbot-nginx state=present dnf: name=python3-certbot-nginx state=present
when: hubs_ssl_cert != None
- name: get the letsencrypt cert - name: get the letsencrypt cert
command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ ansible_fqdn }} --agree-tos --email admin@fedoraproject.org command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ hubs_url_hostname }} --agree-tos --email admin@fedoraproject.org
args: args:
creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem creates: "{{ hubs_ssl_key }}"
when: hubs_ssl_cert != None
notify: notify:
- restart nginx - restart nginx
@ -34,6 +36,7 @@
with_first_found: with_first_found:
- nginx_ssl_params.{{ ansible_hostname }} - nginx_ssl_params.{{ ansible_hostname }}
- nginx_ssl_params - nginx_ssl_params
when: hubs_ssl_cert != None
notify: notify:
- restart nginx - restart nginx
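Review bot: The three new guards test only `hubs_ssl_cert != None`, but the certbot task's `creates:` now reads `hubs_ssl_key`; if the two variables ever disagree (cert set, key null) the guard passes and `creates` becomes the string "None", so certbot runs on every play. Guard on both values, and use the Jinja test rather than comparing to the `None` literal: `when: hubs_ssl_cert is not none and hubs_ssl_key is not none` (the same change applies to the guard in the second hunk, whose task begins outside the hunk). A short comment above the first guarded task, e.g. `# TLS tasks are skipped when the host sits behind an SSL proxy (cert/key set to null)`, would make the intent visible where the tasks are read.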


@ -14,24 +14,20 @@ upstream hubs-sse {
server 127.0.0.1:8080 fail_timeout=0; server 127.0.0.1:8080 fail_timeout=0;
} }
# Redirect cleartext traffic to HTTPS
server {
listen 80;
listen [::]:80;
server_name {{ hubs_url_hostname }};
return 301 https://$server_name$request_uri;
}
# Main server block # Main server block
server { server {
{% if hubs_ssl_cert == None %}
listen 80;
listen [::]:80;
{% else %}
listen 443 deferred; listen 443 deferred;
listen [::]:443 deferred; listen [::]:443 deferred;
client_max_body_size 4G; include ssl_params;
{% endif %}
server_name {{ hubs_url_hostname }}; server_name {{ hubs_url_hostname }};
include ssl_params; client_max_body_size 4G;
keepalive_timeout 5; keepalive_timeout 5;
location / { location / {
@ -67,3 +63,14 @@ server {
# root /path/to/app/current/public; # root /path/to/app/current/public;
#} #}
} }
{% if hubs_ssl_cert != None %}
# Redirect cleartext traffic to HTTPS
server {
listen 80;
listen [::]:80;
server_name {{ hubs_url_hostname }};
return 301 https://$server_name$request_uri;
}
{% endif %}
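Review bot: In the `hubs_ssl_cert == None` branch nginx now accepts plain HTTP from the proxy, but this hunk adds nothing that tells nginx which peer is the proxy, so client addresses logged or passed upstream will be the proxy's and the application sees the request scheme as http unless the forwarded headers are handled further down. The `location /` block continues outside the hunk, so that handling may already exist; if it does not, the cleartext branch should carry `set_real_ip_from <PROXY-ADDRESS-PLACEHOLDER>;` and `real_ip_header X-Forwarded-For;` and forward `X-Forwarded-Proto` to the app. For consistency with the Ansible side, the Jinja condition reads better as `{% if hubs_ssl_cert is none %}`. A one-line comment above the branch, `# Behind the SSL proxy (no local cert): terminate TLS upstream, serve plain HTTP here`, would explain why a production-style vhost has an HTTP-only mode.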