foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nginx/server: Add plaintext HTTP server support for cert validation

Browse source
This commit is contained in:
Timo Makinen 2021-03-22 20:35:38 +00:00
parent 65e34954f0
commit 147c8d4db5
1 changed files with 20 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

25
roles/nginx/server/templates/nginx.conf.j2
View file

@ -13,6 +13,25 @@ http {
'"$http_user_agent" $host';
access_log {{ nginx_logdir }}/access.log main;
proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt;
proxy_ssl_verify on;
{% if plaintext is defined %}
server {
listen 80;
listen [::]:80;
server_name {{ inventory_hostname }};
location /.well-known/acme-challenge/ {
proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
}
location / {
return 301 https://$host$request_uri;
}
}
{% else %}
ssl on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
@ -22,11 +41,6 @@ http {
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt;
proxy_ssl_verify on;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
@ -45,5 +59,6 @@ http {
include /etc/nginx/mime.types;
include /etc/nginx/conf.d/*.conf;
{% endif %}
}