simponic/infra
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add httpsms

Browse Source
This commit is contained in:
Elizabeth Hunt 2025-01-02 19:24:55 -05:00
parent b19321bab5
commit 43415bdd56
4 changed files with 60 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
roles/private/files/johan/http.httpsms.internal.simponic.xyz.conf Normal file
View File

@ -0,0 +1,13 @@
server {
listen 80;
server_name httpsms.internal.simponic.xyz;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://httpsms.internal.simponic.xyz$request_uri? permanent;
}
}

45
roles/private/files/johan/https.httpsms.internal.simponic.xyz.conf Normal file
View File

@ -0,0 +1,45 @@
server {
listen 443 ssl;
server_name httpsms.internal.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/httpsms.internal.simponic.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/httpsms.internal.simponic.xyz/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/httpsms.internal.simponic.xyz/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:33221;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $server_name;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
location /api/ {
proxy_pass http://127.0.0.1:33222/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $server_name;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
}

2
roles/private/tasks/main.yml
View File

@ -95,4 +95,4 @@
cron:
name: "letsencrypt_renewal"
special_time: "daily"
job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --force-renewal --non-interactive && systemctl reload nginx"
job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --force-renewal --non-interactive ; systemctl restart nginx"

2
roles/webservers/tasks/main.yml
View File

@ -115,7 +115,7 @@
day: "{{ '%02d' | format(1 + (item.stdout | hash('md5') | int(0, 16) % 27)) }}"
hour: "{{ (item.stdout | hash('md5') | int(0, 16) % 24 ) }}"
minute: "{{ (item.stdout | hash('md5') | int(0, 16) % 60 ) }}"
job: "letsencrypt renew --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos && service nginx reload"
job: "letsencrypt renew --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos ; service nginx restart"
loop: "{{ extracted_domains.results }}"
when: item.stdout != ""