bundles/nginx: only redirect to ssl for sites which actually have ssl enabled
All checks were successful
bundlewrap/pipeline/head This commit looks good
All checks were successful
bundlewrap/pipeline/head This commit looks good
This commit is contained in:
parent
690e56f558
commit
44d42de81c
3 changed files with 33 additions and 29 deletions
|
@ -4,11 +4,6 @@ server {
|
||||||
server_name _;
|
server_name _;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 308 https://$host$request_uri;
|
return 404;
|
||||||
}
|
}
|
||||||
% if needs_le:
|
|
||||||
location /.well-known/acme-challenge/ {
|
|
||||||
alias /var/lib/dehydrated/acme-challenges/;
|
|
||||||
}
|
|
||||||
% endif
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,17 +7,40 @@ server {
|
||||||
root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
|
root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
|
||||||
index ${' '.join(index)};
|
index ${' '.join(index)};
|
||||||
|
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
% if ssl:
|
% if ssl:
|
||||||
|
location / {
|
||||||
|
return 308 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
% if ssl == 'letsencrypt':
|
||||||
|
location /.well-known/acme-challenge/ {
|
||||||
|
alias /var/lib/dehydrated/acme-challenges/;
|
||||||
|
}
|
||||||
|
% endif
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
% if domain_aliases:
|
||||||
|
server_name ${domain} ${' '.join(sorted(domain_aliases))};
|
||||||
|
% else:
|
||||||
|
server_name ${domain};
|
||||||
|
% endif
|
||||||
|
root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
|
||||||
|
index ${' '.join(index)};
|
||||||
|
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
% if ssl == 'letsencrypt':
|
% if ssl == 'letsencrypt':
|
||||||
ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
|
ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
|
||||||
ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
|
ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
|
||||||
% else:
|
% else:
|
||||||
ssl_certificate /etc/nginx/ssl/${vhost}.crt;
|
ssl_certificate /etc/nginx/ssl/${vhost}.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
|
ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
|
||||||
% endif
|
% endif
|
||||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
@ -26,9 +49,6 @@ server {
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
||||||
% else:
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
% endif
|
% endif
|
||||||
|
|
||||||
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
||||||
|
|
|
@ -32,6 +32,12 @@ files = {
|
||||||
'svc_systemd:nginx:restart',
|
'svc_systemd:nginx:restart',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
'/etc/nginx/sites/000-port80.conf': {
|
||||||
|
'source': 'port80.conf',
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:nginx:restart',
|
||||||
|
},
|
||||||
|
},
|
||||||
'/usr/local/share/icinga/plugins/check_nginx_status': {
|
'/usr/local/share/icinga/plugins/check_nginx_status': {
|
||||||
'mode': '0755',
|
'mode': '0755',
|
||||||
},
|
},
|
||||||
|
@ -53,8 +59,6 @@ svc_systemd = {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
install_port80_redirect = False
|
|
||||||
port80_has_letsencrypt = False
|
|
||||||
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
||||||
if not 'domain' in config:
|
if not 'domain' in config:
|
||||||
config['domain'] = vhost
|
config['domain'] = vhost
|
||||||
|
@ -90,8 +94,6 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
||||||
if config.get('ssl', 'letsencrypt') == 'letsencrypt':
|
if config.get('ssl', 'letsencrypt') == 'letsencrypt':
|
||||||
files[f'/etc/nginx/sites/{vhost}']['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
|
files[f'/etc/nginx/sites/{vhost}']['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
|
||||||
files[f'/etc/nginx/sites/{vhost}']['needed_by'].add('action:letsencrypt_update_certificates')
|
files[f'/etc/nginx/sites/{vhost}']['needed_by'].add('action:letsencrypt_update_certificates')
|
||||||
port80_has_letsencrypt = True
|
|
||||||
install_port80_redirect = True
|
|
||||||
|
|
||||||
elif config.get('ssl', 'letsencrypt'):
|
elif config.get('ssl', 'letsencrypt'):
|
||||||
files[f'/etc/nginx/ssl/{vhost}.crt'] = {
|
files[f'/etc/nginx/ssl/{vhost}.crt'] = {
|
||||||
|
@ -122,16 +124,3 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
||||||
|
|
||||||
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.crt')
|
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.crt')
|
||||||
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.key')
|
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.key')
|
||||||
install_port80_redirect = True
|
|
||||||
|
|
||||||
if install_port80_redirect:
|
|
||||||
files['/etc/nginx/sites/000-port80.conf'] = {
|
|
||||||
'source': 'port80.conf',
|
|
||||||
'content_type': 'mako',
|
|
||||||
'context': {
|
|
||||||
'needs_le': port80_has_letsencrypt,
|
|
||||||
},
|
|
||||||
'triggers': {
|
|
||||||
'svc_systemd:nginx:restart',
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
Loading…
Reference in a new issue