bundles/nginx: only redirect to ssl for sites which actually have ssl enabled
All checks were successful
bundlewrap/pipeline/head This commit looks good

This commit is contained in:
Franzi 2021-04-25 09:20:16 +02:00
parent 690e56f558
commit 44d42de81c
Signed by: kunsi
GPG key ID: 12E3D2136B818350
3 changed files with 33 additions and 29 deletions

View file

@ -4,11 +4,6 @@ server {
server_name _;
location / {
return 308 https://$host$request_uri;
return 404;
}
% if needs_le:
location /.well-known/acme-challenge/ {
alias /var/lib/dehydrated/acme-challenges/;
}
% endif
}

View file

@ -7,7 +7,30 @@ server {
root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
index ${' '.join(index)};
listen 80;
listen [::]:80;
% if ssl:
location / {
return 308 https://$host$request_uri;
}
% if ssl == 'letsencrypt':
location /.well-known/acme-challenge/ {
alias /var/lib/dehydrated/acme-challenges/;
}
% endif
}
server {
% if domain_aliases:
server_name ${domain} ${' '.join(sorted(domain_aliases))};
% else:
server_name ${domain};
% endif
root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
index ${' '.join(index)};
listen 443 ssl http2;
listen [::]:443 ssl http2;
@ -26,9 +49,6 @@ server {
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
% else:
listen 80;
listen [::]:80;
% endif
resolver 8.8.8.8 8.8.4.4 valid=300s;

View file

@ -32,6 +32,12 @@ files = {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/000-port80.conf': {
'source': 'port80.conf',
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/usr/local/share/icinga/plugins/check_nginx_status': {
'mode': '0755',
},
@ -53,8 +59,6 @@ svc_systemd = {
},
}
install_port80_redirect = False
port80_has_letsencrypt = False
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
if not 'domain' in config:
config['domain'] = vhost
@ -90,8 +94,6 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
if config.get('ssl', 'letsencrypt') == 'letsencrypt':
files[f'/etc/nginx/sites/{vhost}']['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
files[f'/etc/nginx/sites/{vhost}']['needed_by'].add('action:letsencrypt_update_certificates')
port80_has_letsencrypt = True
install_port80_redirect = True
elif config.get('ssl', 'letsencrypt'):
files[f'/etc/nginx/ssl/{vhost}.crt'] = {
@ -122,16 +124,3 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.crt')
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.key')
install_port80_redirect = True
if install_port80_redirect:
files['/etc/nginx/sites/000-port80.conf'] = {
'source': 'port80.conf',
'content_type': 'mako',
'context': {
'needs_le': port80_has_letsencrypt,
},
'triggers': {
'svc_systemd:nginx:restart',
},
}