nginx: deploy ssl

c6a17764 · Pietro Albini · 63bf7923 · c6a17764 · c6a17764
Commit c6a17764 authored Mar 15, 2018 by Pietro Albini
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 3 deletions

roles/nginx/templates/firewall.sh roles/nginx/templates/firewall.sh +2 -1

roles/nginx/templates/sites/proxied.conf roles/nginx/templates/sites/proxied.conf +16 -2

No files found.
--- a/roles/nginx/templates/firewall.sh
+++ b/roles/nginx/templates/firewall.sh
@@ -3,5 +3,6 @@
 # {{ ansible_managed }}
 #

-# Allow incoming requests on port 80
+# Allow incoming requests on ports 80 and 443
 command -A public_input_tcp -p tcp --dport 80 -j ACCEPT
+command -A public_input_tcp -p tcp --dport 443 -j ACCEPT
--- a/roles/nginx/templates/sites/proxied.conf
+++ b/roles/nginx/templates/sites/proxied.conf
@@ -4,10 +4,24 @@

 server {
    listen 80;
-    listen [::]:80;
    server_name {{ item.key }};

    location / {
-        proxy_pass http://{{ item.value }}/;
+        return 302 https://{{ item.key }}$request_uri;
+    }
+
+    include /etc/nginx/snippets/dehydrated.conf;
+}
+
+
+server {
+    listen 443 ssl http2;
+    server_name {{ item.key }};
+
+    ssl_certificate /etc/ssl/localcerts/{{ item.key }}/fullchain.pem;
+    ssl_certificate_key /etc/ssl/localcerts/{{ item.key }}/privkey.pem;
+
+    location / {
+        proxy_pass http://{{ item.value }};
    }
 }