From 162197ad25f7aaf661c9ad504a8fd1c91a2ad717 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 6 Sep 2014 21:32:37 +0300
Subject: [PATCH] roles/nginx: Re-work vhost template to support HTTPS

Assumes you have a TLS cert for one domain, but not the others, ie:

http://blah.com \
http://blah.net -> https://blah.io
http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth
---
roles/nginx/defaults/main.yml | 3 +++
roles/nginx/templates/https.j2 | 16 ++++++++++++++++
roles/nginx/templates/vhost.conf.j2 | 23 ++++++++++++++++++++++-
3 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 roles/nginx/templates/https.j2

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 2d3a64f..6a09235 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -7,4 +7,7 @@ nginx_confd_path: /etc/nginx/conf.d
 # parent directory of vhost roots
 nginx_root_prefix: /var/www
+# TLS protocol versions to support
+nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2
+
 # vim: set ts=2 sw=2:
diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
new file mode 100644
index 0000000..d094aeb
--- /dev/null
+++ b/roles/nginx/templates/https.j2
@@ -0,0 +1,16 @@
+{% set tls_cert = item.tls_cert %}
+{% set tls_key = item.tls_key %}
+
+ ssl_certificate {{ tls_cert }};
+ ssl_certificate_key {{ tls_key }};
+
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:1m;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ ssl_protocols {{ nginx_tls_protocols }};
+ ssl_ciphers "{{ tls_cipher_suite }}";
+ ssl_prefer_server_ciphers on;
+
+ # Enable this if you want HSTS (recommended, but be careful)
+ #add_header Strict-Transport-Security max-age=15768000;
+
diff --git a/roles/nginx/templates/vhost.conf.j2 b/roles/nginx/templates/vhost.conf.j2
index c5fe70b..e8ac56b 100644
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
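Review bot: The new role default `nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2` enables TLS 1.0 and 1.1 for every HTTPS vhost rendered by this role, and both versions have since been formally deprecated (RFC 8996) because of their weaker handshake and cipher constructions. Since this is a role default that any playbook can override per deployment, the safer default is `nginx_tls_protocols: TLSv1.2`, with the comment `# TLS protocol versions to support; add TLSv1.1/TLSv1 only for legacy clients` so the trade-off is explicit. At the commit date (2014) TLS 1.0 clients were still common, so this may have been a deliberate compatibility choice; if so, the comment should say that so a later maintainer knows it is safe to tighten.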
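Review bot: `ssl_ciphers "{{ tls_cipher_suite }}";` references `tls_cipher_suite`, which this commit does not add to `roles/nginx/defaults/main.yml` (only `nginx_tls_protocols` is added there), so unless it is defined elsewhere in the inventory the render either fails on an undefined variable or emits `ssl_ciphers "";` and leaves cipher selection to the OpenSSL default. Likewise `ssl_dhparam /etc/ssl/certs/dhparam.pem;` is a hard-coded path and nothing in the patch creates that file; nginx refuses to load the configuration when the DH parameter file is missing. I would define `tls_cipher_suite` and an `nginx_dhparam_path: /etc/ssl/certs/dhparam.pem` in the role defaults, template the directive as `ssl_dhparam {{ nginx_dhparam_path }};`, and either add a task that generates 2048-bit-or-larger DH parameters or document it as a prerequisite of the role. The commented-out HSTS header is a reasonable default, but its comment should say what the caution is about: `# HSTS pins browsers to HTTPS for max-age seconds; enable only once every alias redirects cleanly to a valid certificate`.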
@@ -1,18 +1,39 @@
 {% set domain_name = item.nginx_domain_name %}
 {% set domain_aliases = item.nginx_domain_aliases | default("") %}
+{% set use_https = item.use_https | default("no") %}
+{% if use_https == "yes" %}
+# http -> https vhost
 server {
 listen 80;
+ server_name {{ domain_name }} {{ domain_aliases }};
+
+ # redirect http -> https
+ location / {
+ # ? in rewrite makes sure nginx doesn't append query string again
+ # see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
+ rewrite ^ https://{{ domain_name }}$request_uri? permanent;
+ }
+}
+{% endif %}
+
+server {
+ listen {% if use_https == "yes" %} 443 ssl spdy{% else %} 80{% endif %};
 root {{ nginx_root_prefix }}/{{ domain_name }};
- server_name {{ domain_name }} {{ domain_aliases }};
+ {# assumes you only want the main domain name listening for https #}
+ server_name {{ domain_name }} {% if use_https == "no" %} {{ domain_aliases }}{% endif %};
 index index.php index.html;
 access_log /var/log/nginx/{{ domain_name }}-access.log;
 error_log /var/log/nginx/{{ domain_name }}-error.log;
+ {% if use_https == "yes" %}
+ {% include 'https.j2' %}
+ {% endif %}
+
 location / {
 try_files $uri $uri/ =404;
 }
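Review bot: The `use_https` flag is compared as a string (`use_https == "yes"` and `use_https == "no"`), but a YAML vhost entry written as `use_https: yes` is parsed by Ansible as boolean `True`, which matches neither string, so such a vhost silently renders as a plain port-80 server with the aliases attached and no redirect — the opposite of what was requested, with no error to notice. Normalising once at the top avoids this: `{% set use_https = item.use_https | default(false) | bool %}`, then `{% if use_https %}` and `{% if not use_https %}` in place of the four string comparisons. The hard-coded `spdy` in `listen {% if use_https == "yes" %} 443 ssl spdy{% else %} 80{% endif %};` also ties the template to an nginx built with the SPDY module, which was removed in nginx 1.9.5 in favour of http2, so a variable such as `{{ nginx_tls_listen_options | default('ssl') }}` would keep the template usable across builds. The HTTPS `server` block closes outside this hunk, so any further directives there that depend on the flag need the same treatment.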