roles/nginx: Re-work vhost template to support HTTPS

Assumes you have a TLS cert for one domain, but not the others, i.e.:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
Alan Orth 2014-09-06 21:32:37 +03:00
parent b6d4f090ec
commit 162197ad25
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
3 changed files with 41 additions and 1 deletions


@ -7,4 +7,7 @@ nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots # parent directory of vhost roots
nginx_root_prefix: /var/www nginx_root_prefix: /var/www
# TLS protocol versions to support
nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
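Review bot: The new default `nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2` gives no reason for keeping the two older protocol versions, so a later maintainer cannot tell whether they are a deliberate compatibility concession or an oversight. TLS 1.0 and 1.1 are deprecated (RFC 8996), and this value is applied to every vhost that pulls in the HTTPS snippet. Suggest either narrowing the default to `nginx_tls_protocols: TLSv1.2` or adding `# TLSv1/TLSv1.1 kept only for legacy clients; drop them once no longer required` above the line so the trade-off is recorded next to the setting.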


@ -0,0 +1,16 @@
{% set tls_cert = item.tls_cert %}
{% set tls_key = item.tls_key %}
ssl_certificate {{ tls_cert }};
ssl_certificate_key {{ tls_key }};
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:1m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols {{ nginx_tls_protocols }};
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
# Enable this if you want HSTS (recommended, but be careful)
#add_header Strict-Transport-Security max-age=15768000;
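Review bot: `ssl_dhparam /etc/ssl/certs/dhparam.pem;` points at a file that none of the three changed files creates, and `tls_cipher_suite` is referenced without a default even though `nginx_tls_protocols` gets one in this same commit; if either is absent on a host, nginx rejects the configuration and every HTTPS vhost fails at reload. Presumably both are supplied by another task or by group_vars — if so, a comment naming that dependency would make it visible to whoever adds the next vhost, e.g. `{# requires dhparam.pem to exist and tls_cipher_suite to be defined before this template is rendered #}`. The `{% set tls_cert = item.tls_cert %}` lines deliberately carry no `default`, which is the right call: a vhost that opts into HTTPS without a certificate path fails at template time instead of producing a listener that nginx cannot start.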


@ -1,18 +1,39 @@
{% set domain_name = item.nginx_domain_name %} {% set domain_name = item.nginx_domain_name %}
{% set domain_aliases = item.nginx_domain_aliases | default("") %} {% set domain_aliases = item.nginx_domain_aliases | default("") %}
{% set use_https = item.use_https | default("no") %}
{% if use_https == "yes" %}
# http -> https vhost
server { server {
listen 80; listen 80;
server_name {{ domain_name }} {{ domain_aliases }};
# redirect http -> https
location / {
# ? in rewrite makes sure nginx doesn't append query string again
# see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
}
}
{% endif %}
server {
listen {% if use_https == "yes" %} 443 ssl spdy{% else %} 80{% endif %};
root {{ nginx_root_prefix }}/{{ domain_name }}; root {{ nginx_root_prefix }}/{{ domain_name }};
server_name {{ domain_name }} {{ domain_aliases }}; {# assumes you only want the main domain name listening for https #}
server_name {{ domain_name }} {% if use_https == "no" %} {{ domain_aliases }}{% endif %};
index index.php index.html; index index.php index.html;
access_log /var/log/nginx/{{ domain_name }}-access.log; access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log; error_log /var/log/nginx/{{ domain_name }}-error.log;
{% if use_https == "yes" %}
{% include 'https.j2' %}
{% endif %}
location / { location / {
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
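Review bot: The HTTPS switch is decided by string comparison, `{% if use_https == "yes" %}` at the top of the hunk and again around `listen`, `server_name` and the include, so a vhost written with an unquoted YAML boolean (`use_https: yes`, which loads as `True`) never matches and silently falls back to a plain port-80 vhost carrying all aliases — the opposite of what the operator asked for. Suggest normalising once, `{% set use_https = item.use_https | default(false) | bool %}`, and testing `{% if use_https %}` / `{% if not use_https %}` in the four places that currently compare against "yes"/"no". Separately, the redirect could be written `return 301 https://{{ domain_name }}$request_uri;` instead of the rewrite; both behave the same here, but `return` needs no explanatory comment about the trailing `?`.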