roles/nginx: Re-work vhost template to support HTTPS
Assumes you have a TLS cert for one domain but not the others, i.e. http://blah.com, http://blah.net and http://blah.org all redirect to https://blah.io. Otherwise, without HTTPS, it creates a single vhost that serves all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
parent
b6d4f090ec
commit
162197ad25
@ -7,4 +7,7 @@ nginx_confd_path: /etc/nginx/conf.d
|
||||
# parent directory of vhost roots
|
||||
nginx_root_prefix: /var/www
|
||||
|
||||
# TLS protocol versions to support
|
||||
nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2
|
||||
|
||||
# vim: set ts=2 sw=2:
|
||||
|
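--- /dev/null
+++ b/roles/nginx/templates/https.j2
@@ -0,0 +1,16 @@
+{% set tls_cert = item.tls_cert %}
+{% set tls_key = item.tls_key %}
+
+ssl_certificate {{ tls_cert }};
+ssl_certificate_key {{ tls_key }};
+
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:1m;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_protocols {{ nginx_tls_protocols }};
+ssl_ciphers "{{ tls_cipher_suite }}";
+ssl_prefer_server_ciphers on;
+
+# Enable this if you want HSTS (recommended, but be careful)
+#add_header Strict-Transport-Security max-age=15768000;
+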
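Review bot: `ssl_dhparam /etc/ssl/certs/dhparam.pem;` hard-codes a file that nothing in this commit creates or declares, so nginx will refuse to load any HTTPS vhost until an operator generates it by hand; either template the path from a variable alongside `tls_cert`/`tls_key` and add a task that generates it (e.g. `openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048`), or drop the directive and rely on ECDHE key exchange. `ssl_protocols {{ nginx_tls_protocols }}` inherits `TLSv1 TLSv1.1 TLSv1.2` from the defaults hunk above; TLS 1.0 and 1.1 are deprecated, so the default should be `nginx_tls_protocols: TLSv1.2` unless legacy clients are a stated requirement. `tls_cipher_suite` is referenced here but, unlike `nginx_tls_protocols`, is not defined in this commit — presumably it lives elsewhere in the role or inventory, but it is worth confirming or adding a sane default so a missing variable fails at template time rather than at deploy.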
@ -1,18 +1,39 @@
|
||||
{% set domain_name = item.nginx_domain_name %}
|
||||
{% set domain_aliases = item.nginx_domain_aliases | default("") %}
|
||||
{% set use_https = item.use_https | default("no") %}
|
||||
|
||||
{% if use_https == "yes" %}
|
||||
# http -> https vhost
|
||||
server {
|
||||
listen 80;
|
||||
server_name {{ domain_name }} {{ domain_aliases }};
|
||||
|
||||
# redirect http -> https
|
||||
location / {
|
||||
# ? in rewrite makes sure nginx doesn't append query string again
|
||||
# see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
|
||||
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
|
||||
}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
server {
|
||||
listen {% if use_https == "yes" %} 443 ssl spdy{% else %} 80{% endif %};
|
||||
|
||||
root {{ nginx_root_prefix }}/{{ domain_name }};
|
||||
|
||||
server_name {{ domain_name }} {{ domain_aliases }};
|
||||
{# assumes you only want the main domain name listening for https #}
|
||||
server_name {{ domain_name }} {% if use_https == "no" %} {{ domain_aliases }}{% endif %};
|
||||
|
||||
index index.php index.html;
|
||||
|
||||
access_log /var/log/nginx/{{ domain_name }}-access.log;
|
||||
error_log /var/log/nginx/{{ domain_name }}-error.log;
|
||||
|
||||
{% if use_https == "yes" %}
|
||||
{% include 'https.j2' %}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|