roles/nginx: Remove "enable_https" config logic

Everything is HTTPS now, whether self-signed or otherwise, so it
doesn't make sense to have a config switch for this.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:38:53 +02:00
parent 940b2720da
commit 43a7039dc9
2 changed files with 78 additions and 88 deletions


@ -1,12 +1,10 @@
{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
{% set enable_https = item.enable_https | default("no") %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{% set enable_hsts = item.enable_hsts | default("no") %}
{% set has_wordpress = item.has_wordpress | default("no") %}
{% if enable_https == "yes" %}
# http -> https vhost
server {
listen 80;
@ -20,25 +18,22 @@ server {
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
}
}
{% endif %}
server {
listen {% if enable_https == "yes" %} 443 ssl http2{% else %} 80{% endif %};
listen [::]{% if enable_https == "yes" %}:443 ssl http2{% else %}:80{% endif %};
listen 443 ssl http2;
listen [::]:443 ssl http2;
root {{ nginx_root_prefix }}/{{ domain_name }};
{# assumes you only want the main domain name listening for https #}
server_name {{ domain_name }} {% if enable_https == "no" %} {{ domain_aliases }}{% endif %};
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }};
index index.php index.html;
access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log;
{% if enable_https == "yes" %}
{% include 'https.j2' %}
{% endif %}
{% include 'https.j2' %}
{% if has_wordpress == "yes" %}
{% include 'wordpress.j2' %}
@ -72,7 +67,7 @@ server {
fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in;
{% if enable_https == "yes" and enable_hsts == "yes" %}
{% if enable_hsts == "yes" %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/