roles/nginx: Allow using self-signed TLS certs with dev hosts
Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev hosts where we don't have real domains or real certs. But everything should have TLS. Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
parent
4507e20155
commit
98afeddbbf
@ -1,11 +1,20 @@
|
||||
{% set domain_name = item.nginx_domain_name %}
|
||||
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
|
||||
{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
|
||||
{# use self-signed certs? yes on development, no on production #}
|
||||
{% set use_snakeoil_cert = item.use_snakeoil_cert | default("no") %}
|
||||
|
||||
{# better to check for "not yes" then "no" #}
|
||||
{% if use_snakeoil_cert != "yes" %}
|
||||
# concatenated key + cert
|
||||
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
||||
ssl_certificate {{ tls_key_dir }}/{{ domain_name }}/fullchain.pem;
|
||||
ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}/privkey.pem;
|
||||
{% else %}
|
||||
# "snakeoil" certificate (self signed!)
|
||||
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
|
||||
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
|
||||
{% endif %}
|
||||
|
||||
ssl_session_timeout {{ nginx_ssl_session_timeout }};
|
||||
ssl_session_cache {{ nginx_ssl_session_cache }};
|
||||
@ -16,6 +25,8 @@
|
||||
ssl_ciphers "{{ tls_cipher_suite }}";
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
{# OSCP stapling only works with real certs #}
|
||||
{% if use_snakeoil_cert != "yes" %}
|
||||
# OCSP stapling...
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
@ -24,7 +35,8 @@
|
||||
resolver 109.74.192.20 109.74.193.20;
|
||||
{% else %}
|
||||
resolver 8.8.8.8 8.8.4.4;
|
||||
{% endif %}
|
||||
{% endif %} {# end: linode_id #}
|
||||
{% endif %} {# end: use_snakeoil_cert #}
|
||||
|
||||
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
|
||||
# when a restart is performed the previous key is lost, which resets all previous
|
||||
|
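Review bot: The guard `{% if use_snakeoil_cert != "yes" %}` in the first hunk (and its twin in front of `ssl_stapling on;`) is a plain string comparison, so an unquoted `use_snakeoil_cert: yes` in host_vars arrives as the YAML boolean True, compares unequal to "yes", and silently takes the real-cert branch; the dev host then fails at nginx start because `fullchain.pem`/`privkey.pem` under `{{ tls_key_dir }}` do not exist, which is the safe direction but a confusing one that only the commit message's advice to quote the value avoids. Normalizing once with `{% set use_snakeoil_cert = item.use_snakeoil_cert | default("no") | bool %}` and testing `{% if not use_snakeoil_cert %}` in both places accepts `yes`, `'yes'` and `true` uniformly while keeping the real-cert path as the default when the variable is unset. The comment `{# OSCP stapling only works with real certs #}` has a typo and should read `{# OCSP stapling only works with real certs #}`. The template continues outside the last hunk, so the remaining session-ticket lines were not reviewed here.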