ansible-personal/roles/nginx/templates/https.j2
Alan Orth b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
2016-06-27 19:07:48 +03:00

67 lines
2.8 KiB
Django/Jinja

{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{% set enable_hsts = item.enable_hsts | default("no") %}
{# assume a vhost is not using Let's Encrypt unless it explicitly sets it to "yes" #}
{% set use_letsencrypt = item.use_letsencrypt | default("no") %}
{% if use_letsencrypt == "yes" %}
# concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
{% elif item.tls_certificate_path and item.tls_key_path %}
# concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ item.tls_certificate_path }};
ssl_certificate_key {{ item.tls_key_path }};
{% else %}
# "snakeoil" certificate (self signed!)
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
{% endif %}
ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }};
ssl_buffer_size {{ nginx_ssl_buffer_size }};
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
{# OSCP stapling only works with real certs #}
{% if use_letsencrypt == "yes" or item.tls_certificate_path %}
# OCSP stapling...
ssl_stapling on;
ssl_stapling_verify on;
{% if linode_id is defined %}
# use Linode internal DNS
resolver 139.162.139.5 139.162.130.5 [2a01:7e01::5] [2a01:7e01::6];
{% else %}
resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8844] [2001:4860:4860::8888];
{% endif %} {# end: linode_id #}
{% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == "yes" %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
{% endif %}