From 0a16ac0b0c14b5a85b1d165a85881754227a27d8 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 13:03:29 +0200
Subject: [PATCH] Minor fixes on reverse proxy

---
 network.yml                                            |  3 +--
 roles/certbot/tasks/main.yml                           |  5 +++++
 roles/nginx-reverseproxy/tasks/main.yml                | 10 +++++++++-
 roles/nginx-reverseproxy/templates/nginx/redirect.j2   |  2 ++
 .../nginx-reverseproxy/templates/nginx/reverseproxy.j2 |  2 +-
 .../templates/nginx/reverseproxy_redirect_dname.j2     |  2 ++
 6 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/network.yml b/network.yml
index fdc49662..2bde72ff 100755
--- a/network.yml
+++ b/network.yml
@@ -50,7 +50,7 @@
     - bind-authoritative
 
 # Deploy reverse proxy
-- hosts: bakdaur.adm.crans.org
+- hosts: bakdaur.adm.crans.org,sputnik.adm.crans.org
   vars:
     certbot:
       dns_rfc2136_name: certbot_challenge.
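Review bot: Adding sputnik.adm.crans.org to this play puts a second host in possession of the RFC 2136 key referenced just below (`dns_rfc2136_name: certbot_challenge.`), so each proxy can now send dynamic updates to the authoritative zone, and the hunk does not show how far that key's update-policy reaches. If the key is not restricted, a compromise of either proxy rewrites DNS for the whole zone; confirm on the BIND side that the grant is limited to TXT records for the challenge names (something like `grant certbot_challenge. subdomain crans.org. TXT;`) and consider one key per host so a single box can be revoked without rotating the other. Each host will also obtain its own certificates for the same names, which is fine for two hosts but counts against Let's Encrypt's duplicate-certificate limit if more are added. The play's `vars` continue past the end of this hunk.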
@@ -93,7 +93,6 @@
         - {from: www.crans.org, to: 10.231.136.46}
         - {from: doc.crans.org, to: 10.231.136.46}
         - {from: limesurvey.crans.org, to: 10.231.136.253}
-        - {from: lutim.crans.org, to: 10.231.136.69}
         - {from: perso.crans.org, to: 10.231.136.1}
         - {from: webnews.crans.org, to: 10.231.136.63}
         - {from: re2o.crans.org, to: 10.231.136.9}
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index b32845cc..2e9c8b26 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -22,6 +22,11 @@
     mode: 0600
     owner: root
 
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
 - name: Add Certbot configuration
   template:
     src: "letsencrypt/conf.d/certname.ini.j2"
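Review bot: The new `Create /etc/letsencrypt/conf.d` task declares no `owner`, `group` or `mode`, so the directory's permissions are whatever the umask of the Ansible connection yields rather than something the role controls, which is inconsistent with the credentials file task above it that pins `mode: 0600` and `owner: root`. Add `owner: root`, `group: root` and `mode: "0755"` to the `file` task (quoted, so YAML does not read the leading-zero value as an octal integer). The `Add Certbot configuration` task that follows is cut off at the end of this hunk, so whether the templated `certname.ini` gets an explicit mode cannot be seen here.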
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index 3c95a8f7..1fee6a3c 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -2,11 +2,19 @@
 - name: Install NGINX
   apt:
     update_cache: true
-    name: nginx
+    name:
+      - nginx
+      - python3-certbot-nginx  # for options-ssl-nginx.conf
   register: apt_result
   retries: 3
   until: apt_result is succeeded
 
+- name: Copy certbot SSL snippet
+  copy:
+    remote_src: true
+    src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf
+    dest: /etc/letsencrypt/options-ssl-nginx.conf
+
 - name: Copy reverse proxy sites
   template:
     src: "nginx/{{ item }}.j2"
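Review bot: The new `Copy certbot SSL snippet` task has no `notify`, so when an updated python3-certbot-nginx ships new `ssl_protocols`/`ssl_ciphers` in options-ssl-nginx.conf the file on disk changes on the next run but the running nginx keeps the old TLS parameters until something else reloads it; no reload handler is visible in this hunk, so hook the role's existing one if there is one (`notify: Reload nginx`) or add one. The copy should also pin `owner: root`, `group: root`, `mode: "0644"` rather than inheriting from the source package file. Installing the whole nginx authenticator plugin only to harvest one snippet leaves an unused certbot installer on a host that issues via DNS; shipping the snippet as a `files/` entry in this role would drop that dependency and make TLS parameter changes reviewable in git instead of tied to the distro package version.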
diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
index fb177b9a..4d60807e 100644
--- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
@@ -43,6 +43,7 @@ server {
 {% for dname in nginx.redirect_dnames %}
 {% for site in nginx.redirect_sites %}
 {% set from = site.from | regex_replace('crans.org', dname) %}
+{% if from != site.from %}
 # Redirect http://{{ from }} to http://{{ site.to }}
 server {
     listen 80;
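Review bot: The new `{% if from != site.from %}` guard depends on the substitution two lines above it, where `regex_replace('crans.org', dname)` uses `.` as an unescaped regex metacharacter and an unanchored pattern, so a hostname containing `crans-org` or `crans.org` as an interior label would also be rewritten, pass the guard, and receive a `server_name` it should not. A literal `replace('crans.org', dname)` or an anchored `regex_replace('\\.crans\\.org$', '.' ~ dname)` states the intent precisely; with today's `redirect_sites` list this is a hygiene point rather than an observed failure. The guard itself correctly suppresses the duplicate `server` block when `dname` is `crans.org`. The server block continues past the end of this hunk.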
@@ -79,5 +80,6 @@ server {
     }
 }
 
+{% endif %}
 {% endfor %}
 {% endfor %}
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
index eab44a49..31c34462 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
@@ -4,7 +4,7 @@
 # Redirect http://{{ site.from }} to https://{{ site.from }}
 server {
     listen 80;
-    listen [::]:80
+    listen [::]:80;
 
     server_name {{ site.from }};
 
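Review bot: The restored `;` on `listen [::]:80;` fixes a directive that made the generated site file a hard nginx syntax error, and nothing in this role as visible here would have caught it before a reload took the proxy down. Add a validation step before the reload handler, e.g. `- name: Check nginx configuration` / `command: nginx -t` / `changed_when: false`, so a template typo fails the play instead of the service (a per-site template cannot use the module's `validate:` option because it is not a standalone config). The `server` block continues past the end of this hunk.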
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
index 1affe511..8fc57808 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
@@ -4,6 +4,7 @@
 {% for site in nginx.reverseproxy_sites %}
 {% set from = site.from | regex_replace('crans.org', dname) %}
 {% set to = site.from %}
+{% if from != site.from %}
 # Redirect http://{{ from }} to http://{{ to }}
 server {
     listen 80;
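Review bot: The comment heading the guarded block says the redirect targets `http://{{ to }}`, and `reverseproxy.j2` then redirects `http://{{ site.from }}` to `https://{{ site.from }}`, so a client on an alternate domain name makes two cleartext hops before reaching TLS. If the `return` inside this block (outside the hunk) really emits an `http://` URL, point it at `https://{{ to }}` directly and update the comment to match; this removes a redundant plaintext redirect and one more place where the host name is echoed over HTTP. The new `{% if from != site.from %}` guard is otherwise correct for dropping the duplicate block when `dname` equals `crans.org`.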
@@ -40,5 +41,6 @@ server {
     }
 }
 
+{% endif %}
 {% endfor %}
 {% endfor %}