[nginx] Multiple certficates are compatible with reverse-proxy
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
certbot_on_virtu
parent
72238d79ed
commit
de58138a22
|
@ -1,16 +1,21 @@
|
||||||
certbot:
|
loc_certbot:
|
||||||
|
- dns_rfc2136_server: '172.16.10.147'
|
||||||
dns_rfc2136_name: certbot_challenge.
|
dns_rfc2136_name: certbot_challenge.
|
||||||
dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
|
dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
|
||||||
mail: root@crans.org
|
mail: root@crans.org
|
||||||
certname: crans.org
|
certname: crans.org
|
||||||
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
|
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
|
||||||
|
|
||||||
nginx:
|
loc_nginx:
|
||||||
|
servers: []
|
||||||
ssl:
|
ssl:
|
||||||
|
- name: crans.org
|
||||||
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
|
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
|
||||||
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
|
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
|
||||||
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
|
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
|
||||||
|
|
||||||
|
|
||||||
|
glob_reverseproxy:
|
||||||
redirect_dnames:
|
redirect_dnames:
|
||||||
- crans.eu
|
- crans.eu
|
||||||
- crans.fr
|
- crans.fr
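Review bot: The new `ssl` list names the certificate `crans.org`, but nothing in this `loc_nginx` sets `default_ssl_domain`, which the site templates fall back to via `site.ssl|default(nginx.default_ssl_domain)`. Unless `glob_nginx` defines it elsewhere, every redirect or proxied site without an explicit `ssl:` key renders an undefined value into its `include` path and the template task fails. Add `default_ssl_domain: crans.org` next to `servers: []`, or make the templates fall back to `nginx.ssl[0].name`. The snippet path is built as `options-ssl.<name>.conf`, so one snippet has to exist for every entry of this list; the task that generates them is not visible in this commit.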
|
||||||
|
|
|
@ -3,7 +3,8 @@
|
||||||
- hosts: reverseproxy
|
- hosts: reverseproxy
|
||||||
vars:
|
vars:
|
||||||
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
||||||
mirror: '{{ glob_mirror.name }}'
|
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
|
||||||
|
reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
|
||||||
roles:
|
roles:
|
||||||
- certbot
|
- certbot
|
||||||
- nginx
|
- nginx
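Review bot: `combine` without `recursive=True` merges only the top level, so a host-specific `loc_nginx` that sets `ssl:` replaces the whole `glob_nginx.ssl` list instead of adding a certificate to it; the same applies to `reverseproxy` on the line below. If hosts are meant to extend a shared list, say so next to the variable, e.g. `# loc_* overrides glob_* key by key; lists are replaced, not merged`. The `default({})` on `reverseproxy` also means the variable is always defined in this play, which matters for the `when: reverseproxy is defined` guards in the nginx role tasks.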
|
||||||
|
|
|
@ -38,7 +38,7 @@
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: Copy reverse proxy sites
|
- name: Copy reverse proxy sites
|
||||||
when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
|
when: reverseproxy is defined
|
||||||
template:
|
template:
|
||||||
src: "nginx/sites-available/{{ item }}.j2"
|
src: "nginx/sites-available/{{ item }}.j2"
|
||||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||||
|
@ -52,7 +52,7 @@
|
||||||
notify: Reload nginx
|
notify: Reload nginx
|
||||||
|
|
||||||
- name: Activate reverse proxy sites
|
- name: Activate reverse proxy sites
|
||||||
when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
|
when: reverseproxy is defined
|
||||||
file:
|
file:
|
||||||
src: "/etc/nginx/sites-available/{{ item }}"
|
src: "/etc/nginx/sites-available/{{ item }}"
|
||||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{{ ansible_header | comment }}
|
{{ ansible_header | comment }}
|
||||||
|
|
||||||
{% for site in nginx.redirect_sites %}
|
{% for site in reverseproxy.redirect_sites %}
|
||||||
# Redirect http://{{ site.from }} to http://{{ site.to }}
|
# Redirect http://{{ site.from }} to http://{{ site.to }}
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
|
@ -21,7 +21,7 @@ server {
|
||||||
server_name {{ site.from }};
|
server_name {{ site.from }};
|
||||||
|
|
||||||
# SSL common conf
|
# SSL common conf
|
||||||
include "/etc/nginx/snippets/options-ssl.conf";
|
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 https://{{ site.to }}$request_uri;
|
return 302 https://{{ site.to }}$request_uri;
|
||||||
|
@ -31,8 +31,8 @@ server {
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{# Also redirect for DNAMEs #}
|
{# Also redirect for DNAMEs #}
|
||||||
{% for dname in nginx.redirect_dnames %}
|
{% for dname in reverseproxy.redirect_dnames %}
|
||||||
{% for site in nginx.redirect_sites %}
|
{% for site in reverseproxy.redirect_sites %}
|
||||||
{% set from = site.from | regex_replace('crans.org', dname) %}
|
{% set from = site.from | regex_replace('crans.org', dname) %}
|
||||||
{% if from != site.from %}
|
{% if from != site.from %}
|
||||||
# Redirect http://{{ from }} to http://{{ site.to }}
|
# Redirect http://{{ from }} to http://{{ site.to }}
|
||||||
|
@ -55,7 +55,7 @@ server {
|
||||||
server_name {{ from }};
|
server_name {{ from }};
|
||||||
|
|
||||||
# SSL common conf
|
# SSL common conf
|
||||||
include "/etc/nginx/snippets/options-ssl.conf";
|
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 https://{{ site.to }}$request_uri;
|
return 302 https://{{ site.to }}$request_uri;
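Review bot: In the DNAME loop the certificate snippet is still picked from `site.ssl`, the certificate chosen for `site.from`, while `server_name {{ from }}` is the dname-substituted host. With the single multi-domain certificate in the current host vars this is harmless, but once sites carry different `ssl:` names — the point of this commit — the redirect vhost for a `crans.fr`/`crans.eu` name may present a certificate that does not cover it, and clients reject the connection before the redirect is sent. Either document the constraint in the template, e.g. `{# site.ssl must also cover the dname variants of site.from #}`, or add a per-dname override of the certificate name. The same pattern appears in the reverseproxy DNAME template (`@ -25,7 +25,7 @@` hunk).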
|
||||||
|
|
|
@ -7,7 +7,7 @@ map $http_upgrade $connection_upgrade {
|
||||||
'' close;
|
'' close;
|
||||||
}
|
}
|
||||||
|
|
||||||
{% for site in nginx.reverseproxy_sites %}
|
{% for site in reverseproxy.reverseproxy_sites %}
|
||||||
# Redirect http://{{ site.from }} to https://{{ site.from }}
|
# Redirect http://{{ site.from }} to https://{{ site.from }}
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
|
@ -28,7 +28,7 @@ server {
|
||||||
server_name {{ site.from }};
|
server_name {{ site.from }};
|
||||||
|
|
||||||
# SSL common conf
|
# SSL common conf
|
||||||
include "/etc/nginx/snippets/options-ssl.conf";
|
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||||
|
|
||||||
# Log into separate log files
|
# Log into separate log files
|
||||||
access_log /var/log/nginx/{{ site.from }}.log;
|
access_log /var/log/nginx/{{ site.from }}.log;
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{{ ansible_header | comment }}
|
{{ ansible_header | comment }}
|
||||||
|
|
||||||
{% for dname in nginx.redirect_dnames %}
|
{% for dname in reverseproxy.redirect_dnames %}
|
||||||
{% for site in nginx.reverseproxy_sites %}
|
{% for site in reverseproxy.reverseproxy_sites %}
|
||||||
{% set from = site.from | regex_replace('crans.org', dname) %}
|
{% set from = site.from | regex_replace('crans.org', dname) %}
|
||||||
{% set to = site.from %}
|
{% set to = site.from %}
|
||||||
{% if from != site.from %}
|
{% if from != site.from %}
|
||||||
|
@ -25,7 +25,7 @@ server {
|
||||||
server_name {{ from }};
|
server_name {{ from }};
|
||||||
|
|
||||||
# SSL common conf
|
# SSL common conf
|
||||||
include "/etc/nginx/snippets/options-ssl.conf";
|
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 https://{{ to }}$request_uri;
|
return 302 https://{{ to }}$request_uri;
|
||||||
|
|