Catching up Webserver config

2022-12-18 22:21:39 -06:00 · 2022-12-18 22:21:39 -06:00 · 890e20c64c
parent 72a62b63eb
commit 890e20c64c
10 changed files with 81 additions and 46 deletions
--- a/roles/WebServer/files/conf.d/Core/aaa_default.conf
+++ b/roles/WebServer/files/conf.d/Core/aaa_default.conf
@ -1,21 +1,12 @@
 server {
    listen      443 ssl http2;
    server_name default_server;
-    include sec.conf;
-    include letsencrypt.conf;
-    include default.csp.conf;
-    rewrite ^/(.*)$ https://aninix.net/$1 permanent;
-
-}
-
-server {
-    listen      443 ssl http2;
-    server_name aninix.net;

    include sec.conf;
-    include letsencrypt.conf;
    include default.csp.conf;

+    include letsencrypt.conf;
+
    location / {

      rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
@ -54,3 +45,16 @@ server {
    }

 }
+
+server {
+    listen      443 ssl http2;
+    server_name foundation.aninix.net;
+    include sec.conf;
+    include letsencrypt.conf;
+    include default.csp.conf;
+
+    location / {
+        rewrite ^/(.*)$ https://aninix.net/$1 permanent;
+    }
+
+}
--- a/roles/WebServer/files/conf.d/Core/cyberbrain.conf
+++ b/roles/WebServer/files/conf.d/Core/cyberbrain.conf
@ -4,7 +4,6 @@ server {

    include sec.conf;
    include default.csp.conf;
-    include letsencrypt.conf;

    location /
    {
@ -19,4 +18,7 @@ server {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Real-PORT $remote_port;
    }
+
+    include letsencrypt.conf;
+
 }
--- a/roles/WebServer/files/conf.d/Core/geth.conf
+++ b/roles/WebServer/files/conf.d/Core/geth.conf
@ -15,15 +15,15 @@ server {

    location /
    {
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Forwarded-Host $host;
-      proxy_set_header X-Forwarded-Server $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_pass       http://geth.msn0.aninix.net:8123;
-      proxy_redirect http:// https://;
-      proxy_http_version 1.1;
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection $connection_upgrade;
-      proxy_read_timeout 86400;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass       http://geth.msn0.aninix.net:8123;
+        proxy_redirect http:// https://;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_read_timeout 86400;
    }
 }
--- a/roles/WebServer/files/conf.d/Core/lykos-wiki.conf
+++ b/roles/WebServer/files/conf.d/Core/lykos-wiki.conf
@ -2,7 +2,7 @@ server {
    listen      443 ssl;
    server_name lykos.aninix.net;

-    include letsencrypt.conf;
+    # include local.conf;

    root /usr/share/webapps/;

@ -34,4 +34,6 @@ server {
        deny all;
    }

+    include letsencrypt.conf;
+
 }
--- a/roles/WebServer/files/conf.d/Core/password.conf
+++ b/roles/WebServer/files/conf.d/Core/password.conf
@ -6,28 +6,30 @@ server {
    include default.csp.conf;
    include letsencrypt.conf;

-    root /usr/share/webapps/self-service-password/htdocs/;
+    location / {
+        root /usr/share/webapps/self-service-password/htdocs/;

-    # https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
-    index index.php index.html index.htm;
+        # https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
+        index index.php index.html index.htm;

-    # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
-    sendfile off;
+        # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
+        sendfile off;

-    gzip on;
-    gzip_comp_level 6;
-    gzip_min_length 1000;
-    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
-    gzip_vary on;
-    gzip_proxied any;
-    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+        gzip on;
+        gzip_comp_level 6;
+        gzip_min_length 1000;
+        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_disable "MSIE [1-6]\.(?!.*SV1)";

-    # Add stdout logging
+        # Add stdout logging

-    #error_log /dev/stdout warn;
-    #access_log /dev/stdout info;
+        #error_log /dev/stdout warn;
+        #access_log /dev/stdout info;

-    include ../conf.d/fastcgi.config;
+        include ../conf.d/fastcgi.config;
+    }

    # deny access to . files, for security
    #
--- a/roles/WebServer/files/conf.d/Core/travelpawscvt.com.conf
+++ b/roles/WebServer/files/conf.d/Core/travelpawscvt.com.conf
@ -0,0 +1,14 @@
+server {
+    listen      443 ssl;
+    server_name travelpawscvt.com;
+
+    #include local.conf;
+    include letsencrypt.conf;
+    include ../conf.d/fastcgi.config;
+
+    root /opt/travelpawscvt;
+
+    client_max_body_size 5m;
+    client_body_timeout 60;
+
+}
--- a/roles/WebServer/files/conf.d/Core/wolfpack.conf
+++ b/roles/WebServer/files/conf.d/Core/wolfpack.conf
@ -4,7 +4,6 @@ server {

    include sec.conf;
    include default.csp.conf;
-    include letsencrypt.conf;

    location /
    {
@ -12,4 +11,6 @@ server {
        autoindex on;
        autoindex_format html;
    }
+
+    include letsencrypt.conf;
 }
--- a/roles/WebServer/files/conf/letsencrypt.conf
+++ b/roles/WebServer/files/conf/letsencrypt.conf
@ -1,5 +1,4 @@
-location ~ ^/.well-known/acme-challenge
-{
+location /.well-known/acme-challenge {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
--- a/roles/WebServer/tasks/main.yml
+++ b/roles/WebServer/tasks/main.yml
@ -53,6 +53,17 @@
     mode: 0660
   register: conf

+ - name: Populate security config
+   become: yes
+   template:
+     src: sec.conf.j2
+     dest: /opt/openresty/nginx/conf/sec.conf
+     owner: http
+     group: http
+     mode: 0660
+  register: secconf
+
+
 - name: Ensure default openresty service file is off.
   become: yes
   service:
@ -62,7 +73,7 @@

 - name: Ensure service is started
   become: yes
-   when: conf.changed or confd.changed
+   when: conf.changed or confd.changed or secconf.changed
   service:
     name: "{{ item }}"
     enabled: yes
--- a/roles/WebServer/templates/conf/sec.conf.j2
+++ b/roles/WebServer/templates/conf/sec.conf.j2
@ -1,12 +1,12 @@
 ssl_dhparam          /etc/ssl/certs/dhparam.pem;
-ssl_certificate      /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
-ssl_certificate_key  /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
+ssl_certificate      /etc/letsencrypt/live/{{ ssl.identity }}/fullchain.pem;
+ssl_certificate_key  /etc/letsencrypt/live/{{ ssl.identity }}/privkey.pem;

 ssl_session_cache    shared:SSL:1m;
 ssl_session_timeout  5m;

 ssl_protocols        TLSv1.2 TLSv1.3;
-ssl_ciphers          "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ciphers          "{{ ssl.ciphersuite }}";
 ssl_prefer_server_ciphers  on;

 add_header           "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";