self-signed zertifikate für interne infra-instanz benutzen

5ae135ec · void · 4c572e27 · 5ae135ec · 5ae135ec · 5ae135ec
Commit 5ae135ec authored 8 years ago by void
--- a/warpsrvint/nginx/tasks/main.yml
+++ b/warpsrvint/nginx/tasks/main.yml
@@ -7,6 +7,7 @@
  with_items:
    - nginx
    - git
+    - openssl

 - name: nginx default Konfig entfernen 
  file: 
@@ -14,12 +15,22 @@
    state: absent


+# nginx konfigurieren
+
+- name: create script to create self-signed certificates 
+  template: src=create_certs.sh dest=/etc/ssl/create_certs.sh mode=o+x
+  notify: restart nginx
+
+- name: create self-signed SSL certs
+  command: /etc/ssl/create_certs.sh
+  notify: restart nginx
+

 # nginx konfigurieren

 - name: Konfig-Datei default erstellen
-  template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone
-  with_items: webserver_domains
+  template: src=nginx-site dest=/etc/nginx/sites-enabled/{{item}}.wapzone
+  with_items: "{{ webserver_domains }}"
  notify: restart nginx



--- a/warpsrvint/nginx/templates/create_certs.sh
+++ b/warpsrvint/nginx/templates/create_certs.sh
+#!/bin/sh
+{% for domain in webserver_domains %}
+if [ ! -f /etc/ssl/server.{{ domain }}.key ]; then
+    openssl req -new -nodes -x509 -subj "/C=DE/ST=NRW/L=Muenster/O=Warpzone/CN={{ domain }}.warpzone" -days 3650 -keyout /etc/ssl/server.{{ domain }}.key -out /etc/ssl/server.{{ domain }}.crt -extensions v3_ca 
+fi
+{% endfor %}
--- a/warpsrvint/nginx/templates/nginx-site
+++ b/warpsrvint/nginx/templates/nginx-site
@@ -9,18 +9,17 @@ server {
 	listen 80;
 	listen [::]:80;

-
-#	listen 443 ssl spdy;
-#    	listen [::]:443 ssl spdy;
-
-#	ssl_certificate /etc/ssl/fullchain.pem;
-#	ssl_certificate_key /etc/ssl/key.pem;
-#	ssl_session_cache shared:SSL:5m;
-#	ssl_session_timeout 5m;
-#	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-#	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-#	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
-#	ssl_prefer_server_ciphers on;    
+	listen 443 ssl spdy;
+    	listen [::]:443 ssl spdy;
+
+	ssl_certificate /etc/ssl/server.{{ item }}.crt;
+	ssl_certificate_key /etc/ssl/server.{{ item }}.key;
+	ssl_session_cache shared:SSL:5m;
+	ssl_session_timeout 5m;
+	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
+	ssl_prefer_server_ciphers on;    


 	server_name {{ item }}.warpzone.ms;