Changeset - dfb91e411e40
[Not reviewed]
Branko Majic (branko) - 8 years ago 2016-01-20 23:25:27
branko@majic.rs
MAR-46: Introduced additional options to web server, PHP website, and WSGI website roles for controlling if HTTPS access is enforced (HTTP redirected to HTTPS) or not. Defaults to enforcing HTTPS now. Updated docs for the new parameters.
9 files changed with 69 insertions and 8 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -1027,6 +1027,10 @@ Depends on the following roles:
 
Parameters
 
~~~~~~~~~~
 

	
 
**default_enforce_https** (boolean, optional, ``True``)
 
  Specify if HTTPS should be enforced for the default virtual host or not. If
 
  enforced, clients connecting via plaintext will be redirected to HTTPS.
 

	
 
**default_https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_https.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  HTTPS service. The file will be copied to directory
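
Review bot: the new ``default_enforce_https`` entry documents only the enforced case; add a sentence on what ``False`` does, since from the matching ``nginx-default.j2`` change the same default server then answers plaintext requests on port 80 directly instead of redirecting. It is also worth stating that the redirect is permanent (``return 301``): browsers cache it, so flipping the option back to ``False`` later will not stop already-redirected clients until their cached redirect expires.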
 
@@ -1130,6 +1134,10 @@ Parameters
 
  compatible with regular expressions used by ``nginx`` for ``location ~``
 
  syntax.
 

	
 
**enforce_https** (boolean, optional, ``True``)
 
  Specify if HTTPS should be enforced for the website or not. If enforced,
 
  clients connecting via plaintext will be redirected to HTTPS.
 

	
 
**fqdn** (string, mandatory)
 
  Fully-qualified domain name where the website is reachable. This value is used
 
  for calculating the user/group name for dedicated website user, as well as
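
Review bot: same gap as for ``default_enforce_https``: say what ``enforce_https: False`` means for a PHP website (the site is served over plaintext on port 80 and over TLS on 443 from the same server block) and that the redirect is a permanent 301. A short note that enforcement only applies to requests whose Host matches ``fqdn``, while other host names fall through to the default server governed by ``default_enforce_https``, would also save a support question.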
 
@@ -1295,6 +1303,10 @@ Parameters
 
  user is capable of making modifications to website configuration anda data
 
  stored within the website directory.
 

	
 
**enforce_https** (boolean, optional, ``True``)
 
  Specify if HTTPS should be enforced for the website or not. If enforced,
 
  clients connecting via plaintext will be redirected to HTTPS.
 

	
 
**fqdn** (string, mandatory)
 
  Fully-qualified domain name where the website is reachable. This value is used
 
  for calculating the user/group name for dedicated website user, as well as
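
Review bot: this entry is word-for-word the PHP website one; whatever wording is settled on for ``enforce_https`` there (what ``False`` does, that the redirect is a permanent 301) should be mirrored here so the two roles stay documented consistently.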
docs/usage.rst
 
@@ -1136,9 +1136,10 @@ Nginx.
 
     workon mysite && ansible-playbook playbooks/site.yml
 

	
 
5. If no errors have been reported, at this point you should have a default web
 
   page available and visible at https://www.example.com/ and http://www.example.com/. Feel free to try it
 
   out with some browser. Keep in mind you will get a warning about the
 
   untrusted certificate!
 
   page available and visible at https://www.example.com/ . By default plaintext
 
   connections are disabled, and trying to visit http://www.example.com/ should
 
   simply redirect you to the HTTPS address. Feel free to try it out with some
 
   browser. Keep in mind you will get a warning about the untrusted certificate!
 

	
 

	
 
Adding the database server
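
Review bot: "By default plaintext connections are disabled" is not what the templates do: nginx still listens on port 80 and answers with a ``301`` to the HTTPS URL, so plaintext is redirected, not disabled. Suggest "By default plaintext connections are redirected to HTTPS, so visiting http://www.example.com/ should land you on the HTTPS address." Also drop the stray space before the full stop in "https://www.example.com/ .".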
 
@@ -1427,9 +1428,10 @@ Before we start, here is a couple of useful pointers regarding the
 

	
 
     workon mysite && ansible-playbook playbooks/site.yml
 

	
 
8. At this point *The Bug Genie* has been installed, and you should be able to open the URL
 
   https://tbg.example.com/ (or http://tbg.example.com/) and log-in into
 
   *The Bug Genie* with username ``administrator`` and password ``admin``.
 
8. At this point *The Bug Genie* has been installed, and you should be able to
 
   open the URL https://tbg.example.com/ (if you open http://tbg.example.com/ ,
 
   you will be redirected to the HTTPS URL) and log-in into *The Bug Genie*
 
   with username ``administrator`` and password ``admin``.
 

	
 

	
 
Deploying a WSGI application (Django Wiki)
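
Review bot: minor wording in the rewritten step 8: "log-in into" should be "log in to", and there is a stray space before the comma in "http://tbg.example.com/ ,". The parenthetical describing the redirect is otherwise accurate for the new template behaviour.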
 
@@ -1798,8 +1800,9 @@ on the safe side:
 
     workon mysite && ansible-playbook playbooks/site.yml
 

	
 
8. At this point Django Wiki has been installed, and you should be able to open
 
   the URL https://wiki.example.com/ (or http://wiki.example.com/) and log-in
 
   into *Django Wiki* with username ``admin`` and password ``admin``.
 
   the URL https://wiki.example.com/ (if you open http://wiki.example.com/ , you
 
   will be redirected to the HTTPS URL) and log-in into *Django Wiki* with
 
   username ``admin`` and password ``admin``.
 

	
 

	
 
Backups, backups, backups!
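
Review bot: same two nits as the Bug Genie step: "log-in into" should be "log in to", and "http://wiki.example.com/ ," has a stray space before the comma.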
roles/php_website/defaults/main.yml
 
---
 

	
 
deny_files_regex: []
 
enforce_https: True
 
index: index.php
 
packages: []
 
php_file_regex: \.php$
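
Review bot: defaulting ``enforce_https`` to ``True`` (here, and likewise ``default_enforce_https`` in web_server and ``enforce_https`` in wsgi_website) changes behaviour for every existing deployment on the next playbook run: port 80 stops serving the site and returns a 301 instead. That is the right default, but it is a breaking change and deserves a line in the release notes, with a pointer to set the option to ``False`` for sites that still need plaintext.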
roles/php_website/templates/nginx_site.j2
 
{% if enforce_https -%}
 
server {
 
    # HTTP (plaintext) configuration.
 
    listen 80;
 
    server_name {{ fqdn }};
 

	
 
    # Redirect plaintext connections to HTTPS
 
    return 301 https://$host$request_uri;
 
}
 

	
 
{% endif -%}
 
server {
 
    # Base settings.
 
    root {{ home }}/htdocs/;
 
    index {{ index }};
 
    server_name {{ fqdn }};
 
{% if not enforce_https %}
 

	
 
    # HTTP (plaintext) configuration.
 
    listen 80;
 

	
 
{% endif %}
 
    # HTTPS (TLS) configuration.
 
    listen 443 ssl;
 
    listen [::]:443 ssl;
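
Review bot: both plaintext ``listen`` directives in this template bind IPv4 only (``listen 80;``), while the TLS block binds ``443`` and ``[::]:443``. An IPv6 client requesting the http:// URL therefore gets a refused connection rather than the redirect; add ``listen [::]:80;`` next to each ``listen 80;`` (the ``nginx-default.j2`` change in this same changeset does this correctly). Separately, ``return 301 https://$host$request_uri;`` echoes the request's Host header; since this vhost is bound to ``server_name {{ fqdn }}``, ``return 301 https://{{ fqdn }}$request_uri;`` is tighter and never redirects to a name the client supplied.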
roles/web_server/defaults/main.yml
 
---
 

	
 
default_enforce_https: True
 
default_https_tls_key: "{{ tls_private_key_dir }}/{{ ansible_fqdn }}_https.key"
 
default_https_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_https.pem"
 
web_default_title: "Welcome"
roles/web_server/templates/nginx-default.j2
 
#
 
# Default server (vhost) configuration.
 
#
 
{% if default_enforce_https -%}
 
server {
 
    # HTTP (plaintext) configuration.
 
    listen 80 default_server;
 
    listen [::]:80 default_server;
 

	
 
    # Set server_name to something that won't be matched (for default server).
 
    server_name _;
 

	
 
    # Redirect plaintext connections to HTTPS
 
    return 301 https://$host$request_uri;
 
}
 

	
 
{% endif -%}
 
server {
 
{% if not default_enforce_https %}
 
    # HTTP (plaintext) configuration.
 
    listen 80 default_server;
 
    listen [::]:80 default_server;
 

	
 
{% endif %}
 
    # HTTPS (TLS) configuration.
 
    listen 443 ssl default_server;
 
    listen [::]:443 ssl default_server;
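
Review bot: in the redirect block the catch-all vhost (``server_name _;``) returns ``301 https://$host$request_uri``, and ``$host`` here is whatever Host header the client sent, because by definition no ``server_name`` matched. That turns the default server into a scheme-upgrading redirector for arbitrary host names. Prefer redirecting to the host the default TLS files are named after (the defaults use ``{{ ansible_fqdn }}_https.key`` / ``.pem``), e.g. ``return 301 https://{{ ansible_fqdn }}$request_uri;``, or answer unknown hosts with ``return 444;`` and keep the redirect only for the real name. The IPv4/IPv6 ``listen`` pairs in this template are consistent, unlike the two site templates.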
roles/wsgi_website/defaults/main.yml
 
---
 

	
 
enforce_https: True
 
packages: []
 
rewrites: []
 
static_locations: []
roles/wsgi_website/templates/nginx_site.j2
 
{% if enforce_https -%}
 
server {
 
    # HTTP (plaintext) configuration.
 
    listen 80;
 
    server_name {{ fqdn }};
 

	
 
    # Redirect plaintext connections to HTTPS
 
    return 301 https://$host$request_uri;
 
}
 

	
 
{% endif -%}
 
server {
 
    # Base settings.
 
    root {{ home }}/htdocs/;
 
    server_name {{ fqdn }};
 
{% if not enforce_https %}
 

	
 
    # HTTP (plaintext) configuration.
 
    listen 80;
 

	
 
{% endif %}
 
    # HTTPS (TLS) configuration.
 
    listen 443 ssl;
 
    listen [::]:443 ssl;
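
Review bot: same two issues as the php_website template: the plaintext ``listen 80;`` lines (in the redirect block and in the ``{% if not enforce_https %}`` branch) have no ``listen [::]:80;`` counterpart although TLS listens on ``[::]:443``, so IPv6 plaintext requests are refused instead of redirected; and the redirect target should be ``https://{{ fqdn }}$request_uri`` rather than ``$host``. Since the redirect block is now copied verbatim into two role templates, a shared include would keep any fix in one place.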
testsite/playbooks/roles/phpinfo/meta/main.yml
 
@@ -7,6 +7,7 @@ dependencies:
 
    php_rewrite_urls:
 
      - ^(.*) /index.php
 
    uid: 2000
 
    enforce_https: False
 
    https_tls_key: "{{ inventory_dir }}/tls/phpinfo.{{ testsite_domain }}_https.key"
 
    https_tls_certificate: "{{ inventory_dir }}/tls/phpinfo.{{ testsite_domain }}_https.pem"
 
  - role: database
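
Review bot: setting ``enforce_https: False`` on the phpinfo test site exercises the new non-enforced branch, which is useful, but make sure at least one test site is left on the default so the redirect block is also rendered and smoke-tested. A quick check is ``curl -sI http://phpinfo.<testsite_domain>/`` expecting a ``200`` here, versus a ``301`` with a ``Location: https://...`` header on a site that keeps the default.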