Compare commits
5 Commits
Author | SHA1 | Date |
---|---|---|
muppeth | fb2dde1d7d | |
muppeth | 41b95fb710 | |
meaz | bc560888db | |
meaz | b82921e642 | |
meaz | 8b9468191a |
61
README.MD
61
README.MD
|
@ -38,11 +38,58 @@ nginx_vhosts:
|
|||
- 'fastcgi_pass unix:{{ pool_listen }};'
|
||||
state: 'enable'
|
||||
letsencrypt: 'false'
|
||||
```
|
||||
|
||||
# Selfsigned cert example:
|
||||
- name: 'privatebin.example.com'
|
||||
template: 'privatebin'
|
||||
proto: 'https'
|
||||
listen: '443'
|
||||
root: 'privatebin'
|
||||
index: 'index.php'
|
||||
ssl_name: 'bin.example.com'
|
||||
selfsigned: 'true'
|
||||
use_access_log: 'false'
|
||||
use_error_log: 'true'
|
||||
nginx_error_log_level: 'warn'
|
||||
upstream_params:
|
||||
- 'fastcgi_pass unix:{{ pool_listen }};'
|
||||
- 'fastcgi_index index.php;'
|
||||
- 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
|
||||
header_xframe: 'none'
|
||||
header_cto: 'none'
|
||||
file_cache:
|
||||
- cache: 'max=1000 inactive=20s'
|
||||
valid: '30s'
|
||||
min_users: '2'
|
||||
cache_errors: 'on'
|
||||
state: 'enable'
|
||||
letsencrypt: 'false'
|
||||
|
||||
## Changelog
|
||||
- **04.03.2021** - Modyfied header info for proxy (locations), and core templates
|
||||
- **26.01.2021** - Rewritten templates structure
|
||||
- **02.12.2020** - conversejs template
|
||||
- **14.12.2019** - Start changelog
|
||||
- **14.12.2019** - Updated hubzilla,privatebin, framadate template
|
||||
# Selfsigned wildcard cert example:
|
||||
- name: 'privatebin.example.com'
|
||||
template: 'privatebin'
|
||||
proto: 'https'
|
||||
listen: '443'
|
||||
root: 'privatebin'
|
||||
index: 'index.php'
|
||||
wildcard: 'true' #enable wildcard
|
||||
ssl_name: 'wildcard.example.com' #specify direcotry name for wildcard cert
|
||||
domain_name: 'example.com' #domain name to create the cert for: *.example.com
|
||||
selfsigned: 'true'
|
||||
use_access_log: 'false'
|
||||
use_error_log: 'true'
|
||||
nginx_error_log_level: 'warn'
|
||||
upstream_params:
|
||||
- 'fastcgi_pass unix:{{ pool_listen }};'
|
||||
- 'fastcgi_index index.php;'
|
||||
- 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
|
||||
header_xframe: 'none'
|
||||
header_cto: 'none'
|
||||
file_cache:
|
||||
- cache: 'max=1000 inactive=20s'
|
||||
valid: '30s'
|
||||
min_users: '2'
|
||||
cache_errors: 'on'
|
||||
state: 'enable'
|
||||
letsencrypt: 'false'
|
||||
```
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
state: directory
|
||||
mode: 0755
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.selfsigned == 'true'
|
||||
when: item.selfsigned is defined and item.selfsigned == 'true'
|
||||
notify: reload nginx
|
||||
|
||||
- name: '[SELFSIGNED] - Create a self-signed key'
|
||||
|
@ -85,15 +85,25 @@
|
|||
size: 2048
|
||||
type: RSA
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
|
||||
notify: reload nginx
|
||||
|
||||
- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR)'
|
||||
openssl_csr:
|
||||
path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
|
||||
path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
|
||||
privatekey_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and (item.wildcard is not defined or item.wildcard != 'true')
|
||||
notify: reload nginx
|
||||
|
||||
- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR) for wildcard'
|
||||
openssl_csr:
|
||||
path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
|
||||
privatekey_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
|
||||
common_name: "*.{{ item.domain_name }}"
|
||||
subject_alt_name: "DNS:*.{{ item.domain_name }}"
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
|
||||
notify: reload nginx
|
||||
|
||||
- name: '[SELFSIGNED] - Create a self-signed certificate'
|
||||
|
@ -105,3 +115,4 @@
|
|||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
|
||||
notify: reload nginx
|
||||
|
||||
|
|
|
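Review bot: The wildcard CSR task's `subject_alt_name: "DNS:*.{{ item.domain_name }}"` covers subdomains only — under the usual wildcard matching rules a `*.example.com` entry does not match the apex `example.com`, so a vhost named after the bare domain that points at this `ssl_name` would be served a certificate that fails validation for it. If the apex is meant to be covered, give the module a list instead of one string: `subject_alt_name:` / `  - "DNS:*.{{ item.domain_name }}"` / `  - "DNS:{{ item.domain_name }}"` (`openssl_csr` takes `subject_alt_name` as a list). Note also that the non-wildcard sibling task, whose `when` this commit extends, still sets neither `common_name` nor `subject_alt_name`, so the two code paths produce certificates of different shape; whether that is intended cannot be told from this page. The task lists that follow the `Create a self-signed certificate` task continue outside the hunk.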
@ -3,44 +3,19 @@
|
|||
slurp:
|
||||
src: "/var/lib/tor/{{ item.name }}/hostname"
|
||||
register: "onion_address"
|
||||
when:
|
||||
- item.onion is defined
|
||||
- item.onion == 'true'
|
||||
when: item.onion is defined and item.onion == 'true'
|
||||
|
||||
- name: "[NGINX] - Set fact"
|
||||
set_fact:
|
||||
enable_tor: 'false'
|
||||
|
||||
- name: "[NGINX] - Check if the certificate for the vhost exists"
|
||||
stat:
|
||||
path: '{{ nginx_ssl_dir }}/{{ item.name }}/privkey.pem'
|
||||
register: cert_exists
|
||||
when:
|
||||
- item.ssl_name is defined
|
||||
|
||||
- name: "[NGINX] - Create HTTPS vhosts"
|
||||
- name: "[NGINX] - Create vhosts"
|
||||
template:
|
||||
src: etc/nginx/sites-available/{{ item.template }}.j2
|
||||
dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
|
||||
notify:
|
||||
- reload nginx
|
||||
when:
|
||||
- item.ssl_name is defined
|
||||
- cert_exists is defined
|
||||
- cert_exists.stat.exists
|
||||
- item.state is defined
|
||||
- item.state != 'delete'
|
||||
|
||||
- name: "[NGINX] - Create HTTP vhosts"
|
||||
template:
|
||||
src: etc/nginx/sites-available/{{ item.template }}.j2
|
||||
dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
|
||||
notify:
|
||||
- reload nginx
|
||||
when:
|
||||
- item.ssl_name is not defined
|
||||
- item.state is defined
|
||||
- item.state != 'delete'
|
||||
when: item.state is defined and item.state != 'delete'
|
||||
|
||||
- name: "[NGINX] - Delete vhosts"
|
||||
file:
|
||||
|
@ -48,35 +23,16 @@
|
|||
state: absent
|
||||
notify:
|
||||
- reload nginx
|
||||
when:
|
||||
- item.state is defined
|
||||
- item.state == 'delete'
|
||||
when: item.state is defined and item.state == 'delete'
|
||||
|
||||
- name: "[NGINX] - Enable HTTPS vhosts"
|
||||
- name: "[NGINX] - Enable vhosts"
|
||||
file:
|
||||
src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
|
||||
dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
|
||||
state: link
|
||||
notify:
|
||||
- reload nginx
|
||||
when:
|
||||
- item.ssl_name is defined
|
||||
- cert_exists is defined
|
||||
- cert_exists.stat.exists
|
||||
- item.state is defined
|
||||
- item.state == 'enable'
|
||||
|
||||
- name: "[NGINX] - Enable HTTP vhosts"
|
||||
file:
|
||||
src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
|
||||
dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
|
||||
state: link
|
||||
notify:
|
||||
- reload nginx
|
||||
when:
|
||||
- item.ssl_name is not defined
|
||||
- item.state is defined
|
||||
- item.state == 'enable'
|
||||
when: item.state is defined and item.state == 'enable'
|
||||
|
||||
- name: "[NGINX] - Disable vhosts"
|
||||
file:
|
||||
|
@ -84,10 +40,7 @@
|
|||
state: absent
|
||||
notify:
|
||||
- reload nginx
|
||||
when:
|
||||
- item.state is defined
|
||||
- item.state == 'disable'
|
||||
- item.state == 'delete'
|
||||
when: item.state is defined and (item.state == 'disable' or item.state == 'delete')
|
||||
|
||||
- name: "[NGINX] - Delete default vhost when explicitely defined"
|
||||
file:
|
||||
|
@ -97,30 +50,10 @@
|
|||
- reload nginx
|
||||
when: nginx_default_vhost is not none
|
||||
|
||||
- name: "[NGINX] - Create HTTPS maintenance vhosts"
|
||||
- name: "[NGINX] - Create maintenance vhosts"
|
||||
template:
|
||||
src: etc/nginx/sites-available/maintenance.j2
|
||||
dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
|
||||
notify:
|
||||
- reload nginx
|
||||
when:
|
||||
- item.ssl_name is defined
|
||||
- cert_exists is defined
|
||||
- cert_exists.stat.exists
|
||||
- item.state is defined
|
||||
- item.state != 'delete'
|
||||
- item.maintenance is defined
|
||||
- item.maintenance == 'true'
|
||||
|
||||
- name: "[NGINX] - Create HTTP maintenance vhosts"
|
||||
template:
|
||||
src: etc/nginx/sites-available/maintenance.j2
|
||||
dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
|
||||
notify:
|
||||
- reload nginx
|
||||
when:
|
||||
- item.ssl_name is not defined
|
||||
- item.state is defined
|
||||
- item.state != 'delete'
|
||||
- item.maintenance is defined
|
||||
- item.maintenance == 'true'
|
||||
when: (item.state is defined) and (item.state != 'delete') and (item.maintenance is defined) and (item.maintenance == 'true')
|
||||
|
|
|
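Review bot: "Create vhosts", "Enable vhosts" and "Create maintenance vhosts" now run for any item with the right `state`, regardless of whether the key and chain for `item.ssl_name` exist; the `cert_exists.stat.exists` guard that kept an HTTPS vhost from being written and linked before its certificate was in place is removed and nothing replaces it. The `core.j2` hunk on this page emits `ssl_certificate`/`ssl_certificate_key` unconditionally for `proto: 'https'`, so on a first run where the certificate has not yet been issued (I cannot see the task ordering from here) the generated site config fails `nginx -t`, the `reload nginx` handler fails for every vhost, and a later restart leaves the whole server down. Since this file references `item` without a loop of its own, it looks like it is included per vhost from a parent loop, in which case a single registered `stat` is enough to restore the guard; the conditions below would then be applied to the create, enable and maintenance tasks alike.
```yaml
- name: "[NGINX] - Check if the certificate for the vhost exists"
  stat:
    path: '{{ nginx_ssl_dir }}/{{ item.ssl_name }}/privkey.pem'
  register: cert_exists
  when: item.proto == 'https'

# … unchanged: "[NGINX] - Create vhosts" template/src/dest/notify …
  when: item.state is defined and item.state != 'delete' and (item.proto != 'https' or cert_exists.stat.exists)

# … unchanged: "[NGINX] - Enable vhosts" file/src/dest/state/notify …
  when: item.state is defined and item.state == 'enable' and (item.proto != 'https' or cert_exists.stat.exists)
```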
@ -20,10 +20,8 @@ server {
|
|||
{% endif %}
|
||||
{% if item.proto == 'https' %}
|
||||
listen {{ item.listen }} ssl {% if item.http2 is defined %}http2{% endif %};
|
||||
|
||||
ssl_certificate {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'fullchain.pem' + ';' }}
|
||||
ssl_certificate_key {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'privkey.pem;' }}
|
||||
|
||||
{% endif %}
|
||||
server_tokens off;
|
||||
{% if item.max_upload is defined %}
|
||||
|
|
|
@ -5,10 +5,6 @@
|
|||
{% extends "core.j2" %}
|
||||
|
||||
{% block app_specific %}
|
||||
|
||||
# Include mime.types to be able to support .mjs files (see "types" below)
|
||||
include mime.types;
|
||||
|
||||
# CryptPad serves static assets over these two domains.
|
||||
# `main_domain` is what users will enter in their address bar.
|
||||
# Privileged computation such as key management is handled in this scope
|
||||
|
@ -117,6 +113,11 @@
|
|||
# We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
|
||||
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
|
||||
|
||||
# draw.io uses inline script tags in it's index.html. The hashes are added here.
|
||||
if ($uri ~ ^\/components\/drawio\/src\/main\/webapp\/index.html.*$) {
|
||||
set $scriptSrc "'self' 'sha256-dLMFD7ijAw6AVaqecS7kbPcFFzkxQ+yeZSsKpOdLxps=' 'sha256-6g514VrT/cZFZltSaKxIVNFF46+MFaTSDTPB8WfYK+c=' resource: https://${main_domain}";
|
||||
}
|
||||
|
||||
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
|
||||
if ($unsafe) {
|
||||
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
|
||||
|
@ -125,11 +126,6 @@
|
|||
# Finally, set all the rules you composed above.
|
||||
add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
|
||||
|
||||
# Add support for .mjs files used by pdfjs
|
||||
types {
|
||||
application/javascript mjs;
|
||||
}
|
||||
|
||||
{% endblock %}
|
||||
|
||||
{% block root %}
|
||||
|
|
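Review bot: The draw.io block pins `$scriptSrc` to two inline-script hashes taken from one specific `index.html`, so any draw.io update that changes those inline scripts will be blocked by the browser's CSP with no signal from Ansible; the regex also leaves the `.` in `index.html` unescaped and ends in `.*$`, so it matches more than the intended file. Suggest `if ($uri ~ ^\/components\/drawio\/src\/main\/webapp\/index\.html$)` and a comment above the block recording the provenance, e.g. `# sha256 values below are the inline <script> bodies of draw.io <DRAWIO_VERSION placeholder>; recompute after every draw.io upgrade`. Separately, the `include mime.types;` line (first hunk) and the `types { application/javascript mjs; }` block (last hunk) are removed from this template with no replacement visible on this page; if they were not moved to a shared template outside this diff, `.mjs` files served for pdfjs lose their JavaScript MIME type and module loading fails. The `root` block that opens at the end of the last hunk continues outside it.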