From 002e1183fccd757beb816af99f99e2e94d8e5b87 Mon Sep 17 00:00:00 2001 From: muppeth Date: Thu, 7 Mar 2024 10:07:17 +0000 Subject: [PATCH 1/3] Vhosts creation change (#63) Changed the way vhosts are created. This is to prevent situation where https vhosts are created without corresponding certificate which is causing error. Solution to that is to check if ssl cert exists for vhost before creating them. Suggested approach is to create vhost called '01.letsencrypt' or `01.domain.ltd` using `letsencrypt` template. This will allow new certificates to be created for upcoming vhosts and once certs are created, nginx will be able to create vhosts and not error out. (so first run letsencrypt and then nginx). Currently vhost creation and enabling is done separate for HTTP and HTTPS vhosts. Not the best solution, but works for now. Reviewed-on: https://git.disroot.org/Disroot-Ansible/nginx/pulls/63 Reviewed-by: meaz Co-authored-by: muppeth Co-committed-by: muppeth
--- tasks/vhost.yml | 87 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 78 insertions(+), 9 deletions(-)
diff --git a/tasks/vhost.yml b/tasks/vhost.yml
index 864aeb0..5b98e8c 100644
--- a/tasks/vhost.yml
+++ b/tasks/vhost.yml
@@ -3,19 +3,44 @@
 slurp:
 src: "/var/lib/tor/{{ item.name }}/hostname"
 register: "onion_address"
- when: item.onion is defined and item.onion == 'true'
+ when:
+ - item.onion is defined
+ - item.onion == 'true'
 - name: "[NGINX] - Set fact"
 set_fact:
 enable_tor: 'false'
+
+- name: "[NGINX] - Check if the certificate for the vhost exists"
+ stat:
+ path: '{{ nginx_ssl_dir }}/{{ item.name }}/privkey.pem'
+ register: cert_exists
+ when:
+ - item.ssl_name is defined
-- name: "[NGINX] - Create vhosts"
+- name: "[NGINX] - Create HTTPS vhosts"
 template:
 src: etc/nginx/sites-available/{{ item.template }}.j2
 dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
 notify:
 - reload nginx
- when: item.state is defined and item.state != 'delete'
+ when:
+ - item.ssl_name is defined
+ - cert_exists is defined
+ - cert_exists.stat.exists
+ - item.state is defined
+ - item.state != 'delete'
+
+- name: "[NGINX] - Create HTTP vhosts"
+ template:
+ src: etc/nginx/sites-available/{{ item.template }}.j2
+ dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+ notify:
+ - reload nginx
+ when:
+ - item.ssl_name is not defined
+ - item.state is defined
+ - item.state != 'delete'
 - name: "[NGINX] - Delete vhosts"
 file:
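Review bot: The new stat task that gates every HTTPS task checks `privkey.pem` with the module's default `follow: false`, so a dangling symlink still reports `stat.exists: true`; if `nginx_ssl_dir` points at a Let's Encrypt `live` tree, where `privkey.pem` is a symlink into `archive`, an HTTPS vhost can be rendered against a key that is no longer there and nginx hits the reload error this commit sets out to avoid. Add `follow: true` under `stat:` so the check resolves the link to the real file. The task also tests only the key; if the vhost templates reference the certificate chain as well, stat that path too, since a missing `fullchain.pem` fails the reload just the same. Note that the path is built from `item.name` while the guard keys on `item.ssl_name`; if the certificate directory is named after `ssl_name` rather than `name`, the check looks in the wrong place, which is worth confirming against the letsencrypt template.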
@@ -23,16 +48,36 @@
 state: absent
 notify:
 - reload nginx
- when: item.state is defined and item.state == 'delete'
+ when:
+ - item.state is defined
+ - item.state == 'delete'
-- name: "[NGINX] - Enable vhosts"
+- name: "[NGINX] - Enable HTTPS vhosts"
 file:
 src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
 dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
 state: link
 notify:
 - reload nginx
- when: item.state is defined and item.state == 'enable'
+ when:
+ - item.ssl_name is defined
+ - cert_exists is defined
+ - cert_exists.skipped == 'false'
+ - cert_exists.stat.exists
+ - item.state is defined
+ - item.state == 'enable'
+
+- name: "[NGINX] - Enable HTTP vhosts"
+ file:
+ src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+ dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
+ state: link
+ notify:
+ - reload nginx
+ when:
+ - item.ssl_name is not defined
+ - item.state is defined
+ - item.state == 'enable'
 - name: "[NGINX] - Disable vhosts"
 file:
@@ -40,7 +85,10 @@
 state: absent
 notify:
 - reload nginx
- when: item.state is defined and (item.state == 'disable' or item.state == 'delete')
+ when:
+ - item.state is defined
+ - item.state == 'disable'
+ - item.state == 'delete'
 - name: "[NGINX] - Delete default vhost when explicitely defined"
 file:
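Review bot: The rewritten `when:` of the `Disable vhosts` task (second hunk, `@@ -40,7 +85,10 @@`) lists `item.state == 'disable'` and `item.state == 'delete'` as separate entries, and a list-form `when` is an AND, so the task can never run; the expression it replaces OR-ed them. A vhost switched to `disable` keeps its `sites-enabled` link and stays live, and a `delete` item loses its `sites-available` file in the hunk above while the link pointing at it is left behind. Collapse the two entries into one: `- item.state in ['disable', 'delete']`. The `file:` stanza of the task starts outside the hunk.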
@@ -50,10 +98,31 @@
 - reload nginx
 when: nginx_default_vhost is not none
-- name: "[NGINX] - Create maintenance vhosts"
+- name: "[NGINX] - Create HTTPS maintenance vhosts"
 template:
 src: etc/nginx/sites-available/maintenance.j2
 dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
 notify:
 - reload nginx
- when: (item.state is defined) and (item.state != 'delete') and (item.maintenance is defined) and (item.maintenance == 'true')
+ when:
+ - item.ssl_name is defined
+ - cert_exists is defined
+ - cert_exists.skipped == 'false'
+ - cert_exists.stat.exists
+ - item.state is defined
+ - item.state != 'delete'
+ - item.maintenance is defined
+ - item.maintenance == 'true'
+
+- name: "[NGINX] - Create HTTP maintenance vhosts"
+ template:
+ src: etc/nginx/sites-available/maintenance.j2
+ dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
+ notify:
+ - reload nginx
+ when:
+ - item.ssl_name is not defined
+ - item.state is defined
+ - item.state != 'delete'
+ - item.maintenance is defined
+ - item.maintenance == 'true'
-- 2.30.2
From 5646a553fcd050cccbdb52cd7a3ecc8244e22ba1 Mon Sep 17 00:00:00 2001 From: meaz Date: Tue, 5 Mar 2024 20:19:22 +0000 Subject: [PATCH 2/3] bump to cryptpad 5.7.0 (#62) Reviewed-on: https://git.disroot.org/Disroot-Ansible/nginx/pulls/62 Reviewed-by: muppeth Co-authored-by: meaz Co-committed-by: meaz
--- templates/etc/nginx/sites-available/cryptpad.j2 | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/templates/etc/nginx/sites-available/cryptpad.j2 b/templates/etc/nginx/sites-available/cryptpad.j2
index 0243d8f..67176ed 100644
--- a/templates/etc/nginx/sites-available/cryptpad.j2
+++ b/templates/etc/nginx/sites-available/cryptpad.j2
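Review bot: The two maintenance tasks are identical apart from their `when:` lists, as are the create and enable pairs in the earlier hunks of this patch, so every future change to the template, dest or handler has to be made twice and the pairs can silently drift. One task whose `when:` carries `- item.ssl_name is not defined or cert_exists.stat.exists` in place of the `item.ssl_name is defined` / `is not defined` / `cert_exists` entries covers both cases: Jinja's `or` short-circuits, so `cert_exists.stat` is only read when `ssl_name` is set, which is exactly the condition the stat task registers it under. The remaining entries (`item.state`, `item.maintenance`) are the same in both tasks and stay as they are.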
@@ -5,6 +5,10 @@
 {% extends "core.j2" %}
 {% block app_specific %}
+
+ # Include mime.types to be able to support .mjs files (see "types" below)
+ include mime.types;
+
 # CryptPad serves static assets over these two domains.
 # `main_domain` is what users will enter in their address bar.
 # Privileged computation such as key management is handled in this scope
@@ -113,11 +117,6 @@
 # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
 if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
- # draw.io uses inline script tags in it's index.html. The hashes are added here.
- if ($uri ~ ^\/components\/drawio\/src\/main\/webapp\/index.html.*$) {
- set $scriptSrc "'self' 'sha256-dLMFD7ijAw6AVaqecS7kbPcFFzkxQ+yeZSsKpOdLxps=' 'sha256-6g514VrT/cZFZltSaKxIVNFF46+MFaTSDTPB8WfYK+c=' resource: https://${main_domain}";
- }
-
 # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
 if ($unsafe) {
 set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
@@ -126,6 +125,11 @@
 # Finally, set all the rules you composed above.
 add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
+ # Add support for .mjs files used by pdfjs
+ types {
+ application/javascript mjs;
+ }
+
 {% endblock %}
 {% block root %}
-- 2.30.2
From 2aa683346c254850caa26a429bf26a282e76d783 Mon Sep 17 00:00:00 2001 From: muppeth Date: Thu, 7 Mar 2024 16:17:33 +0100 Subject: [PATCH 3/3] fixed vhost task; again
--- tasks/vhost.yml | 2 -- 1 file changed, 2 deletions(-)
diff --git a/tasks/vhost.yml b/tasks/vhost.yml
index 5b98e8c..20c6b2f 100644
--- a/tasks/vhost.yml
+++ b/tasks/vhost.yml
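Review bot: The comment above `include mime.types;` gives the wrong reason for the include: a `types {}` block declared in a server context replaces the inherited type map rather than extending it, so without this include the `types { application/javascript mjs; }` block added in the third hunk (`@@ -126,6 +125,11 @@`) would leave every other extension on `default_type`. Replace the comment with `# The types {} block below replaces the inherited map, so pull in the full mime.types here first` and move the `types` block directly under this include, rather than 120 lines later after `add_header`, so the dependency between the two is visible to the next editor. It is also worth checking which JavaScript type the installed `mime.types` assigns to `js` and using the same one for `mjs`, so module and classic scripts are served with a consistent type.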
@@ -62,7 +62,6 @@
 when:
 - item.ssl_name is defined
 - cert_exists is defined
- - cert_exists.skipped == 'false'
 - cert_exists.stat.exists
 - item.state is defined
 - item.state == 'enable'
@@ -107,7 +106,6 @@
 when:
 - item.ssl_name is defined
 - cert_exists is defined
- - cert_exists.skipped == 'false'
 - cert_exists.stat.exists
 - item.state is defined
 - item.state != 'delete'
-- 2.30.2
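Review bot: With the `skipped` entry gone, the `cert_exists is defined` guard kept in both hunks does not protect the `cert_exists.stat.exists` lookup that follows it: a register left by a skipped `stat` task is defined but carries `skipped: true` and no `stat` key, so the guard passes and the next entry raises an undefined-attribute error. The tasks only work because `item.ssl_name is defined` comes first and is the same condition the stat task runs under, an ordering dependence a reader cannot see from these lines. Change the entry to `- cert_exists.stat is defined` in both hunks so the guard checks what is actually dereferenced. The `name:`, `file:` and `template:` stanzas of both tasks lie outside the hunks.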