From c4af7754b21903cce54fe3bf9e7efde201cac39c Mon Sep 17 00:00:00 2001 From: Stefan Haun Date: Thu, 8 Sep 2022 15:41:36 +0200 Subject: [PATCH 1/3] :sparkles: Use variables to configure dehydrated locations These variables match https://github.com/24367dfa/ansible-role-dehydrated --- roles/setup-http-site-proxy/defaults/main.yml | 6 ++++++ .../templates/apache-docker-proxy-site.j2 | 14 +++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) create mode 100644 roles/setup-http-site-proxy/defaults/main.yml diff --git a/roles/setup-http-site-proxy/defaults/main.yml b/roles/setup-http-site-proxy/defaults/main.yml new file mode 100644 index 0000000..e6171ff --- /dev/null +++ b/roles/setup-http-site-proxy/defaults/main.yml @@ -0,0 +1,6 @@ +# Defaults for setup-http-dehydrated +--- +# These match https://github.com/24367dfa/ansible-role-dehydrated +dehydrated_config_dir: "/usr/local/etc/dehydrated" +dehydrated_certs_dir: "{{ dehydrated_config_dir }}/certs" +dehydrated_wellknown_dir: "{{ dehydrated_config_dir }}/challenge" diff --git a/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 b/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 index b9f58a7..55dc711 100644 --- a/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 +++ b/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 @@ -9,7 +9,7 @@ ErrorLog /var/log/apache2/{{ site_name }}-error.log CustomLog /var/log/apache2/{{ site_name }}-access.log common - Alias /.well-known/acme-challenge /usr/local/etc/dehydrated/challenge + Alias /.well-known/acme-challenge {{ dehydrated_wellknown_dir }} RewriteEngine On @@ -18,9 +18,9 @@ - - - + + + {% if 'address' in ansible_default_ipv6 %} {% else %} 
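Review bot: The header comment added in roles/setup-http-site-proxy/defaults/main.yml names the wrong role: it reads `# Defaults for setup-http-dehydrated`, but the file belongs to setup-http-site-proxy, and patch 3/3 of this series deletes setup-http-dehydrated. I would change it to `# Defaults for setup-http-site-proxy`. Since `dehydrated_certs_dir` locates the TLS private keys, a second comment should say that these values must stay identical to the ones ansible-role-dehydrated uses. No meta dependency tying setup-http-site-proxy to that role is visible in this series, so nothing shown here keeps the two in step.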
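Review bot: In the `@@ -9,7 +9,7 @@` hunk the `Alias` target is now an unquoted variable, so a `dehydrated_wellknown_dir` override containing whitespace would split the directive; `Alias /.well-known/acme-challenge "{{ dehydrated_wellknown_dir }}"` avoids that. With the new defaults the challenge directory sits next to `certs/` under `dehydrated_config_dir`. A comment above the Alias should therefore state that the variable must point only at the challenge directory and never at its parent. The virtual host block this line belongs to begins and ends outside the hunk.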
@@ -35,9 +35,9 @@ SSLEngine on SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown - SSLCertificateFile /usr/local/etc/dehydrated/certs/{{ site_name }}/cert.pem - SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/{{ site_name }}/privkey.pem - SSLCertificateChainFile /usr/local/etc/dehydrated/certs/{{ site_name }}/chain.pem + SSLCertificateFile {{dehydrated_certs_dir}/{{ site_name }}/cert.pem + SSLCertificateKeyFile {{dehydrated_certs_dir}/{{ site_name }}/privkey.pem + SSLCertificateChainFile {{dehydrated_certs_dir}/{{ site_name }}/chain.pem AllowEncodedSlashes NoDecode ProxyPass / http://{{ backend_host | default("localhost") }}:{{proxy_port}}/ nocanon From e3020b6d711efc146056ac0bae9ced374f084371 Mon Sep 17 00:00:00 2001 From: Stefan Haun Date: Thu, 8 Sep 2022 15:43:54 +0200 Subject: [PATCH 2/3] :sparkles: Enable setup-http-site-proxy with missing proxy target If no proxy port is defined, only the dehydrated HTTP endpoint is created and the HTTPS endpoint returns 404. --- .../templates/apache-docker-proxy-site.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 b/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 index 55dc711..022b0e2 100644 --- a/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 +++ b/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 @@ -39,6 +39,7 @@ SSLCertificateKeyFile {{dehydrated_certs_dir}/{{ site_name }}/privkey.pem SSLCertificateChainFile {{dehydrated_certs_dir}/{{ site_name }}/chain.pem +<% if proxy_port %> AllowEncodedSlashes NoDecode ProxyPass / http://{{ backend_host | default("localhost") }}:{{proxy_port}}/ nocanon RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} @@ -51,6 +52,9 @@ RewriteCond %{HTTP:Connection} upgrade [NC] RewriteRule ^/?(.*) "ws://{{ backend_host | default("localhost") }}:{{ proxy_port }}/$1" [P,L] +<% else %> + Redirect 404 / +< %endif %> 
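Review bot: The three new SSL directives in the `@@ -35,9 +35,9 @@` hunk open the expression with `{{` but close it with a single `}`, as in `{{dehydrated_certs_dir}/{{ site_name }}/cert.pem`. Jinja2 should reject this with a template syntax error, so the HTTPS virtual host cannot be rendered as written. Each line needs the second brace, e.g. `SSLCertificateFile {{ dehydrated_certs_dir }}/{{ site_name }}/cert.pem`, and likewise for `privkey.pem` and `chain.pem`. The same lines appear unchanged as context in patch 2/3, so the series does not correct them later.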
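Review bot: The conditional added in the `@@ -39,6 +39,7 @@` hunk is written `<% if proxy_port %>`, and the matching `<% else %>` and `< %endif %>` in the `@@ -51,6 +52,9 @@` hunk have the same problem: Jinja2 statements are delimited by `{% … %}`, so these three lines are copied into the Apache configuration as literal text. As a result both the `ProxyPass` block and `Redirect 404 /` are emitted whatever `proxy_port` is, and Apache will probably refuse the file. They should read `{% if proxy_port is defined %}`, `{% else %}` and `{% endif %}`. The `is defined` test is suggested because Ansible normally raises an error when a template evaluates an undefined variable, which is exactly the case this commit wants to support.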
From 182feeca58e6bc089d1bcc6fd6e34c1581dbdf6a Mon Sep 17 00:00:00 2001
From: Stefan Haun
Date: Thu, 8 Sep 2022 15:45:39 +0200
Subject: [PATCH 3/3] :fire: Remove role setup-http-dehydrated This feature is now provided by setup-http-site-proxy
---
roles/setup-http-dehydrated/handlers/main.yml | 5 ---
roles/setup-http-dehydrated/meta/main.yml | 3 --
roles/setup-http-dehydrated/tasks/main.yml | 12 ------
.../templates/apache-dehydrated.j2 | 38 -------------------
4 files changed, 58 deletions(-)
delete mode 100644 roles/setup-http-dehydrated/handlers/main.yml
delete mode 100644 roles/setup-http-dehydrated/meta/main.yml
delete mode 100644 roles/setup-http-dehydrated/tasks/main.yml
delete mode 100644 roles/setup-http-dehydrated/templates/apache-dehydrated.j2
diff --git a/roles/setup-http-dehydrated/handlers/main.yml b/roles/setup-http-dehydrated/handlers/main.yml
deleted file mode 100644
index 670471f..0000000
--- a/roles/setup-http-dehydrated/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: restart apache2
- service:
- name: apache2
- state: restarted
diff --git a/roles/setup-http-dehydrated/meta/main.yml b/roles/setup-http-dehydrated/meta/main.yml
deleted file mode 100644
index 5eff279..0000000
--- a/roles/setup-http-dehydrated/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
-- role: ansible-role-dehydrated
diff --git a/roles/setup-http-dehydrated/tasks/main.yml b/roles/setup-http-dehydrated/tasks/main.yml
deleted file mode 100644
index a6f1650..0000000
--- a/roles/setup-http-dehydrated/tasks/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: Add or update Apache2 site
- template:
- src: templates/apache-dehydrated.j2
- dest: /etc/apache2/sites-available/{{ site_name }}.conf
- notify: restart apache2
-
-- name: Activate Apache2 site
- command: a2ensite {{ site_name }}
- args:
- creates: /etc/apache2/sites-enabled/{{ site_name }}.conf
- notify: restart apache2
diff --git a/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 b/roles/setup-http-dehydrated/templates/apache-dehydrated.j2
deleted file mode 100644
index 60076b4..0000000
--- a/roles/setup-http-dehydrated/templates/apache-dehydrated.j2
+++ /dev/null
@@ -1,38 +0,0 @@
-{% if 'address' in ansible_default_ipv6 %}
-
-{% else %}
-
-{% endif %}
- ServerAdmin {{ server_admin }}
- ServerName {{ site_name }}
- ServerAlias {{ site_name }}
- ErrorLog /var/log/apache2/{{ site_name }}-error.log
- CustomLog /var/log/apache2/{{ site_name }}-access.log common
-
- Alias /.well-known/acme-challenge {{ dehydrated_wellknown_dir }}
-
-
-
-{% if 'address' in ansible_default_ipv6 %}
-
-{% else %}
-
-{% endif %}
- ServerAdmin {{ server_admin }}
- ServerName {{ site_name }}
- ServerAlias {{ site_name }}
-
- ErrorLog /var/log/apache2/{{ site_name }}-error.log
- CustomLog /var/log/apache2/{{ site_name }}-access.log common
-
- SSLEngine on
- SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
- SSLCertificateFile {{dehydrated_certs_dir}}/{{ site_name }}/cert.pem
- SSLCertificateKeyFile {{dehydrated_certs_dir}}/{{ site_name }}/privkey.pem
- SSLCertificateChainFile {{dehydrated_certs_dir}}/{{ site_name }}/chain.pem
-
- Alias /.well-known/acme-challenge {{ dehydrated_wellknown_dir }}
-
- Redirect 404 /
-
-