1
0
mirror of https://github.com/krislamo/freecloud synced 2024-12-16 02:30:35 +00:00

Enabled HTTPS on Let's Encrypt

Refined gitignore. Moved testing variables back to group_vars.
Added apache modules: rewrite, ssl and header and created strong
SSL settings.
This commit is contained in:
Kris Lamoureux 2019-07-12 23:23:01 -04:00
parent 3a7fd20fff
commit 19c55ca2fb
4 changed files with 70 additions and 2 deletions

4
.gitignore vendored
View File

@ -6,9 +6,9 @@
# Production files
*.yml
host_vars/**
host_vars
# Testing env exceptions
!testing.yml
!./host_vars/all.yml
!all.yml

15
group_vars/all.yml Normal file
View File

@ -0,0 +1,15 @@
## Nextcloud Configuration ##
nc_version: 16.0.3
nc_sha256sum: a13f68ce47a1362318629ba5b118a59fa98358bb18f4afc371ea15104f2881f3
nc_domain: www.example.com
nc_docroot: /var/www/nextcloud
nc_data: /var/www/nextcloud/data
nc_db: nextcloud
nc_db_user: nextcloud
nc_db_pass: nc+password
nc_admin: admin
nc_admin_pass: ncadmin+password

View File

@ -109,6 +109,27 @@
notify:
- Reload Apache
- name: Enable Apache Rewrite Module
apache2_module:
name: rewrite
state: present
notify:
- Reload Apache
- name: Enable Apache SSL Module
apache2_module:
name: ssl
state: present
notify:
- Reload Apache
- name: Enable Apache Headers Module
apache2_module:
name: headers
state: present
notify:
- Reload Apache
- name: Enable Site
file:
src: /etc/apache2/sites-available/{{ nc_domain }}.conf
@ -118,3 +139,4 @@
group: root
notify:
- Reload Apache

View File

@ -16,6 +16,19 @@
<VirtualHost *:80>
ServerName {{ nc_domain }}
ServerAdmin {{ nc_admin }}
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName {{ nc_domain }}
ServerAdmin {{ nc_admin }}
DocumentRoot {{ nc_docroot }}
@ -23,8 +36,17 @@
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/{{ nc_domain }}/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{{ nc_domain }}/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/{{ nc_domain }}/chain.pem
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
<Directory {{ nc_docroot }}>
Options Indexes FollowSymLinks
AllowOverride All
@ -33,4 +55,13 @@
php_value memory_limit 512M
</Directory>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# vim: syntax=apache