mirror of
https://github.com/krislamo/freecloud
synced 2024-12-16 02:30:35 +00:00
Enabled HTTPS on Let's Encrypt
Refined gitignore. Moved testing variables back to group_vars. Added apache modules: rewrite, ssl and header and created strong SSL settings.
This commit is contained in:
parent
3a7fd20fff
commit
19c55ca2fb
4
.gitignore
vendored
4
.gitignore
vendored
@ -6,9 +6,9 @@
|
||||
|
||||
# Production files
|
||||
*.yml
|
||||
host_vars/**
|
||||
host_vars
|
||||
|
||||
# Testing env exceptions
|
||||
!testing.yml
|
||||
!./host_vars/all.yml
|
||||
!all.yml
|
||||
|
||||
|
15
group_vars/all.yml
Normal file
15
group_vars/all.yml
Normal file
@ -0,0 +1,15 @@
|
||||
## Nextcloud Configuration ##
|
||||
nc_version: 16.0.3
|
||||
nc_sha256sum: a13f68ce47a1362318629ba5b118a59fa98358bb18f4afc371ea15104f2881f3
|
||||
|
||||
nc_domain: www.example.com
|
||||
nc_docroot: /var/www/nextcloud
|
||||
nc_data: /var/www/nextcloud/data
|
||||
|
||||
nc_db: nextcloud
|
||||
nc_db_user: nextcloud
|
||||
nc_db_pass: nc+password
|
||||
|
||||
nc_admin: admin
|
||||
nc_admin_pass: ncadmin+password
|
||||
|
@ -109,6 +109,27 @@
|
||||
notify:
|
||||
- Reload Apache
|
||||
|
||||
- name: Enable Apache Rewrite Module
|
||||
apache2_module:
|
||||
name: rewrite
|
||||
state: present
|
||||
notify:
|
||||
- Reload Apache
|
||||
|
||||
- name: Enable Apache SSL Module
|
||||
apache2_module:
|
||||
name: ssl
|
||||
state: present
|
||||
notify:
|
||||
- Reload Apache
|
||||
|
||||
- name: Enable Apache Headers Module
|
||||
apache2_module:
|
||||
name: headers
|
||||
state: present
|
||||
notify:
|
||||
- Reload Apache
|
||||
|
||||
- name: Enable Site
|
||||
file:
|
||||
src: /etc/apache2/sites-available/{{ nc_domain }}.conf
|
||||
@ -118,3 +139,4 @@
|
||||
group: root
|
||||
notify:
|
||||
- Reload Apache
|
||||
|
||||
|
@ -16,6 +16,19 @@
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName {{ nc_domain }}
|
||||
ServerAdmin {{ nc_admin }}
|
||||
|
||||
RewriteEngine On
|
||||
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName {{ nc_domain }}
|
||||
|
||||
ServerAdmin {{ nc_admin }}
|
||||
DocumentRoot {{ nc_docroot }}
|
||||
@ -23,8 +36,17 @@
|
||||
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
||||
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/letsencrypt/live/{{ nc_domain }}/cert.pem
|
||||
SSLCertificateKeyFile /etc/letsencrypt/live/{{ nc_domain }}/privkey.pem
|
||||
SSLCertificateChainFile /etc/letsencrypt/live/{{ nc_domain }}/chain.pem
|
||||
|
||||
Protocols h2 http/1.1
|
||||
|
||||
Header always set Strict-Transport-Security "max-age=63072000"
|
||||
</VirtualHost>
|
||||
|
||||
|
||||
<Directory {{ nc_docroot }}>
|
||||
Options Indexes FollowSymLinks
|
||||
AllowOverride All
|
||||
@ -33,4 +55,13 @@
|
||||
php_value memory_limit 512M
|
||||
</Directory>
|
||||
|
||||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
SSLHonorCipherOrder off
|
||||
SSLSessionTickets off
|
||||
|
||||
SSLUseStapling On
|
||||
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
|
||||
|
||||
# vim: syntax=apache
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user