From 19c55ca2fb746d3724c143059f2078a5178bce48 Mon Sep 17 00:00:00 2001 From: Kris Lamoureux Date: Fri, 12 Jul 2019 23:23:01 -0400 Subject: [PATCH] Enabled HTTPS on Let's Encrypt Refined gitignore. Moved testing variables back to group_vars. Added apache modules: rewrite, ssl and header and created strong SSL settings. --- .gitignore | 4 +-- group_vars/all.yml | 15 +++++++++++ roles/nextcloud/tasks/main.yml | 22 ++++++++++++++++ roles/nextcloud/templates/apacheconf.conf | 31 +++++++++++++++++++++++ 4 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 group_vars/all.yml diff --git a/.gitignore b/.gitignore index 01be70a..77607d8 100644 --- a/.gitignore +++ b/.gitignore @@ -6,9 +6,9 @@ # Production files *.yml -host_vars/** +host_vars # Testing env exceptions !testing.yml -!./host_vars/all.yml +!all.yml diff --git a/group_vars/all.yml b/group_vars/all.yml new file mode 100644 index 0000000..65cd2da --- /dev/null +++ b/group_vars/all.yml @@ -0,0 +1,15 @@ +## Nextcloud Configuration ## +nc_version: 16.0.3 +nc_sha256sum: a13f68ce47a1362318629ba5b118a59fa98358bb18f4afc371ea15104f2881f3 + +nc_domain: www.example.com +nc_docroot: /var/www/nextcloud +nc_data: /var/www/nextcloud/data + +nc_db: nextcloud +nc_db_user: nextcloud +nc_db_pass: nc+password + +nc_admin: admin +nc_admin_pass: ncadmin+password + diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 085fe68..ad2c1c0 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -109,6 +109,27 @@ notify: - Reload Apache +- name: Enable Apache Rewrite Module + apache2_module: + name: rewrite + state: present + notify: + - Reload Apache + +- name: Enable Apache SSL Module + apache2_module: + name: ssl + state: present + notify: + - Reload Apache + +- name: Enable Apache Headers Module + apache2_module: + name: headers + state: present + notify: + - Reload Apache + - name: Enable Site file: src: /etc/apache2/sites-available/{{ nc_domain }}.conf 
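Review bot: The new negation `!all.yml` in the .gitignore hunk has no path anchor, so it re-includes every file named all.yml outside an ignored directory, not only the testing defaults in group_vars. An `all.yml` placed in any other directory (under a role or an inventory subdirectory, for example) would then be tracked despite the `*.yml` rule that keeps production variable files out of the repository. Anchoring the exception as `!/group_vars/all.yml` limits the carve-out to the one file this commit adds.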
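Review bot: `nc_db_pass` and `nc_admin_pass` are committed in clear text in group_vars/all.yml, which Ansible applies to every host, so a run against a production inventory that does not override them deploys publicly known credentials. The commit message calls these testing variables, but nothing in the file says so. A header comment such as `# TESTING DEFAULTS ONLY - override nc_db_pass and nc_admin_pass per host, e.g. from an ansible-vault file` would make that explicit. A guard task that fails while the defaults are still in place would be stronger.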
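Review bot: The template in this commit sets `Protocols h2 http/1.1`, but the tasks added in this hunk enable only rewrite, ssl and headers, so unless http2 is enabled outside this hunk, h2 will not be negotiated. Either add an `apache2_module` task with `name: http2`, or drop `h2` from the `Protocols` line so the config states what the server actually offers. The template's `php_value` line suggests mod_php, and mod_http2 does not work under the prefork MPM that mod_php normally requires, so dropping `h2` is probably the simpler fix. The three added tasks are otherwise identical and could be one task with a `loop` over the module names. The hunk ends inside the following "Enable Site" task, which is not reviewed here.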
@@ -118,3 +139,4 @@ group: root notify: - Reload Apache + diff --git a/roles/nextcloud/templates/apacheconf.conf b/roles/nextcloud/templates/apacheconf.conf index 39db7e8..add282c 100644 --- a/roles/nextcloud/templates/apacheconf.conf +++ b/roles/nextcloud/templates/apacheconf.conf @@ -16,6 +16,19 @@ ServerName {{ nc_domain }} + ServerAdmin {{ nc_admin }} + + RewriteEngine On + RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L] + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + + + + ServerName {{ nc_domain }} ServerAdmin {{ nc_admin }} DocumentRoot {{ nc_docroot }} @@ -23,8 +36,17 @@ ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined + SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/{{ nc_domain }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ nc_domain }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ nc_domain }}/chain.pem + + Protocols h2 http/1.1 + + Header always set Strict-Transport-Security "max-age=63072000" + Options Indexes FollowSymLinks AllowOverride All @@ -33,4 +55,13 @@ php_value memory_limit 512M +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +SSLHonorCipherOrder off +SSLSessionTickets off + +SSLUseStapling On +SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" + # vim: syntax=apache +
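Review bot: The redirect `RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]` builds its target from the client-supplied Host header, so a request reaching this vhost with another Host value gets a permanent redirect to that host. Using the configured name, `RewriteRule ^(.*)$ https://{{ nc_domain }}$1 [R=301,L]`, keeps the redirect pinned to the site. `ServerAdmin {{ nc_admin }}` reuses the Nextcloud admin login name (`admin` in group_vars) where Apache expects a contact address, and depending on `ServerSignature` it can appear in server-generated error pages; a separate e-mail variable would be cleaner. The enclosing VirtualHost tags are not visible in this rendering of the hunk.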
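Review bot: `SSLCertificateFile` points at `cert.pem` and the intermediates come from `SSLCertificateChainFile`, a directive deprecated since Apache 2.4.8. The usual Let's Encrypt layout is `SSLCertificateFile /etc/letsencrypt/live/{{ nc_domain }}/fullchain.pem` with the chain line removed. No task visible in this commit obtains the certificate, so on a fresh host these paths presumably do not exist and Apache will fail its config check on reload. The HSTS header carries a two-year `max-age` from the first deploy; a comment noting that browsers will refuse plain HTTP for that period would help anyone who has to roll this back.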
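Review bot: `SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"` uses a path relative to ServerRoot, while the rest of the template uses Debian-style variables such as `${APACHE_LOG_DIR}`. On that layout ServerRoot is normally /etc/apache2, which has no `logs` directory, so the stapling cache may fail to initialise. `SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"` matches the layout. These SSL directives appear to sit at server scope, so they would apply to every TLS vhost on the host and not only Nextcloud; a comment such as `# Global TLS policy: applies to all vhosts on this server` would make that visible.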