1
0
mirror of https://github.com/krislamo/freecloud synced 2024-12-16 10:40:36 +00:00

Enabled HTTPS on Let's Encrypt

Refined gitignore. Moved testing variables back to group_vars.
Added apache modules: rewrite, ssl and header and created strong
SSL settings.
This commit is contained in:
Kris Lamoureux 2019-07-12 23:23:01 -04:00
parent 3a7fd20fff
commit 19c55ca2fb
4 changed files with 70 additions and 2 deletions

4
.gitignore vendored
View File

@ -6,9 +6,9 @@
# Production files # Production files
*.yml *.yml
host_vars/** host_vars
# Testing env exceptions # Testing env exceptions
!testing.yml !testing.yml
!./host_vars/all.yml !all.yml

15
group_vars/all.yml Normal file
View File

@ -0,0 +1,15 @@
## Nextcloud Configuration ##
nc_version: 16.0.3
nc_sha256sum: a13f68ce47a1362318629ba5b118a59fa98358bb18f4afc371ea15104f2881f3
nc_domain: www.example.com
nc_docroot: /var/www/nextcloud
nc_data: /var/www/nextcloud/data
nc_db: nextcloud
nc_db_user: nextcloud
nc_db_pass: nc+password
nc_admin: admin
nc_admin_pass: ncadmin+password

View File

@ -109,6 +109,27 @@
notify: notify:
- Reload Apache - Reload Apache
- name: Enable Apache Rewrite Module
apache2_module:
name: rewrite
state: present
notify:
- Reload Apache
- name: Enable Apache SSL Module
apache2_module:
name: ssl
state: present
notify:
- Reload Apache
- name: Enable Apache Headers Module
apache2_module:
name: headers
state: present
notify:
- Reload Apache
- name: Enable Site - name: Enable Site
file: file:
src: /etc/apache2/sites-available/{{ nc_domain }}.conf src: /etc/apache2/sites-available/{{ nc_domain }}.conf
@ -118,3 +139,4 @@
group: root group: root
notify: notify:
- Reload Apache - Reload Apache

View File

@ -16,6 +16,19 @@
<VirtualHost *:80> <VirtualHost *:80>
ServerName {{ nc_domain }} ServerName {{ nc_domain }}
ServerAdmin {{ nc_admin }}
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName {{ nc_domain }}
ServerAdmin {{ nc_admin }} ServerAdmin {{ nc_admin }}
DocumentRoot {{ nc_docroot }} DocumentRoot {{ nc_docroot }}
@ -23,8 +36,17 @@
ErrorLog ${APACHE_LOG_DIR}/error.log ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/{{ nc_domain }}/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{{ nc_domain }}/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/{{ nc_domain }}/chain.pem
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost> </VirtualHost>
<Directory {{ nc_docroot }}> <Directory {{ nc_docroot }}>
Options Indexes FollowSymLinks Options Indexes FollowSymLinks
AllowOverride All AllowOverride All
@ -33,4 +55,13 @@
php_value memory_limit 512M php_value memory_limit 512M
</Directory> </Directory>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# vim: syntax=apache # vim: syntax=apache