Enabled HTTPS on Let's Encrypt

Refined gitignore. Moved testing variables back to group_vars. Added apache modules: rewrite, ssl and header and created strong SSL settings.
2024-11-10 01:40:35 +00:00 · 2019-07-12 23:23:01 -04:00 · 2019-07-12 23:23:01 -04:00 · 19c55ca2fb
commit 19c55ca2fb
parent 3a7fd20fff
4 changed files with 70 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,9 +6,9 @@

 # Production files
 *.yml
-host_vars/**
+host_vars

 # Testing env exceptions
 !testing.yml
-!./host_vars/all.yml
+!all.yml

--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -0,0 +1,15 @@
+## Nextcloud Configuration ##
+nc_version: 16.0.3
+nc_sha256sum: a13f68ce47a1362318629ba5b118a59fa98358bb18f4afc371ea15104f2881f3
+
+nc_domain: www.example.com
+nc_docroot: /var/www/nextcloud
+nc_data: /var/www/nextcloud/data
+
+nc_db: nextcloud
+nc_db_user: nextcloud
+nc_db_pass: nc+password
+
+nc_admin: admin
+nc_admin_pass: ncadmin+password
+
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -109,6 +109,27 @@
  notify:
    - Reload Apache

+- name: Enable Apache Rewrite Module
+  apache2_module:
+    name: rewrite
+    state: present
+  notify:
+    - Reload Apache
+
+- name: Enable Apache SSL Module
+  apache2_module:
+    name: ssl
+    state: present
+  notify:
+    - Reload Apache
+
+- name: Enable Apache Headers Module
+  apache2_module:
+    name: headers
+    state: present
+  notify:
+     - Reload Apache
+
 - name: Enable Site
  file:
    src: /etc/apache2/sites-available/{{ nc_domain }}.conf
@ -118,3 +139,4 @@
    group: root
  notify:
    - Reload Apache
+
--- a/roles/nextcloud/templates/apacheconf.conf
+++ b/roles/nextcloud/templates/apacheconf.conf
@ -16,6 +16,19 @@

 <VirtualHost *:80>
        ServerName {{ nc_domain }}
+        ServerAdmin {{ nc_admin }}
+
+        RewriteEngine On
+        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+</VirtualHost>
+
+
+<VirtualHost *:443>
+        ServerName {{ nc_domain }}

        ServerAdmin {{ nc_admin }}
        DocumentRoot {{ nc_docroot }}
@ -23,8 +36,17 @@
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

+        SSLEngine on
+        SSLCertificateFile      /etc/letsencrypt/live/{{ nc_domain }}/cert.pem
+        SSLCertificateKeyFile   /etc/letsencrypt/live/{{ nc_domain }}/privkey.pem
+        SSLCertificateChainFile /etc/letsencrypt/live/{{ nc_domain }}/chain.pem
+
+        Protocols h2 http/1.1
+
+        Header always set Strict-Transport-Security "max-age=63072000"
 </VirtualHost>

+
 <Directory {{ nc_docroot }}>
    Options Indexes FollowSymLinks
    AllowOverride All
@ -33,4 +55,13 @@
    php_value memory_limit 512M
 </Directory>

+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder     off
+SSLSessionTickets       off
+
+SSLUseStapling On
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+
 # vim: syntax=apache
+