Enable SSL for imagery sites
authorTom Hughes <tom@compton.nu>
Tue, 14 Feb 2017 18:37:22 +0000 (18:37 +0000)
committerTom Hughes <tom@compton.nu>
Tue, 14 Feb 2017 18:52:50 +0000 (18:52 +0000)
cookbooks/imagery/.foodcritic
cookbooks/imagery/metadata.rb
cookbooks/imagery/resources/site.rb
cookbooks/imagery/templates/default/nginx_imagery.conf.erb

index 435876eff3558e2722f5c74b15bb26d27c172954..5c5875e10a6a30da5e2dc7a9ec534767a5742ea4 100644 (file)
@@ -1,3 +1,4 @@
+~FC001
 ~FC005
 ~FC064
 ~FC065
index 5df29639d522e426c863af50ce1b09e4b61bbb9a..74a4a1d89e4aed30653144d83197bf21e0a853d2 100644 (file)
@@ -8,3 +8,4 @@ version           "1.0.0"
 depends           "nginx"
 depends           "git"
 depends           "systemd"
+depends           "ssl"
index f80f0407a0ff6c13cd8c7ddd186c9d8938991843..f8ab667319d6fcad61208bb4544b9c5a67c2b25a 100644 (file)
@@ -88,7 +88,13 @@ action :create do
     variables :bbox => bbox, :layers => layers
   end
 
-  nginx_site name do
+  base_domains = [name] + Array(aliases)
+
+  ssl_certificate new_resource.name do
+    domains base_domains.flat_map { |d| [d, "a.#{d}", "b.#{d}", "c.#{d}"] }
+  end
+
+  nginx_site new_resource.name do
     template "nginx_imagery.conf.erb"
     directory "/srv/imagery/#{name}"
     restart_nginx false
index 94b57076823770b976adde7d2078a4a14a09bec6..b926d479cf9db5436519c2fd5f3b35e45921048b 100644 (file)
@@ -1,8 +1,21 @@
 server {
     listen [::]:80;
+    listen [::]:443 ssl;
     server_name  <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %> a.<%= alias_name %> b.<%= alias_name %> c.<%= alias_name %><%- end -%>;
 
+    ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
+    ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers <%= node[:ssl][:ciphers] -%>;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 30m;
+    ssl_stapling on;
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
     root "/srv/<%= @name %>";
+    rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
 
     gzip on;
     gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; # text/html is implicit