Catching up Webserver config

roles/WebServer/files/conf.d/Core/aaa_default.conf

@@ -1,21 +1,12 @@
 server {
     listen      443 ssl http2;
     server_name default_server;
-    include sec.conf;
-    include letsencrypt.conf;
-    include default.csp.conf;
-    rewrite ^/(.*)$ https://aninix.net/$1 permanent;
-
-}
-
-server {
-    listen      443 ssl http2;
-    server_name aninix.net;
 
     include sec.conf;
-    include letsencrypt.conf;
     include default.csp.conf;
 
+    include letsencrypt.conf;
+
     location / {
 
       rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
@@ -54,3 +45,16 @@ server {
     }
 
 }
+
+server {
+    listen      443 ssl http2;
+    server_name foundation.aninix.net;
+    include sec.conf;
+    include letsencrypt.conf;
+    include default.csp.conf;
+
+    location / {
+        rewrite ^/(.*)$ https://aninix.net/$1 permanent;
+    }
+
+}

roles/WebServer/files/conf.d/Core/cyberbrain.conf

@@ -4,7 +4,6 @@ server {
 
     include sec.conf;
     include default.csp.conf;
-    include letsencrypt.conf;
 
     location /
     {
@@ -19,4 +18,7 @@ server {
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Real-PORT $remote_port;
     }
+
+    include letsencrypt.conf;
+
 }

roles/WebServer/files/conf.d/Core/geth.conf

@@ -15,15 +15,15 @@ server {
 
     location /
     {
-      proxy_set_header Host $http_host;
+        proxy_set_header Host $http_host;
-      proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Host $host;
-      proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-Server $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_pass       http://geth.msn0.aninix.net:8123;
+        proxy_pass       http://geth.msn0.aninix.net:8123;
-      proxy_redirect http:// https://;
+        proxy_redirect http:// https://;
-      proxy_http_version 1.1;
+        proxy_http_version 1.1;
-      proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Connection $connection_upgrade;
-      proxy_read_timeout 86400;
+        proxy_read_timeout 86400;
     }
 }

roles/WebServer/files/conf.d/Core/lykos-wiki.conf

@@ -2,7 +2,7 @@ server {
     listen      443 ssl;
     server_name lykos.aninix.net;
 
-    include letsencrypt.conf;
+    # include local.conf;
 
     root /usr/share/webapps/;
 
@@ -34,4 +34,6 @@ server {
         deny all;
     }
 
+    include letsencrypt.conf;
+
 }

roles/WebServer/files/conf.d/Core/password.conf

@@ -6,28 +6,30 @@ server {
     include default.csp.conf;
     include letsencrypt.conf;
 
-    root /usr/share/webapps/self-service-password/htdocs/;
+    location / {
+        root /usr/share/webapps/self-service-password/htdocs/;
 
-    # https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
+        # https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
-    index index.php index.html index.htm;
+        index index.php index.html index.htm;
 
-    # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
+        # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
-    sendfile off;
+        sendfile off;
 
-    gzip on;
+        gzip on;
-    gzip_comp_level 6;
+        gzip_comp_level 6;
-    gzip_min_length 1000;
+        gzip_min_length 1000;
-    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
+        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
-    gzip_vary on;
+        gzip_vary on;
-    gzip_proxied any;
+        gzip_proxied any;
-    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+        gzip_disable "MSIE [1-6]\.(?!.*SV1)";
 
-    # Add stdout logging
+        # Add stdout logging
 
-    #error_log /dev/stdout warn;
+        #error_log /dev/stdout warn;
-    #access_log /dev/stdout info;
+        #access_log /dev/stdout info;
 
-    include ../conf.d/fastcgi.config;
+        include ../conf.d/fastcgi.config;
+    }
 
     # deny access to . files, for security
     #

roles/WebServer/files/conf.d/Core/travelpawscvt.com.conf

@@ -0,0 +1,14 @@
+server {
+    listen      443 ssl;
+    server_name travelpawscvt.com;
+
+    #include local.conf;
+    include letsencrypt.conf;
+    include ../conf.d/fastcgi.config;
+
+    root /opt/travelpawscvt;
+
+    client_max_body_size 5m;
+    client_body_timeout 60;
+
+}

roles/WebServer/files/conf.d/Core/wolfpack.conf

@@ -4,7 +4,6 @@ server {
 
     include sec.conf;
     include default.csp.conf;
-    include letsencrypt.conf;
 
     location /
     {
@@ -12,4 +11,6 @@ server {
         autoindex on;
         autoindex_format html;
     }
+
+    include letsencrypt.conf;
 }

roles/WebServer/files/conf/letsencrypt.conf

@@ -1,5 +1,4 @@
-location ~ ^/.well-known/acme-challenge
+location /.well-known/acme-challenge {
-{
   allow all;
   root /var/lib/letsencrypt/;
   default_type "text/plain";

roles/WebServer/tasks/main.yml

@@ -53,6 +53,17 @@
      mode: 0660
    register: conf
 
+ - name: Populate security config
+   become: yes
+   template:
+     src: sec.conf.j2
+     dest: /opt/openresty/nginx/conf/sec.conf
+     owner: http
+     group: http
+     mode: 0660
+  register: secconf
+
+
  - name: Ensure default openresty service file is off.
    become: yes
    service:
@@ -62,7 +73,7 @@
 
  - name: Ensure service is started
    become: yes
-   when: conf.changed or confd.changed
+   when: conf.changed or confd.changed or secconf.changed
    service:
      name: "{{ item }}"
      enabled: yes

roles/WebServer/templates/conf/sec.conf.j2

@@ -1,12 +1,12 @@
 ssl_dhparam          /etc/ssl/certs/dhparam.pem;
-ssl_certificate      /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
+ssl_certificate      /etc/letsencrypt/live/{{ ssl.identity }}/fullchain.pem;
-ssl_certificate_key  /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
+ssl_certificate_key  /etc/letsencrypt/live/{{ ssl.identity }}/privkey.pem;
 
 ssl_session_cache    shared:SSL:1m;
 ssl_session_timeout  5m;
 
 ssl_protocols        TLSv1.2 TLSv1.3;
-ssl_ciphers          "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ciphers          "{{ ssl.ciphersuite }}";
 ssl_prefer_server_ciphers  on;
 
 add_header           "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";