
ansible-ssl-nginx-playbook

Playbook Ansible pour configurer HTTPS en utilisant Let's encrypt sur nginx.

Le playbook Ansible installe tout ce qui est nécessaire pour servir des fichiers statiques à partir d'un serveur nginx via HTTPS. Le serveur obtient la note A sur [SSL Labs](https://www.ssllabs.com/).

Pour l'utiliser :

  1. Installer Ansible
  2. Configurer un serveur Ubuntu 16.04 accessible par ssh
  3. Créez /etc/ansible/hosts selon le modèle ci-dessous et remplacez example.com par votre domaine
  4. Copiez le reste des fichiers dans un répertoire vide (playbook.yml à la racine de ce dossier et le reste dans le sous-dossier templates)
  5. Exécutez ansible-playbook playbook.yml
  6. Copiez votre code (HTML statique) dans /var/www/example.com (example.com remplacé par votre domaine)
  7. Redémarrez nginx (systemctl restart nginx)

hosts.yml

[letsencrypt]
example.com ansible_user=root letsencrypt_email=me@example.com domain_name=example.com

playbook.yml

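---
# Provisions an Ubuntu 16.04 host as an HTTPS static-file server:
# installs nginx and the letsencrypt client, obtains a certificate for
# {{ domain_name }} through the webroot (http-01) challenge, generates
# DH parameters and installs a weekly renewal cron job.
#
# Inventory variables required for every host in the "letsencrypt" group:
#   letsencrypt_email  - contact address passed to letsencrypt with -m
#   domain_name        - the site's FQDN (also used for /var/www/<domain>)
- hosts: letsencrypt
  become: true
  # No task below reads facts, and fact gathering needs Python on the
  # target, which the raw pre_task below is what makes usable.
  gather_facts: false

  pre_tasks:
    # raw runs over plain ssh without Ansible's Python machinery, so it is
    # the only module that works before this package is present.
    - raw: apt-get install -y python-simplejson

  tasks:
    - name: Upgrade system
      apt:
        upgrade: dist
        update_cache: true

    - name: Install nginx
      apt:
        name: nginx
        state: latest

    - name: install letsencrypt
      apt:
        name: letsencrypt
        state: latest

    # Webroot served on port 80 under /.well-known/acme-challenge by the
    # nginx-http template; the ACME client writes its challenge files here.
    - name: create letsencrypt directory
      file:
        path: /var/www/letsencrypt
        state: directory

    - name: Remove default nginx config
      file:
        path: /etc/nginx/sites-enabled/default
        state: absent

    - name: Install system nginx config
      template:
        src: templates/nginx.conf.j2
        dest: /etc/nginx/nginx.conf

    - name: Install nginx site for letsencrypt requests
      template:
        src: templates/nginx-http.j2
        dest: /etc/nginx/sites-enabled/http

    - name: Reload nginx to activate letsencrypt site
      service:
        name: nginx
        state: restarted

    # Inventory values are interpolated into a shell command line, so they
    # are passed through the `quote` filter rather than inserted verbatim.
    # `creates` makes the task idempotent: the live directory only exists
    # once a certificate has been issued.
    - name: Create letsencrypt certificate
      shell: >-
        letsencrypt certonly -n --webroot -w /var/www/letsencrypt
        -m {{ letsencrypt_email | quote }} --agree-tos
        -d {{ domain_name | quote }}
      args:
        creates: "/etc/letsencrypt/live/{{ domain_name }}"

    # Referenced by ssl_dhparam in the nginx-le template; generated once.
    - name: Generate dhparams
      shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
      args:
        creates: /etc/nginx/dhparams.pem

    - name: Install nginx site for specified site
      template:
        src: templates/nginx-le.j2
        dest: /etc/nginx/sites-enabled/le

    - name: Reload nginx to activate specified site
      service:
        name: nginx
        state: restarted

    # Weekly renewal attempt; nginx is reloaded only when the client exits
    # successfully so a failed run does not touch the running server.
    - name: Add letsencrypt cronjob for cert renewal
      cron:
        name: letsencrypt_renewal
        special_time: weekly
        job: >-
          letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt
          -m {{ letsencrypt_email | quote }} --agree-tos
          -d {{ domain_name | quote }} && service nginx reload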

templates nginx-http.j2

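# Sits in the http context (this file is included from nginx.conf), so the
# version string is hidden on every server block of this host.
server_tokens off;

# Plain-HTTP listener. Its only job is to answer ACME http-01 challenges
# from the webroot the playbook hands to `letsencrypt --webroot`; every
# other request is sent to the HTTPS site with a permanent redirect.
server {
    listen 80 default_server;
    server_name {{ domain_name }};

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
        try_files $uri $uri/ =404;
    }

    location / {
        # $request_uri already carries the original query string, so the
        # redirect target is the same URL on the HTTPS scheme.
        return 301 https://{{ domain_name }}$request_uri;
    }
}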

templates nginx-le.j2

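# Response headers set in the http context so the server block below
# inherits them. add_header is not additive in nginx: an add_header inside
# a server or location block replaces this whole inherited set.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# script-src keeps 'unsafe-inline' and 'unsafe-eval', which gives up most of
# the XSS protection a CSP provides; tighten it if the served pages allow.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; object-src 'none'";
# Port 80 redirects everything to HTTPS permanently, so commit browsers to
# HTTPS for a year as well. Drop this only if the site may go back to HTTP.
add_header Strict-Transport-Security "max-age=31536000" always;


# HTTPS server
#
server {
    # `ssl` on the listen directive enables TLS for this socket; the older
    # `ssl on;` form is redundant and deprecated. `default` is spelled
    # `default_server` in current nginx.
    listen 443 ssl default_server deferred;
    server_name {{ domain_name }};

    ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    # OCSP stapling needs a `resolver` directive to look up the responder
    # host; without one nginx logs a warning and sends no staple. Add one
    # pointing at a DNS server you trust (none is configured in this file).
    ssl_stapling on;
    ssl_stapling_verify on;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and SSL Labs caps the grade
    # of servers that still offer them. nginx on Ubuntu 16.04 (OpenSSL
    # 1.0.2) has no TLS 1.3, so 1.2 is the only version left enabled.
    ssl_protocols TLSv1.2;
    # Same preference order as before, minus the 3DES suites (Sweet32);
    # !3DES also removes any 3DES suite that HIGH would pull back in.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";

    # Generated by the playbook's "Generate dhparams" task (2048 bit).
    ssl_dhparam /etc/nginx/dhparams.pem;
    ssl_prefer_server_ciphers on;

    # Static content copied here by the operator after the playbook run.
    root /var/www/{{ domain_name }};
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}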

templates nginx.conf

# Main nginx configuration installed to /etc/nginx/nginx.conf by the
# playbook. Site definitions live in sites-enabled/ and are pulled in by the
# last include below, so they run inside this http context.
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Transfer tuning for serving static files.
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_disable "msie6";

    # Drop-in config, then the per-site files written by the playbook.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}