light: use new combined cert and make server reachable over v6

The server being reachable over v6 is needed for the new method of
getting the cert directly via http challenge over v6.
June 2024-07-30 00:14:09 +02:00
parent a23c152d8e
commit 70a27ec79c
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
5 changed files with 68 additions and 55 deletions


@ -53,9 +53,7 @@ ola__configs:
nginx__version_spec: "" nginx__version_spec: ""
nginx__deploy_redirect_conf: false nginx__deploy_redirect_conf: false
nginx__configurations: nginx__configurations:
- name: light.ccchh.net - name: light
content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/light.ccchh.net.conf') }}" content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/light.conf') }}"
- name: light-werkstatt.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/light-werkstatt.ccchh.net.conf') }}"
- name: http_handler - name: http_handler
content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/http_handler.conf') }}" content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/http_handler.conf') }}"


@ -1,6 +1,6 @@
server { server {
listen 80 default_server; listen 80 default_server;
#listen [::]:80 default_server; listen [::]:80 default_server;
server_name _; server_name _;
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
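Review bot: The newly enabled `listen [::]:80 default_server;` carries no comment saying why the v6 listener matters, and the old line was commented out without explanation, so it could easily be disabled again by accident. I would add `# v6 listener is required: the certificate is obtained via http-01 challenge over IPv6` above it. This catch-all server is now reachable over v6 as well, and its body continues outside the hunk, so it is worth confirming that it serves only the ACME path and redirects everything else. Host firewall rules should also cover v6 the same way as v4; neither is visible here.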


@ -1,25 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name light-werkstatt.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}


@ -1,25 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name light.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}


@ -0,0 +1,65 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light-werkstatt.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light.z9.ccchh.net ;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
location / {
return 307 https://light.ccchh.net$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}
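Review bot: None of the three `listen 443` servers in the new file is marked `default_server`, so unless another file declares one, nginx falls back to whichever 443 server it loads first (within this file, the light-werkstatt block), and a request with an unmatched SNI or Host on either address family is proxied to `127.0.0.1:8081` with that `Host` value passed through. A small catch-all would close this: `server { listen 443 ssl default_server; listen [::]:443 ssl default_server; ssl_reject_handshake on; }` (needs nginx 1.19.4 or later; on older versions use `return 444;` together with the existing certificate lines). Separately, the `ssl_trusted_certificate` comment and the `resolver` lines only take effect if `ssl_stapling on;` and `ssl_stapling_verify on;` are set somewhere outside this file, which is not visible here; if they are not, either add them or drop the comment and the resolver. All three blocks now depend on the combined certificate under `/etc/letsencrypt/live/light.ccchh.net/` covering light-werkstatt.ccchh.net and light.z9.ccchh.net as well, so that certificate should be in place before this config is deployed.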