X-Git-Url: https://git.ralfj.de/ansible.git/blobdiff_plain/9a2be3a8496bdf04794c14d84aa3a5017c8fb8db..34cf4db2749cb9993eb062f6f4a32c1f4067a6b3:/roles/apache/templates/ssl.conf diff --git a/roles/apache/templates/ssl.conf b/roles/apache/templates/ssl.conf index bb80746..6a0b99f 100644 --- a/roles/apache/templates/ssl.conf +++ b/roles/apache/templates/ssl.conf @@ -6,7 +6,14 @@ ServerName $domain - Redirect permanent / https://$domain/ + # Apparently you need the rewrite engine to implement + # a simple "redirect all except for..." policy. Amazing. + RewriteEngine on + # Do *not* redirect the acme-challenge dir to https, since otherwise the + # challenge cannot be fetched when there is no certificate yet for this domain. + RewriteRule ^/\.well-known/acme-challenge/(.*) /srv/acme-challenge/$1 [L] + # Make the upgrade to HTTPS a "permanent" redirect. + RewriteRule ^/(.*) https://$domain/$1 [R=301,L] @@ -17,7 +24,7 @@ Header unset Strict-Transport-Security Header set Strict-Transport-Security "max-age=864000" # Make sure we load everything via HTTPS - Header set Content-Security-Policy "upgrade-insecure-requests" + Header add Content-Security-Policy "upgrade-insecure-requests" ######################################################### # SSL configuration below ############################### @@ -33,8 +40,11 @@ SSLCipherSuite 'kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:AESGCM:ALL:!3DES:!EXPORT:!LOW:!MEDIUM:!aNULL:!eNULL' SSLHonorCipherOrder on - # Certificate, DH parameters and key - SSLCertificateFile /etc/ssl/mycerts/$cert.crt+dh + # DH parameters + SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh2048.pem" + + # Certificate and key + SSLCertificateFile /etc/ssl/mycerts/$cert.crt SSLCertificateKeyFile /etc/ssl/private/$cert.key # Server Certificate Chain: @@ -44,7 +54,7 @@ # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. - SSLCertificateChainFile /etc/ssl/mycerts/$cert.chain + SSLCertificateChainFile /etc/ssl/mycerts/$cert.crt # Certificate Authority (CA): # Set the CA certificate verification path where to find CA