From 66aa304494ab0ed1c42e1cfad2497616ae8301d1 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Wed, 4 Jan 2023 12:34:40 +0100 Subject: [PATCH 01/16] update patterns --- roles/journalwatch/templates/patterns | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 7520601..49013a7 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns @@ -86,9 +86,9 @@ SYSLOG_IDENTIFIER = sshd error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* error: maximum authentication attempts exceeded for (invalid user \w*|\w+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\] fatal: ssh_packet_get_string: string is too large \[preauth\] -error: kex_exchange_identification: Connection closed by remote host +error: kex_exchange_identification: .* -_SYSTEMD_UNIT = bind9.service +_SYSTEMD_UNIT = named.service client (@0x[a-f0-9]+ )?[\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input)) _SYSTEMD_UNIT = opendkim.service -- 2.30.2 From 1daccc5eeab1ddffec891b6fa838e971b9440823 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Thu, 5 Jan 2023 14:25:14 +0100 Subject: [PATCH 02/16] more patterns --- roles/journalwatch/templates/patterns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 49013a7..3f067e0 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns 
@@ -86,7 +86,7 @@ SYSLOG_IDENTIFIER = sshd error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* error: maximum authentication attempts exceeded for (invalid user \w*|\w+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\] fatal: ssh_packet_get_string: string is too large \[preauth\] -error: kex_exchange_identification: .* +error: (kex_exchange_identification|send_error|kex protocol error|Bad remote protocol version identification|Protocol major versions differ|beginning MaxStartups throttling).* _SYSTEMD_UNIT = named.service client (@0x[a-f0-9]+ )?[\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input)) -- 2.30.2 From 9adffd77bd445ed1a884a6502e409201f62ad062 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Wed, 25 Jan 2023 21:03:31 +0100 Subject: [PATCH 03/16] update patterns --- roles/journalwatch/templates/patterns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 3f067e0..1255fab 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns @@ -84,7 +84,7 @@ auth: Warning: Event 0x[\da-fA-F]+ leaked \(parent=\(nil\)\): auth-client-connec SYSLOG_IDENTIFIER = sshd error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* -error: maximum authentication attempts exceeded for (invalid user \w*|\w+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\] +error: maximum authentication attempts exceeded for (invalid user [\w_-]*|[\w_-]+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\] fatal: ssh_packet_get_string: string is too large \[preauth\] error: (kex_exchange_identification|send_error|kex protocol error|Bad remote protocol version identification|Protocol major versions differ|beginning MaxStartups throttling).* -- 2.30.2 From 2cff34d2e4709f556449d235ad915454c93bb24c Mon Sep 17 00:00:00 2001 
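Review bot: The `beginning MaxStartups throttling` alternative on the new `+error: (kex_exchange_identification|...|beginning MaxStartups throttling).*` line silences the one message that tells you sshd has hit MaxStartups and is dropping new unauthenticated connections, which is what a connection flood or a wedged daemon looks like in the journal; the other alternatives are protocol noise from scanners, this one is a capacity signal. Consider leaving that alternative out, or keeping it only on hosts where the flood is expected and saying so next to the pattern. Because the trailing `.*` follows the whole group, each alternative is a prefix match, so a short name like `send_error` will also swallow any later message that happens to begin with it.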
From: Ralf Jung
Date: Thu, 16 Mar 2023 20:13:48 +0100
Subject: [PATCH 04/16] more journalwatch patterns

---
 roles/journalwatch/templates/patterns | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns
index 1255fab..068083f 100644
--- a/roles/journalwatch/templates/patterns
+++ b/roles/journalwatch/templates/patterns
@@ -85,15 +85,16 @@ auth: Warning: Event 0x[\da-fA-F]+ leaked \(parent=\(nil\)\): auth-client-connec SYSLOG_IDENTIFIER = sshd error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* error: maximum authentication attempts exceeded for (invalid user [\w_-]*|[\w_-]+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\] -fatal: ssh_packet_get_string: string is too large \[preauth\] error: (kex_exchange_identification|send_error|kex protocol error|Bad remote protocol version identification|Protocol major versions differ|beginning MaxStartups throttling).* +fatal: ssh_packet_get_string: string is too large \[preauth\] +fatal: userauth_pubkey: parse request failed: incomplete message \[preauth\] _SYSTEMD_UNIT = named.service client (@0x[a-f0-9]+ )?[\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input)) _SYSTEMD_UNIT = opendkim.service [A-Z0-9]+: (bad signature data|failed to parse [Aa]uthentication-[Rr]esults: header field) -[A-Z0-9]+: key retrieval failed \(s=[\w._-]+, d=[\w._-]+\)(: '[\w._-]+' record not found)? +[A-Z0-9]+: key retrieval failed \(s=[\w._-]+, d=[\w._-]+\)(: '[\w._-]+' (record not found|query timed out))? _SYSTEMD_SLICE=system-openvpn.slice (client/)?[0-9a-f.:]+ (peer info: .*|VERIFY OK: .*|Outgoing Data Channel: .*|Incoming Data Channel: .*|Control Channel: .*|TLS: .*|\[client\] .*|MULTI(_sva)?: .*|SIGUSR1.*|PUSH: .*|SENT CONTROL \[client\]: .*|WARNING: '(tun|link)-mtu' is used inconsistently, local='(tun|link)-mtu \d+', remote='(tun|link)-mtu \d+') -- 2.30.2 From 448046ac21eff684a2e07f541e5ac7ccd72f0718 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Fri, 17 Mar 2023 14:55:33 +0100 Subject: [PATCH 05/16] journalwatch patterns --- roles/journalwatch/templates/patterns | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 068083f..5983ad5 100644 
--- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns @@ -88,6 +88,7 @@ error: maximum authentication attempts exceeded for (invalid user [\w_-]*|[\w_-] error: (kex_exchange_identification|send_error|kex protocol error|Bad remote protocol version identification|Protocol major versions differ|beginning MaxStartups throttling).* fatal: ssh_packet_get_string: string is too large \[preauth\] fatal: userauth_pubkey: parse request failed: incomplete message \[preauth\] +error: userauth_pubkey: could not parse key: Invalid key length \[preauth\] _SYSTEMD_UNIT = named.service client (@0x[a-f0-9]+ )?[\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input)) -- 2.30.2 From 3df1e35fac92866e734e44cdfcdef2a527262cd9 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Thu, 4 May 2023 20:35:21 +0200 Subject: [PATCH 06/16] update patterns --- roles/journalwatch/templates/patterns | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 5983ad5..2afbf28 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns @@ -99,3 +99,6 @@ _SYSTEMD_UNIT = opendkim.service _SYSTEMD_SLICE=system-openvpn.slice (client/)?[0-9a-f.:]+ (peer info: .*|VERIFY OK: .*|Outgoing Data Channel: .*|Incoming Data Channel: .*|Control Channel: .*|TLS: .*|\[client\] .*|MULTI(_sva)?: .*|SIGUSR1.*|PUSH: .*|SENT CONTROL \[client\]: .*|WARNING: '(tun|link)-mtu' is used inconsistently, local='(tun|link)-mtu \d+', remote='(tun|link)-mtu \d+') + +SYSLOG_IDENTIFIER = kernel +xfs filesystem being remounted at /run/schroot/mount/schsh-[^ ]* supports timestamps until 2038 (0x7fffffff) -- 2.30.2 From f87b4350069ccfbe018e986ee56f491a1fc0f4ca Mon Sep 17 00:00:00 2001 
From: Ralf Jung Date: Sat, 6 May 2023 12:36:37 +0200 Subject: [PATCH 07/16] fix patterns --- roles/journalwatch/templates/patterns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 2afbf28..3deaa52 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns @@ -101,4 +101,4 @@ _SYSTEMD_SLICE=system-openvpn.slice (client/)?[0-9a-f.:]+ (peer info: .*|VERIFY OK: .*|Outgoing Data Channel: .*|Incoming Data Channel: .*|Control Channel: .*|TLS: .*|\[client\] .*|MULTI(_sva)?: .*|SIGUSR1.*|PUSH: .*|SENT CONTROL \[client\]: .*|WARNING: '(tun|link)-mtu' is used inconsistently, local='(tun|link)-mtu \d+', remote='(tun|link)-mtu \d+') SYSLOG_IDENTIFIER = kernel -xfs filesystem being remounted at /run/schroot/mount/schsh-[^ ]* supports timestamps until 2038 (0x7fffffff) +xfs filesystem being remounted at /run/schroot/mount/schsh-[^ ]* supports timestamps until 2038 \(0x7fffffff\) -- 2.30.2 From c1d31e776f8c309aa5d5aa2f6441f665a1cfd90a Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Fri, 27 Oct 2023 18:18:48 +0200 Subject: [PATCH 08/16] fix quota emails --- roles/email/templates/dovecot/quota-warning.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/email/templates/dovecot/quota-warning.sh b/roles/email/templates/dovecot/quota-warning.sh index f834d1c..96951b5 100644 --- a/roles/email/templates/dovecot/quota-warning.sh +++ b/roles/email/templates/dovecot/quota-warning.sh @@ -1,7 +1,8 @@ -#!/bin/sh +#!/bin/bash set -e PERCENT=$1 +USER=$2 FROM="{{postfix.postmaster}}" msg="From: $FROM @@ -14,6 +15,6 @@ Dein Posteingang ist zu $PERCENT% voll. Bitte räume etwas auf! Your mailbox is now $PERCENT% full. Please clean it up a bit!" -echo -e "$msg" | /usr/sbin/sendmail -f "$FROM" "$USER" "$FROM" +echo "$msg" | /usr/sbin/sendmail -f "$FROM" "$USER" "$FROM" exit 0 -- 2.30.2 
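Review bot: `USER=$2` in the first hunk overwrites whatever `USER` held before (presumably the old script relied on the caller's environment) and, if the second argument is ever omitted, sets it to the empty string, so the `sendmail -f "$FROM" "$USER" "$FROM"` call in the second hunk gets an empty recipient and the warning quietly goes only to `$FROM`; with `set -e` already in force, `USER="${2:?recipient address missing}"` makes that a visible failure instead. The switch from `#!/bin/sh` to `#!/bin/bash` is not required by anything left in the hunk once `echo -e` is gone; if it is intentional, a one-line comment saying why would stop the next reader from reverting it. The message body between the two hunks is outside what is shown here.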
From 339ec8c6bb111487c2618f45fae52f19ae556005 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 24 Dec 2023 11:19:06 +0100 Subject: [PATCH 09/16] update SSH patterns --- roles/base/tasks/main.yml | 2 +- roles/journalwatch/templates/patterns | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 528f662..4b4e4cd 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -13,7 +13,7 @@ - name: get rid of packages we do not want apt: name=exim4-base,rpcbind,procmail,fetchmail state=absent autoremove=yes - name: install some basic tools - apt: name=nano,aptitude,rsync,git,mercurial,curl,apt-transport-https,psmisc,dnsutils,tree,htop,acl,libpam-systemd,needrestart,debian-security-support state=latest + apt: name=nano,aptitude,rsync,git,mercurial,curl,apt-transport-https,psmisc,dnsutils,tree,htop,acl,libpam-systemd,needrestart,reboot-notifier,debian-security-support state=latest # configuration - name: configure root shell copy: diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 3deaa52..a9f2961 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns 
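Review bot: The only change to `roles/base/tasks/main.yml` is the new `reboot-notifier` entry in the `install some basic tools` package list, and neither the subject (`update SSH patterns`) nor any description mentions it, so a reader tracing when that package arrived will not find this commit. Either split it into its own commit or add a sentence to the message stating what it is for.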
@@ -85,7 +85,7 @@ auth: Warning: Event 0x[\da-fA-F]+ leaked \(parent=\(nil\)\): auth-client-connec SYSLOG_IDENTIFIER = sshd error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* error: maximum authentication attempts exceeded for (invalid user [\w_-]*|[\w_-]+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\] -error: (kex_exchange_identification|send_error|kex protocol error|Bad remote protocol version identification|Protocol major versions differ|beginning MaxStartups throttling).* +error: (kex_exchange_identification|send_error|kex_protocol_error|kex protocol error|Bad remote protocol version identification|Protocol major versions differ|beginning MaxStartups throttling).* fatal: ssh_packet_get_string: string is too large \[preauth\] fatal: userauth_pubkey: parse request failed: incomplete message \[preauth\] error: userauth_pubkey: could not parse key: Invalid key length \[preauth\] -- 2.30.2 From ce98257f3c1c9391369f0704b59271bbcdbc35e7 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Tue, 26 Dec 2023 09:35:55 +0100 Subject: [PATCH 10/16] silence some more SSH and postscreen messages --- roles/journalwatch/templates/patterns | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index a9f2961..c0a3abf 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns @@ -70,6 +70,7 @@ warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:(no shared cipher warning: dnsblog reply timeout \d+s for .* warning: dnsblog_query: lookup error for DNS query .*: Host or domain name not found. Name service error .* warning: ciphertext read/write timeout for \[[\da-fA-F.:]+\]:\d+ +warning: getpeername: Transport endpoint is not connected -- dropping this connection {% if journalwatch is defined and journalwatch.postfix_slow | default(False) %} warning: psc_cache_update: btree:/var/lib/postfix/[a-z_]+ (update|lookup) average delay is \d\d\d ms {% endif %} 
@@ -89,6 +90,7 @@ error: (kex_exchange_identification|send_error|kex_protocol_error|kex protocol e fatal: ssh_packet_get_string: string is too large \[preauth\] fatal: userauth_pubkey: parse request failed: incomplete message \[preauth\] error: userauth_pubkey: could not parse key: Invalid key length \[preauth\] +fatal: monitor_read: unpermitted request .* _SYSTEMD_UNIT = named.service client (@0x[a-f0-9]+ )?[\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input)) -- 2.30.2 From 1a81a89d4ee46867ea405ac09fc55309a0337c82 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Tue, 26 Dec 2023 10:08:29 +0100 Subject: [PATCH 11/16] prevent SMTP smuggling --- roles/email/templates/main.cf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf index 45c77d3..2d254f0 100644 --- a/roles/email/templates/main.cf +++ b/roles/email/templates/main.cf @@ -65,6 +65,11 @@ smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts, reject_non_fqdn_recipient, reject_non_fqdn_sender, +# SMTP smuggling protection +# +smtpd_data_restrictions = reject_unauth_pipelining +smtpd_discard_ehlo_keywords = chunking + {% if postfix.relay_host is defined %} # Relay everything default_transport = smtp:{{ postfix.relay_host }} -- 2.30.2 From 3032155ea8d948a802122f659ccef2511d7dc192 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Thu, 11 Jan 2024 20:51:37 +0100 Subject: [PATCH 12/16] more SSH patterns --- roles/journalwatch/templates/patterns | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index c0a3abf..722850f 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns 
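Review bot: Silencing `fatal: monitor_read: unpermitted request .*` (the added line in the sshd section) hides one of the few sshd messages that points at a misbehaving pre-authentication child: the privileged monitor logs it when the unprivileged process asks for an operation that is not allowed in its current state, which is what a broken client or an attempt to subvert the preauth code path looks like from the monitor's side. The connection is already terminated at that point, so what is lost is only the record, and that record is worth keeping. If the goal is to drop one specific recurring instance, match only the request number actually observed, e.g. `fatal: monitor_read: unpermitted request <NUMBER-SEEN-IN-LOGS>`, and leave other instances visible.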
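Review bot: The comment above the two new settings in `main.cf` should say that this is Postfix's interim workaround and what it costs, since `smtpd_discard_ehlo_keywords = chunking` switches off BDAT/CHUNKING for every client and `reject_unauth_pipelining` in `smtpd_data_restrictions` only rejects clients that send more data before the DATA reply. On Postfix releases that provide `smtpd_forbid_bare_newline`, that parameter is the actual fix and the comment should name it so the workaround can be retired when the installed version supports it. Suggested comment: `# SMTP smuggling protection: interim workaround (disables BDAT/CHUNKING); replace with smtpd_forbid_bare_newline = yes once the installed Postfix supports it`. If `smtpd_data_restrictions` or `smtpd_discard_ehlo_keywords` is already set elsewhere in this template, the later definition wins, which is not visible from the hunk.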
@@ -88,9 +88,9 @@ error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* error: maximum authentication attempts exceeded for (invalid user [\w_-]*|[\w_-]+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\] error: (kex_exchange_identification|send_error|kex_protocol_error|kex protocol error|Bad remote protocol version identification|Protocol major versions differ|beginning MaxStartups throttling).* fatal: ssh_packet_get_string: string is too large \[preauth\] -fatal: userauth_pubkey: parse request failed: incomplete message \[preauth\] -error: userauth_pubkey: could not parse key: Invalid key length \[preauth\] +error: userauth_pubkey: (parse request failed:|could not parse key:|cannot decode key:) ;* fatal: monitor_read: unpermitted request .* +error: key_from_blob: invalid format \[preauth\] _SYSTEMD_UNIT = named.service client (@0x[a-f0-9]+ )?[\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input)) -- 2.30.2 From f9d9fdb556ada341ff26b2bee7031c38bad893cd Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Fri, 12 Jan 2024 08:11:43 +0100 Subject: [PATCH 13/16] fix SSH patterns --- roles/journalwatch/templates/patterns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 722850f..ca4f728 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns 
@@ -88,7 +88,7 @@ error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* error: maximum authentication attempts exceeded for (invalid user [\w_-]*|[\w_-]+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\] error: (kex_exchange_identification|send_error|kex_protocol_error|kex protocol error|Bad remote protocol version identification|Protocol major versions differ|beginning MaxStartups throttling).* fatal: ssh_packet_get_string: string is too large \[preauth\] -error: userauth_pubkey: (parse request failed:|could not parse key:|cannot decode key:) ;* +error: userauth_pubkey: (parse request failed:|could not parse key:|cannot decode key:) .* fatal: monitor_read: unpermitted request .* error: key_from_blob: invalid format \[preauth\] -- 2.30.2 From 80a1cc546b99c8380942f14d7daa594a3c4a5615 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 14 Jan 2024 10:13:21 +0100 Subject: [PATCH 14/16] ignore more SSH errors --- roles/journalwatch/templates/patterns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index ca4f728..db20d2d 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns @@ -88,7 +88,7 @@ error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* error: maximum authentication attempts exceeded for (invalid user [\w_-]*|[\w_-]+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\] error: (kex_exchange_identification|send_error|kex_protocol_error|kex protocol error|Bad remote protocol version identification|Protocol major versions differ|beginning MaxStartups throttling).* fatal: ssh_packet_get_string: string is too large \[preauth\] -error: userauth_pubkey: (parse request failed:|could not parse key:|cannot decode key:) .* +(error|fatal): userauth_pubkey: (parse request failed:|could not parse key:|cannot decode key:) .* fatal: monitor_read: unpermitted request .* error: key_from_blob: invalid format \[preauth\] -- 2.30.2 
From bb0f118049b0f9e85ff03d74eb81ab7d71bf97aa Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 24 Aug 2024 15:53:26 +0200 Subject: [PATCH 15/16] journalwatch: allow more TLS errors --- roles/journalwatch/templates/patterns | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index db20d2d..2079292 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns @@ -66,11 +66,12 @@ _SYSTEMD_UNIT = postfix@-.service warning: hostname [\w._-]+ does not resolve to address [\da-fA-F.:]+(: .*)? warning: [._\w-]+\[[\da-fA-F.:]+\]: SASL (LOGIN|PLAIN) authentication failed:.* warning: non-SMTP command from [._\w-]+\[[\da-fA-F.:]+\]: .* -warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:(no shared cipher|decryption failed or bad record mac|unknown protocol|version too low):[\w./]+:\d+: +warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:.* warning: dnsblog reply timeout \d+s for .* warning: dnsblog_query: lookup error for DNS query .*: Host or domain name not found. Name service error .* warning: ciphertext read/write timeout for \[[\da-fA-F.:]+\]:\d+ warning: getpeername: Transport endpoint is not connected -- dropping this connection + {% if journalwatch is defined and journalwatch.postfix_slow | default(False) %} warning: psc_cache_update: btree:/var/lib/postfix/[a-z_]+ (update|lookup) average delay is \d\d\d ms {% endif %} -- 2.30.2 From 34cf4db2749cb9993eb062f6f4a32c1f4067a6b3 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 2 Sep 2024 15:21:35 +0200 Subject: [PATCH 16/16] fix apache HTTP2HTTPS redirect config --- roles/apache/templates/ssl.conf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/apache/templates/ssl.conf b/roles/apache/templates/ssl.conf index 5fa87c3..6a0b99f 100644 --- a/roles/apache/templates/ssl.conf +++ b/roles/apache/templates/ssl.conf 
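Review bot: The rewritten `warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:.*` line now matches every OpenSSL error Postfix reports from the SSL routines, not just the four peer-side handshake failures the old line enumerated. As far as I can tell the same prefix is also used for failures that stem from the local side rather than the remote client, so a misconfiguration would now be hidden along with scanner noise. Keeping the enumeration and adding the new reasons that motivated the change, or at least a comment naming them, would preserve the distinction. The added blank line is cosmetic.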
@@ -6,7 +6,14 @@ ServerName $domain - Redirect permanent / https://$domain/ + # Apparently you need the rewrite engine to implement + # a simple "redirect all except for..." policy. Amazing. + RewriteEngine on + # Do *not* redirect the acme-challenge dir to https, since otherwise the + # challenge cannot be fetched when there is no certificate yet for this domain. + RewriteRule ^/\.well-known/acme-challenge/(.*) /srv/acme-challenge/$1 [L] + # Make the upgrade to HTTPS a "permanent" redirect. + RewriteRule ^/(.*) https://$domain/$1 [R=301,L] -- 2.30.2
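Review bot: The ACME rule `RewriteRule ^/\.well-known/acme-challenge/(.*) /srv/acme-challenge/$1 [L]` captures the rest of the request path with `(.*)` and maps it straight into the filesystem; httpd normalizes dot segments before mod_rewrite runs, as far as I can tell, but challenge tokens are a single path segment of URL-safe characters, so `^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$` would serve exactly those and let anything else fall through to the HTTPS redirect on the following rule. Serving files out of `/srv/acme-challenge` also needs a `<Directory>` block that grants access, which is not in this hunk; if it lives elsewhere in the template, a comment pointing to it would help. The enclosing VirtualHost opens and closes outside the hunk (its tag lines appear to have been dropped by the extraction).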