From: Guo Xiang Tan Date: Wed, 10 Feb 2016 00:59:55 +0000 (+0800) Subject: Add Let's Encrypt SSL template. X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=a956d7ec7a06765f8c2c427f4cabbdbddccbd86a;p=discourse_docker.git Add Let's Encrypt SSL template. --- diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml new file mode 100644 index 0000000..404e257 --- /dev/null +++ b/templates/web.letsencrypt.ssl.template.yml @@ -0,0 +1,63 @@ +env: + LETSENCRYPT_DIR: "/shared/letsencrypt" + +run: + - exec: + cmd: + - cd /root && git clone https://github.com/Neilpang/le.git + - touch /var/spool/cron/crontabs/root + - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR + - cd /root/le && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./le.sh install + + - file: + path: /etc/runit/1.d/letsencrypt + chmod: "+x" + contents: | + #!/bin/bash + set -e + LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh issue no $$ENV_DISCOURSE_HOSTNAME no 4096 + LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh installcert $$ENV_DISCOURSE_HOSTNAME /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key no "sv reload nginx" + # After the initial install, switch to Webroot plugin + LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public" + + - exec: + cmd: + # Generate strong Diffie-Hellman parameters + - "mkdir -p /shared/ssl/" + - "[ -e /shared/ssl/dhparams.pem ] || openssl dhparam -out /shared/ssl/dhparams.pem 2048" + + - replace: + filename: "/etc/nginx/conf.d/discourse.conf" + from: /server.+{/ + to: | + server { + listen 80; + rewrite ^ https://$$ENV_DISCOURSE_HOSTNAME$request_uri? permanent; + } + server { + - replace: + filename: "/etc/nginx/conf.d/discourse.conf" + from: /listen 80;\s+gzip on;/m + to: | + listen 443 ssl http2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + # courtesy of https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer; + ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key; + ssl_dhparam /shared/ssl/dhparams.pem; + + ssl_session_tickets off; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:1m; + + # remember the certificate for 2 months and automatically connect to HTTPS for this domain + add_header Strict-Transport-Security 'max-age=5184000'; + + gzip on; + + if ($http_host != $$ENV_DISCOURSE_HOSTNAME) { + rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent; + }