From d2c994a8cfccdfb3aaa83c5eb894d3dd4d646f1a Mon Sep 17 00:00:00 2001 From: Christian Schnidrig Date: Thu, 24 Feb 2022 08:47:04 +0100 Subject: [PATCH] fix IPv6 no longer working. use reverse proxy on NAS instead.
---
group_vars/raspberry | 3 +- roles/openhab/tasks/letsencrypt.yml | 3 +- roles/openhab/tasks/main.yml | 16 ++--- roles/openhab/tasks/nginx.yml | 2 +- roles/openhab/templates/nginx.conf.j2 | 20 ------ .../templates/nginx.conf.letsencrypt.j2 | 68 +++++++++++++++++++ roles/openhab/templates/nginx.init.conf.j2 | 2 +- 7 files changed, 82 insertions(+), 32 deletions(-) create mode 100644 roles/openhab/templates/nginx.conf.letsencrypt.j2
diff --git a/group_vars/raspberry b/group_vars/raspberry
index 5bc2135..53da6c3 100644
--- a/group_vars/raspberry
+++ b/group_vars/raspberry
@@ -12,4 +12,5 @@ dynv6_name: "schnidrig.dynv6.net"
 dynv6_device: "{{ vault_dynv6_device }}"
 dynv6_token: "{{ vault_dynv6_token }}"
-fqdn: "schnidrig.dynv6.net"
+#fqdn: "schnidrig.dynv6.net"
+fqdn: "open-hab.dynv6.net"
diff --git a/roles/openhab/tasks/letsencrypt.yml b/roles/openhab/tasks/letsencrypt.yml
index 2850c0b..f364494 100644
--- a/roles/openhab/tasks/letsencrypt.yml
+++ b/roles/openhab/tasks/letsencrypt.yml
@@ -10,7 +10,8 @@
 cache_valid_time: "{{apt_config.cache_valid_time}}"
 - name: get certificate
- shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}}'
+ shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}} --server https://acme-staging-v02.api.letsencrypt.org/directory'
+ #shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}}'
 # - name: cron job
diff --git a/roles/openhab/tasks/main.yml b/roles/openhab/tasks/main.yml
index a8ac0b2..a0c21ee 100644
--- a/roles/openhab/tasks/main.yml
+++ b/roles/openhab/tasks/main.yml
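Review bot: The new `shell:` line points certbot at `https://acme-staging-v02.api.letsencrypt.org/directory`, Let's Encrypt's staging environment, whose certificates chain to an untrusted test root; any client validating the resulting certificate will reject it, so as committed this task only serves for debugging issuance. If staging is meant to stay selectable, drive it from a variable instead of keeping the production command as a commented copy, e.g. `shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}}{{ letsencrypt_extra_args | default("") }}'` with the `--server …` flag supplied only from a staging inventory (`letsencrypt_extra_args` is a suggested name). Note that main.yml in this same patch stops including letsencrypt.yml, so the line is currently unreachable from the play; if that is the intended end state the switch should at least be called out, e.g. `# staging ACME endpoint: issues untrusted test certificates, for debugging issuance only`.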
@@ -16,14 +16,14 @@
 tags:
 - nginx
 - openhab_all
-- include: dynv6.yml
- tags:
- - dynv6
- - openhab_all
-- include: letsencrypt.yml
- tags:
- - letsencrypt
- - openhab_all
+# - include: dynv6.yml
+# tags:
+# - dynv6
+# - openhab_all
+# - include: letsencrypt.yml
+# tags:
+# - letsencrypt
+# - openhab_all
 - include: scripts.yml
 tags:
 - scripts
diff --git a/roles/openhab/tasks/nginx.yml b/roles/openhab/tasks/nginx.yml
index 074c8d4..8fa32f7 100644
--- a/roles/openhab/tasks/nginx.yml
+++ b/roles/openhab/tasks/nginx.yml
@@ -17,7 +17,7 @@
 mode: "u=rwx,g=r,o=r"
 notify: restart nginx
-- stat: path=/etc/letsencrypt/live/schnidrig.dynv6.net/fullchain.pem
+- stat: path=/etc/letsencrypt/live/{{fqdn}}/fullchain.pem
 register: letsencrypt_cert
 - name: overwrite nginx config for letsencrypt initialization
diff --git a/roles/openhab/templates/nginx.conf.j2 b/roles/openhab/templates/nginx.conf.j2
index 449d404..2cc3836 100644
--- a/roles/openhab/templates/nginx.conf.j2
+++ b/roles/openhab/templates/nginx.conf.j2
@@ -3,12 +3,6 @@ server {
 listen [::]:80 ipv6only=off;
 server_name {{fqdn}};
- return 301 https://$server_name$request_uri;
-}
-
-server {
- listen [::]:443 ipv6only=off ssl;
- server_name {{fqdn}};
 # Cross-Origin Resource Sharing
 add_header 'Access-Control-Allow-Origin' '*' always;
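Review bot: Commenting out the `dynv6.yml` and `letsencrypt.yml` includes silently removes the `dynv6` and `letsencrypt` tags, so a run with `--tags letsencrypt` now matches nothing instead of failing, and letsencrypt.yml — still edited in this same patch — becomes dead configuration that nobody will notice has rotted. A `when:` guard on the include keeps both deployment modes in the play and makes the move to the NAS reverse proxy explicit in inventory, e.g. `- include: letsencrypt.yml` / `  when: openhab_tls_on_host | default(false)` with the existing `tags:` kept (`openhab_tls_on_host` is a suggested variable name). The same applies to the `dynv6.yml` include directly above it.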
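Review bot: The stat path now follows `fqdn`, which this patch changes to `open-hab.dynv6.net`, while `letsencrypt.yml` — the task that would create `/etc/letsencrypt/live/{{fqdn}}/` — is no longer included; on a host provisioned before this change the new path does not exist, `letsencrypt_cert.stat.exists` is false, and the 'overwrite nginx config for letsencrypt initialization' task that follows (its body lies outside this hunk) presumably installs nginx.init.conf.j2 with its self-signed `/etc/nginx/ssl/nginx.crt`. That is plausibly the intended state now that TLS lives on the NAS, but the coupling is easy to misread as a missing-certificate failure; a comment on the stat would help, e.g. `# absent when TLS is terminated on the NAS; nginx.init.conf.j2 is then used`.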
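Review bot: Removing the `listen [::]:443 … ssl` server block leaves openHAB served over plain HTTP on `[::]:80 ipv6only=off`, i.e. on every address of the Pi, and the `location /` that begins in the next hunk is protected by `auth_basic`, so the htpasswd credentials now travel in cleartext on any path that does not come through the NAS's TLS front end — including the old direct-IPv6 route this commit works around and any host on the LAN. If the NAS is the only intended client, restrict the listener to it, e.g. `allow <NAS-IP>; deny all;` inside the server block (fill `<NAS-IP>` from inventory) or bind `listen` to the LAN address only, and consider a TLS hop for the NAS→Pi leg if that network is shared. `proxy_redirect http:// https://;` in the retained `location /` still assumes TLS upstream, which holds behind the NAS but rewrites redirects to an unreachable scheme for any direct HTTP client; the server block continues past this hunk.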
@@ -16,16 +10,6 @@ server {
 add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
 add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
- # certificate
- ssl_certificate /etc/letsencrypt/live/schnidrig.dynv6.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/schnidrig.dynv6.net/privkey.pem;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
- ssl_prefer_server_ciphers on;
- ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
- ssl_ecdh_curve secp384r1;
- # check settings with: https://www.ssllabs.com/ssltest/analyze.html?d={{fqdn}}
-
 location / {
 proxy_pass http://localhost:8080/;
 proxy_redirect http:// https://;
@@ -57,8 +41,4 @@ server {
 }
- location /.well-known/acme-challenge/ {
- root /var/www/html;
- }
-
 }
diff --git a/roles/openhab/templates/nginx.conf.letsencrypt.j2 b/roles/openhab/templates/nginx.conf.letsencrypt.j2
new file mode 100644
index 0000000..3110525
--- /dev/null
+++ b/roles/openhab/templates/nginx.conf.letsencrypt.j2
@@ -0,0 +1,68 @@
+
+# This is a config that can be used with letsencrypt and a DNS name with IPv6 pointing directly to raspi (no reverse-proxy on NAS)
+# In order to use it, replace nginx.conf.j2 with this.
+
+
+# redirect http to https
+server {
+ listen [::]:80 ipv6only=off;
+ server_name {{fqdn}};
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen [::]:443 ipv6only=off ssl;
+ server_name {{fqdn}};
+
+ # Cross-Origin Resource Sharing
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow_Credentials' 'true' always;
+ add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
+ add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
+
+ # certificate
+ ssl_certificate /etc/letsencrypt/live/{{fqdn}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{fqdn}}/privkey.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
+ ssl_ecdh_curve secp384r1;
+ # check settings with: https://www.ssllabs.com/ssltest/analyze.html?d={{fqdn}}
+
+ location / {
+ proxy_pass http://localhost:8080/;
+ proxy_redirect http:// https://;
+ proxy_buffering off; # openHAB supports non-buffering specifically for SSEs now
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 3600;
+
+ auth_basic "Openhab";
+ auth_basic_user_file /etc/nginx/htpasswd;
+ }
+
+ location /logs/ {
+ proxy_pass http://localhost:9001/;
+ sub_filter_once off;
+ sub_filter_types text/html;
+ sub_filter 'href="/' 'href="/logs/';
+ sub_filter 'src="/' 'src="/logs/';
+ sub_filter "path: '/socket.io'" "path: '/logs/socket.io'";
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ auth_basic "Openhab";
+ auth_basic_user_file /etc/nginx/htpasswd;
+
+ }
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/html;
+ }
+
+}
diff --git a/roles/openhab/templates/nginx.init.conf.j2 b/roles/openhab/templates/nginx.init.conf.j2
index dd6c7b0..6909f85 100644
--- a/roles/openhab/templates/nginx.init.conf.j2
+++ b/roles/openhab/templates/nginx.init.conf.j2
@@ -1,7 +1,7 @@
 server {
 listen [::]:80 ipv6only=off;
 listen [::]:443 ipv6only=off ssl;
- server_name schnidrig.dynv6.net;
+ server_name {{fqdn}};
 ssl_certificate /etc/nginx/ssl/nginx.crt;
 ssl_certificate_key /etc/nginx/ssl/nginx.key;
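Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the new template keeps TLS 1.0 and 1.1 enabled, which are deprecated by RFC 8996 and are exactly what the SSL Labs check referenced a few lines below will flag; prefer `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 needs nginx linked against OpenSSL 1.1.1 or newer — check `nginx -V` on the Pi). `add_header 'Access-Control-Allow_Credentials' 'true' always;` spells the header with an underscore, so browsers ignore it, and since `Access-Control-Allow-Origin` is `*` a correctly spelled `Allow-Credentials: true` would be rejected for credentialed requests anyway; drop the line unless a specific origin is echoed instead. The file header says it is applied by manually swapping it for nginx.conf.j2; selecting the template `src:` in the nginx task from a variable (`openhab_tls_on_host` is a suggested name) would keep the two copies from drifting, which has already started now that nginx.conf.j2 no longer carries the TLS block.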