mirror of
https://github.com/schnidrig/openhab-ansible
synced 2026-01-12 00:48:46 +01:00
fix IPv6 no longer working.
use reverse proxy on NAS instead.
This commit is contained in:
Christian Schnidrig
@@ -12,4 +12,5 @@ dynv6_name: "schnidrig.dynv6.net"
|
|||||||
dynv6_device: "{{ vault_dynv6_device }}"
|
dynv6_device: "{{ vault_dynv6_device }}"
|
||||||
dynv6_token: "{{ vault_dynv6_token }}"
|
dynv6_token: "{{ vault_dynv6_token }}"
|
||||||
|
|
||||||
fqdn: "schnidrig.dynv6.net"
|
#fqdn: "schnidrig.dynv6.net"
|
||||||
|
fqdn: "open-hab.dynv6.net"
|
||||||
|
|||||||
@@ -10,7 +10,8 @@
|
|||||||
cache_valid_time: "{{apt_config.cache_valid_time}}"
|
cache_valid_time: "{{apt_config.cache_valid_time}}"
|
||||||
|
|
||||||
- name: get certificate
|
- name: get certificate
|
||||||
shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}}'
|
shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}} --server https://acme-staging-v02.api.letsencrypt.org/directory'
|
||||||
|
#shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}}'
|
||||||
|
|
||||||
|
|
||||||
# - name: cron job
|
# - name: cron job
|
||||||
|
|||||||
@@ -16,14 +16,14 @@
|
|||||||
tags:
|
tags:
|
||||||
- nginx
|
- nginx
|
||||||
- openhab_all
|
- openhab_all
|
||||||
- include: dynv6.yml
|
# - include: dynv6.yml
|
||||||
tags:
|
# tags:
|
||||||
- dynv6
|
# - dynv6
|
||||||
- openhab_all
|
# - openhab_all
|
||||||
- include: letsencrypt.yml
|
# - include: letsencrypt.yml
|
||||||
tags:
|
# tags:
|
||||||
- letsencrypt
|
# - letsencrypt
|
||||||
- openhab_all
|
# - openhab_all
|
||||||
- include: scripts.yml
|
- include: scripts.yml
|
||||||
tags:
|
tags:
|
||||||
- scripts
|
- scripts
|
||||||
|
|||||||
@@ -17,7 +17,7 @@
|
|||||||
mode: "u=rwx,g=r,o=r"
|
mode: "u=rwx,g=r,o=r"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- stat: path=/etc/letsencrypt/live/schnidrig.dynv6.net/fullchain.pem
|
- stat: path=/etc/letsencrypt/live/{{fqdn}}/fullchain.pem
|
||||||
register: letsencrypt_cert
|
register: letsencrypt_cert
|
||||||
|
|
||||||
- name: overwrite nginx config for letsencrypt initialization
|
- name: overwrite nginx config for letsencrypt initialization
|
||||||
|
|||||||
@@ -3,12 +3,6 @@
|
|||||||
server {
|
server {
|
||||||
listen [::]:80 ipv6only=off;
|
listen [::]:80 ipv6only=off;
|
||||||
server_name {{fqdn}};
|
server_name {{fqdn}};
|
||||||
return 301 https://$server_name$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen [::]:443 ipv6only=off ssl;
|
|
||||||
server_name {{fqdn}};
|
|
||||||
|
|
||||||
# Cross-Origin Resource Sharing
|
# Cross-Origin Resource Sharing
|
||||||
add_header 'Access-Control-Allow-Origin' '*' always;
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
||||||
@@ -16,16 +10,6 @@ server {
|
|||||||
add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
|
add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
|
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
|
||||||
|
|
||||||
# certificate
|
|
||||||
ssl_certificate /etc/letsencrypt/live/schnidrig.dynv6.net/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/schnidrig.dynv6.net/privkey.pem;
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
|
|
||||||
ssl_ecdh_curve secp384r1;
|
|
||||||
# check settings with: https://www.ssllabs.com/ssltest/analyze.html?d={{fqdn}}
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://localhost:8080/;
|
proxy_pass http://localhost:8080/;
|
||||||
proxy_redirect http:// https://;
|
proxy_redirect http:// https://;
|
||||||
@@ -57,8 +41,4 @@ server {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location /.well-known/acme-challenge/ {
|
|
||||||
root /var/www/html;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
68
roles/openhab/templates/nginx.conf.letsencrypt.j2
Normal file
68
roles/openhab/templates/nginx.conf.letsencrypt.j2
Normal file
@@ -0,0 +1,68 @@
|
|||||||
|
|
||||||
|
# This is a config that can be used with letsencrypt and a DNS name with IPv6 pointing directly to raspi (no reverse-proxy on NAS)
|
||||||
|
# In order to use it, replace nginx.conf.j2 with this.
|
||||||
|
|
||||||
|
|
||||||
|
# redirect http to https
|
||||||
|
server {
|
||||||
|
listen [::]:80 ipv6only=off;
|
||||||
|
server_name {{fqdn}};
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen [::]:443 ipv6only=off ssl;
|
||||||
|
server_name {{fqdn}};
|
||||||
|
|
||||||
|
# Cross-Origin Resource Sharing
|
||||||
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
||||||
|
add_header 'Access-Control-Allow_Credentials' 'true' always;
|
||||||
|
add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
|
||||||
|
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
|
||||||
|
|
||||||
|
# certificate
|
||||||
|
ssl_certificate /etc/letsencrypt/live/{{fqdn}}/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/{{fqdn}}/privkey.pem;
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
|
||||||
|
ssl_ecdh_curve secp384r1;
|
||||||
|
# check settings with: https://www.ssllabs.com/ssltest/analyze.html?d={{fqdn}}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:8080/;
|
||||||
|
proxy_redirect http:// https://;
|
||||||
|
proxy_buffering off; # openHAB supports non-buffering specifically for SSEs now
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_read_timeout 3600;
|
||||||
|
|
||||||
|
auth_basic "Openhab";
|
||||||
|
auth_basic_user_file /etc/nginx/htpasswd;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /logs/ {
|
||||||
|
proxy_pass http://localhost:9001/;
|
||||||
|
sub_filter_once off;
|
||||||
|
sub_filter_types text/html;
|
||||||
|
sub_filter 'href="/' 'href="/logs/';
|
||||||
|
sub_filter 'src="/' 'src="/logs/';
|
||||||
|
sub_filter "path: '/socket.io'" "path: '/logs/socket.io'";
|
||||||
|
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
|
||||||
|
auth_basic "Openhab";
|
||||||
|
auth_basic_user_file /etc/nginx/htpasswd;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge/ {
|
||||||
|
root /var/www/html;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
@@ -1,7 +1,7 @@
|
|||||||
server {
|
server {
|
||||||
listen [::]:80 ipv6only=off;
|
listen [::]:80 ipv6only=off;
|
||||||
listen [::]:443 ipv6only=off ssl;
|
listen [::]:443 ipv6only=off ssl;
|
||||||
server_name schnidrig.dynv6.net;
|
server_name {{fqdn}};
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/ssl/nginx.crt;
|
ssl_certificate /etc/nginx/ssl/nginx.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/nginx.key;
|
ssl_certificate_key /etc/nginx/ssl/nginx.key;
|
||||||
|
|||||||
Reference in New Issue
Block a user