diff --git a/doc/ssl.md b/doc/ssl.md
index 52a67c6..f7ee5bf 100644
--- a/doc/ssl.md
+++ b/doc/ssl.md
@@ -32,7 +32,8 @@ Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo
 Tips
 ----
-Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
+- Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
+- In `nginx_vhosts`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with vhost `name` (first in list if it's a list).
 Diffie-Hellman
 --------------
@@ -48,6 +49,9 @@ nginx_vhosts;
     proto: ['http', 'https']
     template: '_base'
     ssl_name: 'mysuperkey'
+  - name: 'test-ssl2.local'
+    proto: ['http', 'https']
+    template: '_base'
 nginx_ssl_pairs:
   - name: mysuperkey
@@ -59,5 +63,15 @@ nginx_ssl_pairs:
       -----BEGIN CERTIFICATE-----
       ....(snip)....
       -----END CERTIFICATE-----
+  - name: test-ssl2.local
+    key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      ....(snip)....
+      -----END RSA PRIVATE KEY-----
+    cert: |
+      -----BEGIN CERTIFICATE-----
+      ....(snip)....
+      -----END CERTIFICATE-----
+
 ```
diff --git a/doc/vhost.md b/doc/vhost.md
index f5c7185..ef17e76 100644
--- a/doc/vhost.md
+++ b/doc/vhost.md
@@ -24,7 +24,7 @@ Common
 - `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature.
 - `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost.
 - `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
-- `ssl_name`: (D) name of the key used when using TLS/SSL. Mandatory when `proto` contains "https"
+- `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`.
 - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
 - `php_version` (O) Sepecify PHP version (5 or 7)
diff --git a/templates/etc/nginx/sites-available/_base.j2 b/templates/etc/nginx/sites-available/_base.j2
index 8e064e0..633d070 100644
--- a/templates/etc/nginx/sites-available/_base.j2
+++ b/templates/etc/nginx/sites-available/_base.j2
@@ -4,6 +4,7 @@
 {% set __listen_ssl = item.listen_ssl | default(['443']) %}
 {% set __location = item.location | default({}) %}
 {% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %}
+{% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %}
 {% macro htpasswd(htpasswd_name, indent=1) -%}
 {% for ht in nginx_htpasswd if ht.name == htpasswd_name %}
 {{ "\t" * indent }}auth_basic "{{ ht.description }}";
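Review bot: The new `__ssl_name` fallback silently turns a missing `ssl_name` into a lookup by vhost name, but nothing verifies that `nginx_ssl_pairs` actually contains an entry with that name before `ssl()` is invoked further down the file; if the `ssl` macro (defined outside this hunk) renders nothing for an unmatched name, the server block still carries its `listen … ssl` lines but no certificate, and the mistake only surfaces at `nginx -t` or at handshake time instead of at deploy time as the previously mandatory key did. Consider failing fast before templating with an `assert` task such as `that: "(vhost.ssl_name | default(vhost.name if vhost.name is string else vhost.name[0])) in (nginx_ssl_pairs | map(attribute='name') | list)"` for every vhost whose `proto` contains "https", so an implicit name that matches nothing (or matches an unintended pair) is caught explicitly. Note also that `item.name[0]` raises on an empty `name` list, which is probably rejected elsewhere but is worth a guard or a comment. The two docs in this commit disagree about the behavior this hunk introduces — doc/ssl.md's new tip calls `ssl_name` mandatory while doc/vhost.md calls it optional; since the template makes it optional, the ssl.md tip should read `ssl_name is optional: when omitted, this role searches nginx_ssl_pairs by vhost name (first element if name is a list)`.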
@@ -33,7 +34,7 @@ server {
 {% for port in __listen_ssl %}
 	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %};
 {% endfor %}
-{{ ssl(item.ssl_name) }}
+{{ ssl(__ssl_name) }}
 {% if item.ssl_template is not defined or item.ssl_template != false %}
 	include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
 {% endif %}
diff --git a/tests/test.yml b/tests/test.yml
index 2929739..e2b755f 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -186,7 +186,6 @@
   - name: 'test-ssl.local'
     proto: ['http', 'https']
     template: '_base'
-    ssl_name: 'test-ssl.local'
   - name: 'test-ssl-predeployed.local'
     proto: ['http', 'https']
     template: '_base'