From ea1bc211506508e875f1fd3de2ebb53b8bc7737c Mon Sep 17 00:00:00 2001
From: Evan Kaufman
Date: Sat, 23 Jul 2016 22:32:58 -0700
Subject: [PATCH 1/3] Added pound role...
* checks for a single cert: ./provision/files/ssl/*.pem
* if found, installs and configures pound
* same cert for _all_ domains + aliases on _all_ stages
---
 provisioning/provision.yml | 1 +
 provisioning/roles/pound/handlers/main.yml | 4 ++
 provisioning/roles/pound/tasks/install.yml | 32 ++++++++++
 provisioning/roles/pound/tasks/main.yml | 17 +++++
 provisioning/roles/pound/templates/pound.cfg | 66 ++++++++++++++++++++
 5 files changed, 120 insertions(+)
 create mode 100644 provisioning/roles/pound/handlers/main.yml
 create mode 100644 provisioning/roles/pound/tasks/install.yml
 create mode 100644 provisioning/roles/pound/tasks/main.yml
 create mode 100644 provisioning/roles/pound/templates/pound.cfg
diff --git a/provisioning/provision.yml b/provisioning/provision.yml
index 8677385..6205a1a 100644
--- a/provisioning/provision.yml
+++ b/provisioning/provision.yml
@@ -5,3 +5,4 @@
 - common
 - wordpress
 - varnish
+ - pound
diff --git a/provisioning/roles/pound/handlers/main.yml b/provisioning/roles/pound/handlers/main.yml
new file mode 100644
index 0000000..e1a41b2
--- /dev/null
+++ b/provisioning/roles/pound/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: restart pound
+ service: name=pound state=restarted
+ sudo: true
diff --git a/provisioning/roles/pound/tasks/install.yml b/provisioning/roles/pound/tasks/install.yml
new file mode 100644
index 0000000..5b4bf66
--- /dev/null
+++ b/provisioning/roles/pound/tasks/install.yml
@@ -0,0 +1,32 @@
+# https://launchpad.net/~unleashedtech/+archive/ubuntu/pound-2.7
+- name: Register pound 2.7 ppa
+ apt_repository: repo='ppa:unleashedtech/pound-2.7'
+ sudo: true
+
+- name: Install pound packages
+ apt: pkg={{item}} state=latest update_cache=yes
+ with_items:
+ - ssl-cert
+ - pound
+ sudo: true
+ sudo_user: root
+
+- name: Copy pound configuration file
+ template: src=pound.cfg dest=/etc/pound/pound.cfg mode=0644
+ notify: restart pound
+ sudo: true
+
+- name: Copy SSL certificate
+ copy: src={{ pound__cert_path }}/{{ pound__cert_name }} dest=/etc/pound/genesis-{{ domain }}.pem mode=0644
+ notify: restart pound
+ sudo: true
+
+- name: Enable pound
+ lineinfile: regexp='^startup=0' line='startup=1' dest=/etc/default/pound backup=yes
+ notify: restart pound
+ sudo: yes
+
+- name: Configure HTTPS Forwarded Proto detection in Apache 2.2
+ copy: content="SetEnvIf X-Forwarded-Proto ^https$ HTTPS=on\n" dest=/etc/apache2/conf.d/https-forwarded-proto.conf mode=0644
+ notify: restart apache
+ sudo: true
diff --git a/provisioning/roles/pound/tasks/main.yml b/provisioning/roles/pound/tasks/main.yml
new file mode 100644
index 0000000..e25f00d
--- /dev/null
+++ b/provisioning/roles/pound/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Find pem cert, if one exists (should include key)
+ local_action: shell ls -1 {{ inventory_dir }}/files/ssl/*.pem
+ ignore_errors: yes
+ register: pound__cert_exists
+
+- name: Set cert filename and path
+ set_fact:
+ pound__cert_name: "{{ pound__cert_exists.stdout_lines[0] | basename }}"
+ pound__cert_path: "{{ pound__cert_exists.stdout_lines[0] | dirname }}"
+ when: pound__cert_exists.stdout != ""
+
+- debug: var=pound__cert_name
+- debug: var=pound__cert_path
+
+- include: install.yml
+ when: pound__cert_exists.stdout != ""
diff --git a/provisioning/roles/pound/templates/pound.cfg b/provisioning/roles/pound/templates/pound.cfg
new file mode 100644
index 0000000..a57abf9
--- /dev/null
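Review bot: `Copy SSL certificate` writes the pem to `/etc/pound/genesis-{{ domain }}.pem` with `mode=0644`, and the lookup task in main.yml says that pem "should include key", so the private key ends up world-readable on the host. As far as I recall pound loads its certificates while still running as root, before dropping to `www-data`, so `copy: src={{ pound__cert_path }}/{{ pound__cert_name }} dest=/etc/pound/genesis-{{ domain }}.pem owner=root group=root mode=0600` is sufficient. Two smaller points: `state=latest` against the third-party `ppa:unleashedtech/pound-2.7` means every run may silently pull a new pound build from an unofficial archive (`state=present` is safer), and the `SetEnvIf X-Forwarded-Proto ^https$ HTTPS=on` rule trusts that header on any request Apache receives, so it is only safe if port 80 is reachable solely from pound on 127.0.0.1. That assumption deserves a comment next to the rule, e.g. `# trusts X-Forwarded-Proto: only valid while port 80 is unreachable except via pound`.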
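Review bot: `Set cert filename and path` takes `stdout_lines[0]` unconditionally, so if two `.pem` files land in `files/ssl/` the role deploys whichever `ls` lists first with no warning, even though the commit message calls for a single cert. Because `ignore_errors: yes` on the lookup would also swallow a `failed_when` there, add a separate guard after it: `- assert: that="pound__cert_exists.stdout_lines | length <= 1"`. Since that pem is expected to carry the private key, the task comment should also say how it is kept out of plain-text VCS (ansible-vault or untracked) — I cannot tell from this hunk how the repo handles it.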
+++ b/provisioning/roles/pound/templates/pound.cfg
@@ -0,0 +1,66 @@
+## Minimal sample pound.cfg
+##
+## see pound(8) for details
+
+
+######################################################################
+## global options:
+
+User "www-data"
+Group "www-data"
+#RootJail "/chroot/pound"
+
+## Logging: (goes to syslog by default)
+## 0 no logging
+## 1 normal
+## 2 extended
+## 3 Apache-style (common log format)
+LogLevel 1
+
+## check backend every X secs:
+Alive 60
+
+## use hardware-accelleration card supported by openssl(1):
+#SSLEngine ""
+
+# poundctl control socket
+Control "/var/run/pound/poundctl.socket"
+
+
+######################################################################
+## listen, redirect and ... to:
+
+## redirect all requests on port 443 ("ListenHTTPS") to the local webserver (see "Service" below):
+ListenHTTPS
+ Address 0.0.0.0
+ Port 443
+
+ HeadRemove "X-Forwarded-Proto"
+ AddHeader "X-Forwarded-Proto: https"
+
+{% if aliases %}
+{% set all_domains = [ domain|replace('.','\\.') ] %}
+{% for alias in aliases %}
+{% set foo = all_domains.append( alias|replace('.','\\.') ) %}
+{% endfor %}
+{% set all_domains = '(' + all_domains|join('|') + ')' %}
+{% else %}
+{% set all_domains = domain|replace('.','\\.') %}
+{% endif %}
+ Cert "/etc/pound/genesis-{{ domain }}.pem"
+
+ Service
+ HeadRequire "Host: .*{{ all_domains }}.*"
+ BackEnd
+ Address 127.0.0.1
+ Port 80
+ End
+ End
+
+ ## https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers
+ Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+ SSLHonorCipherOrder 1
+ Disable SSLv2
+ Disable SSLv3
+
+End
From 373c02e90dbbeb4854b584e08375bb5e135158a6 Mon Sep 17 00:00:00 2001
From: Evan Kaufman
Date: Sun, 24 Jul 2016 09:30:00 -0700
Subject: [PATCH 2/3] Rewrite urls properly with ssl proxying
---
 src/Genesis.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
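Review bot: `HeadRequire "Host: .*{{ all_domains }}.*"` is unanchored, so a request with `Host: example.com.attacker.tld` or `Host: notexample.com` also satisfies the service match; each name is already escaped with `replace('.','\\.')`, so anchoring is the only missing piece: `HeadRequire "^Host: {{ all_domains }}(:[0-9]+)?$"`. The cipher string still offers the 3DES suites (`ECDH+3DES:DH+3DES:RSA+3DES`) and only SSLv2/SSLv3 are disabled; dropping those three entries and adding `Disable TLSv1` (pound 2.7 accepts it, if I recall correctly) would be the expected hardening for a new listener. A one-line comment above `Cert`, e.g. `# one cert/key pair serves {{ domain }} and every alias, so it must cover all of them`, would record the assumption the commit message states.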
diff --git a/src/Genesis.php b/src/Genesis.php
index 19eb63f..a951832 100644
--- a/src/Genesis.php
+++ b/src/Genesis.php
@@ -22,7 +22,7 @@ public static function rewriteUrls()
 update_option('upload_path', null);
 $old_url = site_url();
- $new_url = ($_SERVER['SERVER_PORT'] === '443' ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'];
+ $new_url = ($_SERVER['HTTPS'] === 'on' ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'];
 // Ensure internal WordPress functions map correctly to new url (but don't want to persist in the DB)
 add_filter('option_home', function($value) use ($old_url, $new_url) { return str_replace($old_url, $new_url, $value); });
From 33bf017e0fe668e6bddcc262fa1aedefd11a0aec Mon Sep 17 00:00:00 2001
From: Evan Kaufman
Date: Sun, 24 Jul 2016 10:44:56 -0700
Subject: [PATCH 3/3] Disable existing pound install (if there is one), when pem cert is not found
This is extra cleanup, only necessary when _removing_ a pem cert for a site already provisioned with pound
---
 provisioning/roles/pound/handlers/main.yml | 4 ++++
 provisioning/roles/pound/tasks/disable.yml | 6 ++++++
 provisioning/roles/pound/tasks/main.yml | 3 +++
 3 files changed, 13 insertions(+)
 create mode 100644 provisioning/roles/pound/tasks/disable.yml
diff --git a/provisioning/roles/pound/handlers/main.yml b/provisioning/roles/pound/handlers/main.yml
index e1a41b2..c82dd47 100644
--- a/provisioning/roles/pound/handlers/main.yml
+++ b/provisioning/roles/pound/handlers/main.yml
@@ -2,3 +2,7 @@
 - name: restart pound
 service: name=pound state=restarted
 sudo: true
+
+- name: stop pound
+ service: name=pound state=stopped
+ sudo: true
diff --git a/provisioning/roles/pound/tasks/disable.yml b/provisioning/roles/pound/tasks/disable.yml
new file mode 100644
index 0000000..4f8ec40
--- /dev/null
+++ b/provisioning/roles/pound/tasks/disable.yml
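Review bot: `$_SERVER['HTTPS'] === 'on'` makes the scheme depend entirely on the `SetEnvIf X-Forwarded-Proto` rule the pound role drops into Apache, and a request that reaches Apache's port 80 directly with a forged `X-Forwarded-Proto: https` flips it just the same. This is a WordPress code path (`site_url()`, `update_option`, `add_filter`), so core's `is_ssl()` — which, as I recall, accepts `on` and `1` and falls back to port 443 — keeps the old `SERVER_PORT` behaviour as a fallback: `$new_url = (is_ssl() ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'];`. The host part is still taken verbatim from the client-controlled `HTTP_HOST` and fed into the `option_home` rewrite; that predates this commit, but a comment noting that the header is trusted here (or a check against the configured domain) would be worthwhile. `rewriteUrls()` continues outside the hunk.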
@@ -0,0 +1,6 @@
+---
+- name: Disable pound
+ lineinfile: regexp='^startup=1' line='startup=0' dest=/etc/default/pound
+ notify: stop pound
+ ignore_errors: yes
+ sudo: yes
diff --git a/provisioning/roles/pound/tasks/main.yml b/provisioning/roles/pound/tasks/main.yml
index e25f00d..1ebfbd9 100644
--- a/provisioning/roles/pound/tasks/main.yml
+++ b/provisioning/roles/pound/tasks/main.yml
@@ -15,3 +15,6 @@
 - include: install.yml
 when: pound__cert_exists.stdout != ""
+
+- include: disable.yml
+ when: pound__cert_exists.stdout == ""
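Review bot: `ignore_errors: yes` on `Disable pound` hides every failure, not just the missing `/etc/default/pound` it is presumably there for (lineinfile fails when `dest` does not exist), so a permission error or a bad regexp passes silently and HTTPS stays enabled on a host the operator believes is disabled. Replace it with an existence check: `- stat: path=/etc/default/pound` registered as `pound__default`, then `when: pound__default.stat.exists` on the lineinfile, and drop `ignore_errors`. Mirroring the enable task's `backup=yes` and writing `sudo: true` rather than `sudo: yes` would keep the two tasks consistent.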
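Review bot: `disable.yml` now runs whenever `pound__cert_exists.stdout` is empty, and because the lookup has `ignore_errors: yes` and `ls` exits non-zero both for "no match" and for real errors, a controller-side failure (undefined `inventory_dir`, unreadable directory) is indistinguishable from "cert removed" and will stop pound on an already provisioned site. A `find` local action (`local_action: find paths={{ inventory_dir }}/files/ssl patterns=*.pem`, registered as `pound__certs`) returns a `matched` count without erroring, so `when: pound__certs.matched == 0` expresses the intent without masking failures; alternatively, gate disabling on an explicit variable rather than on a missing file. I cannot tell from this hunk whether `inventory_dir` is always defined for these plays.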