
HTTP client certificate support. Switch to it for monitoring.torsion.org.

Dan Helfman 2 months ago
parent
commit
5186f5d97e

+ 32
- 0
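--- a/public_keys/certificate-authority
+++ b/public_keys/certificate-authority
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFjzCCA3egAwIBAgIUeMqUD2ikPl4bgoJvKFa963KjKckwDQYJKoZIhvcNAQEL
+BQAwVzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcM
+B1NlYXR0bGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0x
+ODExMDQyMTQzNTlaFw0xOTExMDQyMTQzNTlaMFcxCzAJBgNVBAYTAlVTMRMwEQYD
+VQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQC+7HeY3GxFjvdVsYx6v793GfRpT2kio1QS3wSzvTzG62N761ecbfOILyhc
+mmV/mrD/Z8LzPQOxUSynkbbXPZUuRYX0O4y+nBU45HfGRTt+4ek9IFKZXPNyotSM
+QWakb6yxoJ/Mjjb+C6G9LAquVTbfj+t2JQ8ogIvElyyI0teYBq1kRmUieHwGHc+y
+nv4kwvApHlmIW1oJixNDdNrv7DrEo6qptPEbjGhzjMnDjw6rkjggP/JOxeqV5OGv
+vo7JGmxJxMv4VGamnkZmLpPfbcBN/W10mABRQS7TA61tgVtO6v5mMRaYzPdborcy
+C4okrt/mBqYP3e50jrzlXw6kzA/rX45npk1X6kamjkUJxC7/rCdDzJ/lRt6wIx6C
+JhSi1pLdHATUs3afDGPYOwQPdMlCX66ZkMUqT/4W7Cf6rl9YNXdqj5RcSnIvh59a
+SrDGdBduJEOq+JSkrKqYzBQwBtGqvEm5cr7BNW3FICixXWz3bRq9asAN1fHoEpfo
+vE1yQYf46pwntgc0PGlHJWI2Dm0U/TR98GRjpKQswBVqx6VIZOYrh1bNH8/BEX5h
+8/cbpMmBghxuVCND1QuhchcxCDnBa3Yt0stvVUeqr/MHegj6Saw1DEtNP103ogjF
+8E7//oIUGie/1LhVtq9IMilc4KlZGrTs7xowwRhIQo1r8VyzlwIDAQABo1MwUTAd
+BgNVHQ4EFgQUhjoh1+dZyYia4p9eXPCc/81gxWAwHwYDVR0jBBgwFoAUhjoh1+dZ
+yYia4p9eXPCc/81gxWAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAFyne+C7S8KNMZ7Ce+pBQk7rnTT/2NLt70oXSKudwvJT85cuwUgPQd4JHm+k5
+I7i3XMLIswm2CKjyXpe9Ap/jGxIBDvFldUXkd6qcxAJSWUgPp8p4TnirlyLkkE6w
+Bk3h8JwBhpX17cu2J/KQiFp7XcEPBrE5Zb6uRnJWEh5FLaz26FNxGyO42YRX+VwD
+sWFHmU6O33tJNXTdd4hP46W8QgysXzO7bg4nWCU7N7MsgqBFbpXn7JYIw8vTxIs2
+U2LJVpdEbljC1ADdI424l4vMhTvesxIjK9r8G09yVgr2bL8DjPPqEQTv+BbNJqnc
+RdxPajXLDCcKNukcY4Rqs3OmwqstWHBTw9kmRBSZEFBwD/aBYpJHr5t9NZJEAh3a
+IZ6eDeVqI8JXLNG5QXwmxrBB09epgAPn10CvAGeu5F/qiemATsLm6NqLOJI50cZd
+wmH+jtoar502P88gDalK8NtZVJNCjjT0PDEI0OEsoDm+mFq5Kb62gu+uJMcFJDWO
+0fQNkS2e1Qjc/+/M8+YHFugOAitfAoDDjxnhb5V7iA4plnDyhNBB10qdfqdmjhVG
+K0+Mt6aVWZ7fgq7P/I6WlJq+v9+7iAO7S9TWesq4XTBquE3scZ6lWJYsPYoL1z20
+6UzvNZ2uJ0pX4Qfw4DQxSyGDgXlY1aF45/VYytYGKQAeZZ8=
+-----END CERTIFICATE-----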
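Review bot: Nothing in the commit records when this CA expires or how it is rotated, and once the monitoring vhost enforces `ssl_verify_client on` an expired trust anchor locks every client out at once; decoding the visible base64, the certificate appears to carry a one-year validity window and the OpenSSL default subject ("Internet Widgits Pty Ltd"), which suggests it was generated with defaults rather than a planned lifetime. Add a sibling README or a comment in the role that copies it, along the lines of `# Private CA for monitoring client certificates; expires <DATE>; signing key kept offline at <LOCATION>; rotate by replacing this file and re-issuing client certificates`, with the placeholders filled in from the actual key material. Stating where the signing key lives matters because that key is now the sole credential that grants access to the monitoring host.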

+ 2
- 0
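--- a/roles/monitoring/files/client_certificate_nginx.conf
+++ b/roles/monitoring/files/client_certificate_nginx.conf
@@ -0,0 +1,2 @@
+ssl_client_certificate /etc/nginx/certs/ca.crt;
+ssl_verify_client on;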
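Review bot: `ssl_verify_client on` is configured without any `ssl_crl`, so a client certificate issued by this CA cannot be withdrawn short of replacing the CA itself; nginx has no revocation source to consult. If that trade-off is deliberate, say so in the file, e.g. `# Mutual TLS for the monitoring vhost: clients must present a certificate signed by the CA installed by the web_server role. No CRL is configured, so revoking a client means re-keying the CA.`; if revocation is wanted, add `ssl_crl /etc/nginx/certs/ca.crl;` together with a copy task for the CRL. `ssl_verify_depth` is left at its default of 1, which is right for certificates issued directly by this CA but would reject a chain through an intermediate, worth a one-line comment so a future intermediate does not surprise anyone.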

+ 4
- 13
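--- a/roles/monitoring/tasks/main.yml
+++ b/roles/monitoring/tasks/main.yml
@@ -1,16 +1,7 @@
-- name: install ansible htpasswd module dependencies
-  apt: name=python-passlib
-  tags:
-    - monitoring
-
-- name: configure monitoring user credentials
-  htpasswd:
-    path: /etc/nginx/htpasswd/{{ monitoring_hostname }}
-    name: monitoring
-    password: "{{ monitoring_password }}"
-    owner: root
-    group: 101  # nginx user within nginx-proxy container
-    mode: 0640
+- name: add client certificate configuration
+  copy:
+    dest: "/etc/nginx/vhost.d/{{ monitoring_hostname }}"
+    src: client_certificate_nginx.conf
   tags:
     - monitoring
 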
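Review bot: Removing the htpasswd task stops managing `/etc/nginx/htpasswd/{{ monitoring_hostname }}` but does not delete it from hosts that already have it, so an upgraded host keeps enforcing basic auth with a password hash Ansible will no longer rotate, while a freshly built host gets certificate auth only; what is actually enforced then differs by host history. If basic auth is meant to go, add a `file` task with `path: "/etc/nginx/htpasswd/{{ monitoring_hostname }}"` and `state: absent` under the same `monitoring` tag; if it is meant to stay as a second factor alongside the client certificate, keep the original task rather than dropping it. The new copy task also has no `notify`, so unless the proxy re-reads `vhost.d` on its own the new directives only take effect at its next restart; I cannot tell from this hunk which it is.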

+ 7
- 0
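--- a/roles/web_server/tasks/main.yml
+++ b/roles/web_server/tasks/main.yml
@@ -21,6 +21,13 @@
   with_items:
     - 80
     - 443
+  tags:
+    - web_server
+
+- name: copy certificate authority for client certificates
+  copy: src=public_keys/certificate-authority dest=/etc/nginx/certs/ca.crt mode=0600
+  tags:
+    - web_server
 
 - name: run web server containers
   docker_service: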
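Review bot: `mode=0600` on the CA copy is tighter than a trust anchor needs (the certificate is public by nature) and, since the task sets no `owner`, whether the proxy can read it depends on which uid ends up owning the host file and on nginx loading `ssl_client_certificate` as root at startup; `mode=0644` is the conventional permission for a CA certificate and removes that dependency. The task would also read better in the block form the rest of the role uses, `copy:` with `src: public_keys/certificate-authority`, `dest: /etc/nginx/certs/ca.crt` and `mode: "0644"` quoted so YAML does not read it as an octal integer. Whether the host's `/etc/nginx/certs` is mounted into the container started by the `docker_service` task is outside this hunk; the monitoring vhost's `ssl_client_certificate /etc/nginx/certs/ca.crt` assumes that it is.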
