Add support for RedHat 7.9 and document the SELinux changes that are necessary.
This commit is contained in:
parent
ea3cad538e
commit
1e41e871cd
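--- a/docs/selinux.md
+++ b/docs/selinux.md
@@ -0,0 +1,63 @@
+# selinux
+
+tl;dr nginx wants
+
+```
+sudo semanage fcontext -a -t httpd_sys_content_t "/var/acme(/.*)?"
+sudo semanage fcontext -a -t httpd_var_run_t "/var/run/nginx.pid"
+sudo restorecon -R /var/acme
+sudo semanage port -a -t http_port_t -p tcp 4430-4439
+```
+
+## File system access
+On RedHat 7.9, in order to permit nginx to read `/var/acme`:
+
+```bash
+sudo semanage fcontext -a -t httpd_sys_content_t "/var/acme(/.*)?"
+sudo restorecon -R /var/acme
+```
+
+This is because its in the `` context:
+
+```bash
+$ ls -Z /usr/sbin/nginx
+-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/nginx
+```
+
+Also, it needs access to write a PID file:
+
+```
+nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
+```
+
+That can be added as well:
+
+```
+semanage fcontext -a -t httpd_var_run_t "/var/run/nginx.pid"
+restorecon -v /var/run/nginx.pid
+```
+
+## Network port utilization
+
+```
+nginx: [emerg] bind() to 10.100.102.100:4430 failed (13: Permission denied)
+```
+
+Another change that was necessary was to permit nginx to listen on an unpriveled port.
+
+```
+semanage port -l | grep http_port_t
+sudo semanage port -a -t http_port_t -p tcp 4430-4439
+```
+
+And proxy_pass also gets blocked:
+
+```
+*126 connect() to 127.0.0.1:8083 failed (13: Permission denied) while connecting to upstream
+```
+
+Workaround:
+
+```
+sudo setsebool -P httpd_can_network_connect 1
+```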
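--- a/tasks/certificates-RedHat.yml
+++ b/tasks/certificates-RedHat.yml
@@ -0,0 +1,59 @@
+---
+- name: "Copy certificate files for {{ acme_domain.domain }}."
+  ansible.builtin.copy:
+    src: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.{{ file_extension }}"
+    dest: "{{ acme_path }}/certificates/"
+    owner: "{{ acme_system_user }}"
+    group: "{{ acme_system_group }}"
+    mode: '0640'
+  tags: lego
+  loop:
+    - crt
+    - key
+    - issuer.crt
+  loop_control:
+    loop_var: file_extension
+
+- name: Configure nginx TLSv1.2 for {{ acme_domain.domain }}
+  ansible.builtin.import_role:
+    name: nginxinc.nginx_core.nginx_config
+    allow_duplicates: true
+  tags: nginx
+  vars:
+    nginx_config_http_template_enable: true
+    nginx_config_http_template:
+      - template_file: http/default.conf.j2
+        deployment_location: "/etc/nginx/acme_{{ acme_domain.domain }}.conf"
+        backup: false
+        config:
+          core:
+            server_name: "{{ acme_domain.domain }}"
+          ssl:
+            certificate: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.crt"
+            certificate_key: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.key"
+            trusted_certificate: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.issuer.crt"
+            ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+            dhparam: "{{ nginx_config_dhparam }}"
+            # ecdh_curve: X25519:secp521r1:secp384r1
+            prefer_server_ciphers: true
+            protocols:
+              - TLSv1.2
+              # - TLSv1.3
+            session_cache:
+              shared:
+                name: "{{ acme_domain.domain }}"
+                size: 1M
+            session_tickets: false
+            session_timeout: 1d
+            ocsp: true
+            ocsp_cache:
+              name: cache
+              size: 64k
+            stapling: true
+            stapling_verify: true
+            ocsp_responder: http://r3.o.lencr.org
+          headers:
+            add_headers:
+              - name: Strict-Transport-Security
+                value: '"max-age=7776000"'
+                always: true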
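Review bot: None of the SELinux steps that docs/selinux.md lists (the httpd_sys_content_t context on the certificate directory, the httpd_var_run_t context on the PID file, the http_port_t port range, the httpd_can_network_connect boolean) is applied by this task file, so on a freshly provisioned RedHat host the copy task succeeds and nginx then fails with exactly the denials the document quotes; consider applying them here with the SELinux modules (`community.general.sefcontext`, `community.general.seport`, `ansible.posix.seboolean`) instead of leaving them as manual steps. The file context for `{{ acme_path }}/certificates` belongs next to the copy task in particular, since that directory is what this file populates (the document's `/var/acme` is presumably its value on the author's host). The documented boolean `httpd_can_network_connect` lets the nginx domain connect to any TCP port, so if the proxy_pass upstreams sit on ports labelled for http, the narrower `httpd_can_network_relay` may be enough and is worth checking before it is automated. Separately, `ocsp_responder: http://r3.o.lencr.org` pins stapling to one Let's Encrypt intermediate; when the issuer rotates, stapled responses stop validating, so either make it a variable or omit it and let nginx take the responder URL from the certificate's AIA extension.
```yaml
# … new tasks, placed before "Copy certificate files" …
- name: "Label {{ acme_path }}/certificates so nginx (httpd_t) may read the certificate files."
  community.general.sefcontext:
    target: "{{ acme_path }}/certificates(/.*)?"
    setype: httpd_sys_content_t
    state: present
  tags: nginx

- name: "Apply the file context to {{ acme_path }}/certificates."
  ansible.builtin.command: "restorecon -Rv {{ acme_path }}/certificates"
  register: acme_restorecon
  changed_when: acme_restorecon.stdout | length > 0
  tags: nginx
# … unchanged: copy and nginx_config tasks …
```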
@ -31,6 +31,18 @@
loop_control:
loop_control:
loop_var: acme_domain
loop_var: acme_domain
tags: nginx
tags: nginx
when: os_family != 'RedHat'
- name: Loop through the domain list (again) to copy certs and configure nginx for each ACME domain
include_tasks:
file: certificates-RedHat.yml
apply:
become: true
loop: "{{ acme_domains }}"
loop_control:
loop_var: acme_domain
tags: nginx
when: os_family == 'RedHat'
- import_tasks: dhparams.yml
- import_tasks: dhparams.yml
become: true
become: true
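Review bot: Both conditionals test `os_family`, which is not a gathered Ansible fact (that one is `ansible_os_family`); unless `os_family` is set as a role, inventory or `set_fact` variable somewhere outside this hunk, the `when: os_family != 'RedHat'` added at the top of the hunk aborts every host with an undefined-variable error, so either switch both to `ansible_os_family` or document in this file where `os_family` comes from. The task that the first `when` attaches to begins outside the hunk, so I cannot tell whether it also uses include_tasks; if it does, the two mutually exclusive tasks, which repeat `loop`, `loop_control` and `tags: nginx`, could become one include with a computed file name. The file header for this hunk is not in view, so I am assuming it is the role's main task list.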