Add support for RedHat 7.9 and document SELinux changes that are necessary.
This commit is contained in:
parent
ea3cad538e
commit
1e41e871cd
63
docs/selinux.md
Normal file
63
docs/selinux.md
Normal file
@ -0,0 +1,63 @@
|
||||
# selinux
|
||||
|
||||
tl;dr nginx wants
|
||||
|
||||
```
|
||||
sudo semanage fcontext -a -t httpd_sys_content_t "/var/acme(/.*)?"
|
||||
sudo semanage fcontext -a -t httpd_var_run_t "/var/run/nginx.pid"
|
||||
sudo restorecon -R /var/acme
|
||||
sudo semanage port -a -t http_port_t -p tcp 4430-4439
|
||||
```
|
||||
|
||||
## File system access
|
||||
On RedHat 7.9, in order to permit nginx to read `/var/acme`:
|
||||
|
||||
```bash
|
||||
sudo semanage fcontext -a -t httpd_sys_content_t "/var/acme(/.*)?"
|
||||
sudo restorecon -R /var/acme
|
||||
```
|
||||
|
||||
This is because its in the `` context:
|
||||
|
||||
```bash
|
||||
$ ls -Z /usr/sbin/nginx
|
||||
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/nginx
|
||||
```
|
||||
|
||||
Also, it needs access to write a PID file:
|
||||
|
||||
```
|
||||
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
|
||||
```
|
||||
|
||||
That can be added as well:
|
||||
|
||||
```
|
||||
semanage fcontext -a -t httpd_var_run_t "/var/run/nginx.pid"
|
||||
restorecon -v /var/run/nginx.pid
|
||||
```
|
||||
|
||||
## Network port utilization
|
||||
|
||||
```
|
||||
nginx: [emerg] bind() to 10.100.102.100:4430 failed (13: Permission denied)
|
||||
```
|
||||
|
||||
Another change that was necessary was to permit nginx to listen on an unpriveled port.
|
||||
|
||||
```
|
||||
semanage port -l | grep http_port_t
|
||||
sudo semanage port -a -t http_port_t -p tcp 4430-4439
|
||||
```
|
||||
|
||||
And proxy_pass also gets blocked:
|
||||
|
||||
```
|
||||
*126 connect() to 127.0.0.1:8083 failed (13: Permission denied) while connecting to upstream
|
||||
```
|
||||
|
||||
Workaround:
|
||||
|
||||
```
|
||||
sudo setsebool -P httpd_can_network_connect 1
|
||||
```
|
59
tasks/certificates-RedHat.yml
Normal file
59
tasks/certificates-RedHat.yml
Normal file
@ -0,0 +1,59 @@
|
||||
---
|
||||
- name: "Copy certificate files for {{ acme_domain.domain }}."
|
||||
ansible.builtin.copy:
|
||||
src: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.{{ file_extension }}"
|
||||
dest: "{{ acme_path }}/certificates/"
|
||||
owner: "{{ acme_system_user }}"
|
||||
group: "{{ acme_system_group }}"
|
||||
mode: '0640'
|
||||
tags: lego
|
||||
loop:
|
||||
- crt
|
||||
- key
|
||||
- issuer.crt
|
||||
loop_control:
|
||||
loop_var: file_extension
|
||||
|
||||
- name: Configure nginx TLSv1.2 for {{ acme_domain.domain }}
|
||||
ansible.builtin.import_role:
|
||||
name: nginxinc.nginx_core.nginx_config
|
||||
allow_duplicates: true
|
||||
tags: nginx
|
||||
vars:
|
||||
nginx_config_http_template_enable: true
|
||||
nginx_config_http_template:
|
||||
- template_file: http/default.conf.j2
|
||||
deployment_location: "/etc/nginx/acme_{{ acme_domain.domain }}.conf"
|
||||
backup: false
|
||||
config:
|
||||
core:
|
||||
server_name: "{{ acme_domain.domain }}"
|
||||
ssl:
|
||||
certificate: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.crt"
|
||||
certificate_key: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.key"
|
||||
trusted_certificate: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.issuer.crt"
|
||||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
dhparam: "{{ nginx_config_dhparam }}"
|
||||
# ecdh_curve: X25519:secp521r1:secp384r1
|
||||
prefer_server_ciphers: true
|
||||
protocols:
|
||||
- TLSv1.2
|
||||
# - TLSv1.3
|
||||
session_cache:
|
||||
shared:
|
||||
name: "{{ acme_domain.domain }}"
|
||||
size: 1M
|
||||
session_tickets: false
|
||||
session_timeout: 1d
|
||||
ocsp: true
|
||||
ocsp_cache:
|
||||
name: cache
|
||||
size: 64k
|
||||
stapling: true
|
||||
stapling_verify: true
|
||||
ocsp_responder: http://r3.o.lencr.org
|
||||
headers:
|
||||
add_headers:
|
||||
- name: Strict-Transport-Security
|
||||
value: '"max-age=7776000"'
|
||||
always: true
|
@ -31,6 +31,18 @@
|
||||
loop_control:
|
||||
loop_var: acme_domain
|
||||
tags: nginx
|
||||
when: os_family != 'RedHat'
|
||||
|
||||
- name: Loop through the domain list (again) to copy certs and configure nginx for each ACME domain
|
||||
include_tasks:
|
||||
file: certificates-RedHat.yml
|
||||
apply:
|
||||
become: true
|
||||
loop: "{{ acme_domains }}"
|
||||
loop_control:
|
||||
loop_var: acme_domain
|
||||
tags: nginx
|
||||
when: os_family == 'RedHat'
|
||||
|
||||
- import_tasks: dhparams.yml
|
||||
become: true
|
||||
|
Loading…
Reference in New Issue
Block a user