ansible: nginx configs for HTTPS 142/head
authorKen Dreyer <kdreyer@redhat.com>
Wed, 21 Oct 2015 01:34:32 +0000 (19:34 -0600)
committerKen Dreyer <kdreyer@redhat.com>
Thu, 22 Oct 2015 16:53:32 +0000 (10:53 -0600)
Add HTTPS to the jenkins web server to protect authentication.

The key and certificate files are managed outside of Ansible.

ansible/roles/ansible-jenkins/templates/jenkins.conf

index 5f498e525f0138bd627f1cc8698f711d584d6f2c..b60b07ade3cfc6dfa8a24649b7e957019235f622 100644 (file)
@@ -2,9 +2,14 @@
 
 server {
     listen       80 default_server;
+    listen       443 default_server ssl;
 
     server_name  localhost {{ ansible_fqdn }};
 
+    ssl_certificate     /etc/ssl/certs/{{ ansible_fqdn }}-bundled.crt;
+    ssl_certificate_key /etc/ssl/private/{{ ansible_fqdn }}.key;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
     access_log  /var/log/nginx/jenkins_access.log;
     error_log  /var/log/nginx/jenkins_error.log;
 
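Review bot: The added `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and should not be offered on a listener that exists to protect Jenkins credentials; `ssl_protocols TLSv1.2;` (plus `TLSv1.3` where the installed nginx/OpenSSL supports it) is the safer setting. The hunk sets no `ssl_ciphers` or `ssl_prefer_server_ciphers`, so cipher selection falls back to whatever the packaged nginx and OpenSSL default to. Since the key and certificate are managed outside Ansible, the role verifies neither that `/etc/ssl/private/{{ ansible_fqdn }}.key` exists nor that it is readable only by root; a task that asserts the file's owner and mode before nginx is reloaded would turn a silent misconfiguration into a failed play.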
@@ -17,5 +22,9 @@ server {
       proxy_pass          http://127.0.0.1:8080;
       proxy_read_timeout  90;
 
+      # Redirect all plaintext HTTP to HTTPS
+      if ($scheme != "https") {
+         rewrite ^ https://$host$uri permanent;
+      }
     }
 }
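Review bot: The redirect target in `rewrite ^ https://$host$uri permanent;` is built from `$host`, which nginx takes from the client-supplied Host header, and this server is the `default_server`, so a request carrying an arbitrary Host is answered with a permanent redirect to that name. Pinning the target to the configured name avoids this, and `$request_uri` keeps the path as the client sent it whereas `$uri` is the decoded, normalized form: `return 301 https://{{ ansible_fqdn }}$request_uri;`. The `if` also sits after `proxy_pass` inside a location block that opens outside this hunk; a separate port-80 `server` block holding only the `return` would be easier to reason about than `if` in location context. Once the certificate is confirmed working, a `Strict-Transport-Security` header on the HTTPS side would keep browsers from making the initial plaintext request on later visits.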