puddle: nginx configs for HTTPS
authorKen Dreyer <kdreyer@redhat.com>
Wed, 14 Oct 2015 20:37:01 +0000 (14:37 -0600)
committerKen Dreyer <kdreyer@redhat.com>
Wed, 14 Oct 2015 20:51:46 +0000 (14:51 -0600)
I'm adding HTTPS to our Puddle web server in order to support test Apt
repos over HTTPS.

The packages will be hosted under http://puddle.fqdn/ubuntu/

The key and certificate files are managed outside of Ansible.

roles/puddle/templates/nginx.conf

index 85ab525919d5de93c83935754b7967b56f34a392..1d1846d5b10ac9f182fbce7b48fb7a1233a91a83 100644 (file)
@@ -51,9 +51,14 @@ http {
     server {
         listen       80 default_server;
         listen       [::]:80 default_server;
+        listen       443 default_server ssl;
         server_name  localhost;
         root         /var/www/{{ ansible_hostname }}/htdocs;
 
+        ssl_certificate     /etc/pki/tls/certs/{{ ansible_fqdn }}-bundled.crt;
+        ssl_certificate_key /etc/pki/tls/private/{{ ansible_fqdn }}.key;
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
         location / {
             autoindex on;
             autoindex_exact_size off;
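Review bot: The added `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, both deprecated by RFC 8996, so a client or an on-path party can negotiate the weaker versions. Unless an old Apt client is known to need them, `ssl_protocols TLSv1.2;` is the safer setting, with `TLSv1.3` added where the installed nginx and OpenSSL support it. No `ssl_ciphers` directive is set either, so the cipher list is whatever the installed nginx defaults to; pinning it, or at least adding a comment that the default is intentional, would make that explicit. The new `listen 443 default_server ssl;` has no IPv6 counterpart, unlike port 80, and `listen [::]:443 default_server ssl;` would keep the two consistent. The `server` block continues outside this hunk.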
@@ -70,6 +75,15 @@ http {
             # More from distill:
             text/plain manifest MD5SUM SHA1SUM SHA256SUM;
         }
+
+        # Online Ubuntu repos
+        location /ubuntu/ {
+            autoindex on;
+            autoindex_exact_size off;
+            if ($scheme != "https") {
+                rewrite ^ https://$host$uri permanent;
+            }
+        }
     }
 
     server {
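Review bot: The redirect in `location /ubuntu/` builds its `Location` header from `$host` and `$uri`, both of which are shaped by the request. `$host` takes its value from the client's Host header, and since this is the `default_server` it answers for any name; `$uri` is the decoded, normalized path, so percent-encoded characters reach the header unescaped and the query string is dropped. Redirecting to the templated name that matches the certificate, with the raw request URI, avoids both: `return 301 https://{{ ansible_fqdn }}$request_uri;`, which also replaces `rewrite` with the simpler `return` for a plain redirect. Only `/ubuntu/` is forced to HTTPS and the rest of the tree stays on plain HTTP, so a comment such as `# Only the Apt repos are HTTPS-only; other paths remain on HTTP` would record that this is deliberate.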