From fc8c95b0c6c0a03026cabd3de6be5925c7e2940a Mon Sep 17 00:00:00 2001
From: Tang Rufus
Date: Fri, 25 Aug 2017 21:56:05 +0800
Subject: [PATCH] WordPress Setup: Add Nginx ssl_client_certificate

---
 roles/wordpress-setup/tasks/main.yml | 2 ++
 roles/wordpress-setup/tasks/nginx-client-cert.yml | 8 ++++++++
 roles/wordpress-setup/templates/wordpress-site.conf.j2 | 5 +++++
 3 files changed, 15 insertions(+)
 create mode 100644 roles/wordpress-setup/tasks/nginx-client-cert.yml

diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml
index de589d20ba..0e5c9f1c0b 100644
--- a/roles/wordpress-setup/tasks/main.yml
+++ b/roles/wordpress-setup/tasks/main.yml
@@ -3,6 +3,8 @@
 tags: wordpress-setup-database
 - include: self-signed-certificate.yml
 tags: wordpress-setup-self-signed-certificate
+- include: nginx-client-cert.yml
+ tags: wordpress-setup-nginx-client-cert
 - name: Create web root
 file:
diff --git a/roles/wordpress-setup/tasks/nginx-client-cert.yml b/roles/wordpress-setup/tasks/nginx-client-cert.yml
new file mode 100644
index 0000000000..49d810eee5
--- /dev/null
+++ b/roles/wordpress-setup/tasks/nginx-client-cert.yml
@@ -0,0 +1,8 @@
+---
+- name: Download client cert
+ get_url:
+ url: "{{ item.value.ssl.client_cert_url }}"
+ dest: "{{ nginx_ssl_path }}/client-{{ (item.value.ssl.client_cert_url | hash('md5'))[:7] }}.crt"
+ mode: 0640
+ with_dict: "{{ wordpress_sites }}"
+ when: ssl_enabled and item.value.ssl.client_cert_url is defined
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index 236aaa2752..8b16cc8229 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
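Review bot: The bundle that `get_url` fetches in nginx-client-cert.yml becomes nginx's trust anchor for client authentication (it is what the template's `ssl_client_certificate` points at), yet nothing pins its content: whoever can serve or alter the document behind `client_cert_url` decides which client certificates the site accepts, and because `get_url` leaves an existing `dest` untouched unless `force` or `checksum` is set, a bundle that changes at the same URL (CA rotation) is never re-fetched either. An optional per-site digest such as `checksum: "{{ ('sha256:' ~ item.value.ssl.client_cert_checksum) if item.value.ssl.client_cert_checksum is defined else omit }}"` both verifies the download and triggers a re-download when the expected value changes; at minimum the docs should state that `client_cert_url` must be an `https://` URL so the module's default `validate_certs` actually protects the transfer. `mode: 0640` is an unquoted octal that YAML 1.1 parsers read as an integer; write it `mode: "0640"` as the rest of the Ansible ecosystem does. The new `client_cert_url` site key is not described anywhere in this patch — a line in the role's defaults or the site-config documentation naming it as the URL of a PEM CA bundle would help the next maintainer.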
@@ -80,6 +80,11 @@ server {
 add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') }}";
+ {% if item.value.ssl.client_cert_url is defined -%}
+ ssl_verify_client on;
+ ssl_client_certificate {{ nginx_ssl_path }}/client-{{ (item.value.ssl.client_cert_url | hash('md5'))[:7] }}.crt;
+ {% endif -%}
+
 {% if item.value.ssl.provider | default('manual') == 'manual' and item.value.ssl.cert is defined and item.value.ssl.key is defined -%}
 ssl_certificate {{ nginx_path }}/ssl/{{ item.value.ssl.cert | basename }};
 ssl_certificate_key {{ nginx_path }}/ssl/{{ item.value.ssl.key | basename }};
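Review bot: The guard on the new `{% if item.value.ssl.client_cert_url is defined -%}` is narrower than the one in nginx-client-cert.yml, which only downloads the bundle when `ssl_enabled` is also true; if the enclosing block (it starts and ends outside this hunk) is not already gated on `ssl_enabled`, the rendered config references a file the task never wrote and the nginx config test fails on the next reload. Mirroring the task's condition, `{% if ssl_enabled and item.value.ssl.client_cert_url is defined -%}`, keeps the two in step. The `client-<md5>.crt` path expression is now spelled out identically in the task and in the template, so a change to one silently breaks the other; deriving the filename from a single shared role variable that both files reference would remove that coupling. `ssl_verify_client on` relies on nginx's default `ssl_verify_depth` of 1, so a bundle containing only a root CA rejects clients issued through an intermediate — worth a comment next to the directive or an explicit `ssl_verify_depth`.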