Skip to content
This repository has been archived by the owner on Feb 13, 2023. It is now read-only.

Using https on nginx #754

Closed
mark-casias opened this issue Jun 24, 2016 · 8 comments
Closed

Using https on nginx #754

mark-casias opened this issue Jun 24, 2016 · 8 comments

Comments

@mark-casias
Copy link

Hi there,
We are trying to use nginx locally to properly mirror the Pantheon environment, but don't see a way to configure HTTPS in the config.yml. I looked at the playbook and don't see anything there. Am I just missing it?

@geerlingguy
Copy link
Owner

See: https://github.com/geerlingguy/ansible-role-nginx#role-variables

You can basically configure the server using whatever server block directives you need (setting up ciphers, cert paths, using port 443, http2, etc.).

We should probably add an example in the docs for Nginx, like we have currently for Apache: http://docs.drupalvm.com/en/latest/extras/ssl/

@joestewart
Copy link
Contributor

Looked like the provisioning/templates/nginx-vhost.conf.j2 template did not support the extra_parameters as in the template for ansible-role-nginx. So created #761

@geerlingguy
Copy link
Owner

D'oh... disadvantages of diverging from the upstream for a feature :P

@mchelen
Copy link
Contributor

mchelen commented Aug 24, 2016

Yeah I think some more documentation here would be nice, or include it commented out in config.yml. Setting an Apache server to use SSL is pretty clear from looking at the config, it would be nice to say the same for Nginx.

@mattelkins
Copy link

mattelkins commented Aug 26, 2016

Just thought I'd share my findings as I've been having a look in to this today. Here's the host definition I added to nginx_hosts in my config.yml:

- listen: "443 ssl default_server"
  server_name: "{{ drupal_domain }} www.{{ drupal_domain }}"
  ssl_certificate: "/vagrant/ssl/my.crt"
  ssl_certificate_key: "/vagrant/ssl/my.key"
  root: "{{ drupal_core_path }}"
  is_php: true

This definition is in addition to the default:

- server_name: "{{ drupal_domain }} www.{{ drupal_domain }}"
  root: "{{ drupal_core_path }}"
  is_php: true

vagrant up completed successfully, but I had to change a few configuration things.

In the server block within /etc/nginx/conf.d/{{ drupal_domain }}.conf (where drupal_domain is the domain I specified in the vagrant_hostname variable in my config.yml), only listen 443 ssl default_server was specified. The default listen 80 host configuration was nowhere to be found, so I added it to the server block:

server {
    listen 80 default_server;
    listen 443 ssl default_server;

    ...
}

I'm guessing I needed to do this because both the default host definition and my SSL host definition share the same server_name. Would this have caused the host configuration to be overwritten?

It seems as though both ssl_certificate and ssl_certificate_key were ignored during vagrant up, so I had to add them manually to the server block:

server {
    listen 80 default_server;
    listen 443 ssl default_server;

    ssl_certificate /vagrant/ssl/my.crt;
    ssl_certificate_key /vagrant/ssl/my.key;

    ...
}

I believe this is a bug and I'm happy to create a separate issue for it. However, I'm not 100% sure if this is an issue with Drupal VM or the Nginx Ansible role. Does anyone have any ideas?

After restarting Nginx, I can now access my site over HTTP or HTTPS.

@joestewart
Copy link
Contributor

Try adding extra_parameters similar to:

    extra_parameters: |
      listen 443 ssl;
          ssl_certificate         /etc/ssl/certs/ssl-cert-snakeoil.pem;
          ssl_certificate_key     /etc/ssl/private/ssl-cert-snakeoil.key;
          ssl_protocols       TLSv1.1 TLSv1.2;
          ssl_ciphers         HIGH:!aNULL:!MD5;

@mattelkins
Copy link

mattelkins commented Aug 26, 2016

Thanks for the tip, @joestewart!

The host definition for my Drupal site now looks like this:

- listen: "80 default_server"
  server_name: "{{ drupal_domain }} www.{{ drupal_domain }}"
  root: "{{ drupal_core_path }}"
  is_php: true
  extra_parameters: |
    listen 443 ssl default_server;

I've also removed the default host definition as the one above handles both HTTP and HTTPS thanks to the extra_parameters.

I still had to manually add ssl_certificate and ssl_certificate_key to the configuration file as vagrant up failed due to the two files not existing when Nginx was restarted. I think this must be because the Vagrant folder wasn't available in the VM at that point.

@geerlingguy
Copy link
Owner

Added to the docs. At some point I'll also make the upstream Nginx role a little less obtuse in this regard. Right now, for my own projects, I supply my own Nginx server templates for these things, but it would be nice if it were managed by the role itself.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

5 participants