From: Matt Birkholz Date: Wed, 13 Nov 2024 03:40:51 +0000 (-0700) Subject: Enable HTTPS on Core, mainly for Nextcloud's satisfaction. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=030f23be1cf1a4736dc1727ad992ea2a1d68cc2e;p=Institute Enable HTTPS on Core, mainly for Nextcloud's satisfaction. Firefox will warn about the institute certificate, even if said certificate is installed as a trusted CA. --- diff --git a/README.org b/README.org index cfdabbe..fe8fa11 100644 --- a/README.org +++ b/README.org @@ -342,7 +342,7 @@ will automatically wipe it within 15 minutes. ** The Cloud Service Core runs Nextcloud to provide a private institute cloud at -~http://core.small.private/nextcloud/~. It is managed manually per +~https://core.small.private/nextcloud/~. It is managed manually per [[https://docs.nextcloud.com/server/latest/admin_manual/][The Nextcloud Server Administration Guide]]. The code /and/ data, including especially database dumps, are stored in =/Nextcloud/= which is included in Core's backup procedure as described in [[*Backups][Backups]]. The @@ -3510,7 +3510,19 @@ The tasks below install Apache2 and edit its default configuration. become: yes apache2_module: name: "{{ item }}" - loop: [ userdir, cgid ] + loop: [ userdir, cgid, ssl ] + notify: Restart Apache2. + +- name: Configure Apache2 SSL certificate. + become: yes + lineinfile: + path: /etc/apache2/sites-available/default-ssl.conf + regexp: "^([\t ]*){{ item.p }}" + line: "\\1{{ item.p }}\t{{ item.v }}" + backrefs: yes + loop: + - { p: SSLCertificateFile, v: "/etc/server.crt" } + - { p: SSLCertificateKeyFile, v: "/etc/server.key" } notify: Restart Apache2. #+END_SRC @@ -3553,7 +3565,7 @@ The ~a2ensite~ command enables them. command: cmd: a2ensite -q {{ item }} creates: /etc/apache2/sites-enabled/{{ item }}.conf - loop: [ live, test, www ] + loop: [ live, test, www, default-ssl ] notify: Restart Apache2. - name: Enable/Start Apache2. 
@@ -4503,9 +4515,8 @@ should be corrected by hand for immediate testing, but the Core is next checked (or updated) e.g. with ~./inst config -n core~. Before calling Nextcloud "configured", the administrator runs ~./inst -config core~, surfs to ~http://core.small.private/nextcloud/~, -logins in as ~sysadm~, and follows any reasonable -instructions (reasonable for a small organization) on the +config core~, surfs to ~https://core.small.private/nextcloud/~, logins +in as ~sysadm~, and follows any reasonable instructions on the Administration > Overview page. *** Afterwards @@ -7319,7 +7330,7 @@ the following tests on ~dick~'s desktop. - Use a web browser to get ~http://core/nextcloud/~. It should be a warning about accessing Nextcloud by an untrusted name. -- Get ~http://core.small.private/nextcloud/~. It should be a +- Get ~https://core.small.private/nextcloud/~. It should be a login web page. - Login as ~sysadm~ with password ~fubar~. @@ -7338,7 +7349,7 @@ the following tests on ~dick~'s desktop. - Use the Nextcloud app to sync =~/nextCloud/= with the cloud. In the Nextcloud app's Connection Wizard (the initial dialog), choose to "Log in to your Nextcloud" with the URL - ~http://core.small.private/nextcloud~. The web browser should pop + ~https://core.small.private/nextcloud~. The web browser should pop up with a new tab: "Connect to your account". Press "Log in" and "Grant access". The Nextcloud Connection Wizard then prompts for sync parameters. The defaults are fine. Presumably the Local 
@@ -7366,7 +7377,7 @@ the following tests on ~dick~'s desktop. - Create a CardDAV account in Evolution. Choose Edit, Accounts, Add, Address Book, Type CardDAV, name Small Institute, and user ~dick~. - The URL starts with ~http://core.small.private/nextcloud/~ and + The URL starts with ~https://core.small.private/nextcloud/~ and ends with ~remote.php/dav/addressbooks/users/dick/contacts/~ (yeah, 88 characters!). Create a contact in the new address book and see it in the Contacts web page. At some point Evolution will need @@ -7531,14 +7542,6 @@ include the essential ~verify-x509-name~. Use the same name on separate certificates for Gate and Front? Use the same certificate and key on Gate and Front? -Nextcloud should really be found at ~https://CLOUD.small.private/~ -rather than ~https://core.small.private/nextcloud/~, to ease -future expansion (moving services to additional machines). - -HTTPS could be used for Nextcloud transactions even though they are -carried on encrypted VPNs. This would eliminate a big warning on the -Nextcloud Administration Overview page. - ** More Tests The testing process described in the previous chapter is far from diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index 8053102..c44a9b3 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml @@ -453,7 +453,19 @@ become: yes apache2_module: name: "{{ item }}" - loop: [ userdir, cgid ] + loop: [ userdir, cgid, ssl ] + notify: Restart Apache2. + +- name: Configure Apache2 SSL certificate. + become: yes + lineinfile: + path: /etc/apache2/sites-available/default-ssl.conf + regexp: "^([\t ]*){{ item.p }}" + line: "\\1{{ item.p }}\t{{ item.v }}" + backrefs: yes + loop: + - { p: SSLCertificateFile, v: "/etc/server.crt" } + - { p: SSLCertificateKeyFile, v: "/etc/server.key" } notify: Restart Apache2. - name: Install live web site. 
@@ -553,7 +565,7 @@ command: cmd: a2ensite -q {{ item }} creates: /etc/apache2/sites-enabled/{{ item }}.conf - loop: [ live, test, www ] + loop: [ live, test, www, default-ssl ] notify: Restart Apache2. - name: Enable/Start Apache2.
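Review bot: In the README.org hunk at @@ -3510,7 +3510,19 @@ (the new "Configure Apache2 SSL certificate." task), lineinfile with backrefs: yes only rewrites a line the regexp already matches; if default-ssl.conf has no uncommented SSLCertificateFile / SSLCertificateKeyFile line (for example after a package update that ships them commented out), the task reports ok without writing anything and Apache silently keeps the distribution's snakeoil certificate. Suggest either switching to replace:/a templated vhost file, or adding a follow-up task that reads the file back and fails when "SSLCertificateFile\t/etc/server.crt" and "SSLCertificateKeyFile\t/etc/server.key" are not present, so a silent no-op surfaces as an error rather than as a certificate warning in the browser.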
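Review bot: In the README.org hunk at @@ -3553,7 +3565,7 @@, enabling default-ssl alongside live, test and www leaves the plain-HTTP service untouched: nothing in the patch redirects http://core.small.private/nextcloud/ to HTTPS or sets an HSTS header, so the https:// URL documented throughout this commit is one of two working entry points, and clients that keep an old http:// bookmark will still send Nextcloud sessions in clear over the LAN. If HTTPS is meant to be the only path to Nextcloud, add a Redirect permanent (or RewriteRule) in the port-80 site; otherwise the text should say that http:// remains available.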
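Review bot: In the README.org hunk at @@ -4503,9 +4515,8 @@, "logins in as ~sysadm~" should read "logs in as ~sysadm~"; the typo predates this commit, but the line is being rewritten anyway.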
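Review bot: In the README.org hunk at @@ -7319,7 +7330,7 @@, the test step "Get ~https://core.small.private/nextcloud/~. It should be a login web page." says nothing about the certificate, yet the commit message itself notes that Firefox warns about the institute certificate even when it is installed as a trusted CA. The step should state whether a certificate warning is expected here and must be clicked through, otherwise a tester following the list will read the warning as a failure; better still, record what the browser shows so that a change in that behaviour (the warning disappearing, or a different error) is noticed.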
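Review bot: In the README.org hunk at @@ -7531,14 +7542,6 @@, only the second removed paragraph (using HTTPS for Nextcloud to clear the Administration Overview warning) is addressed by this commit; the first, moving Nextcloud from https://core.small.private/nextcloud/ to https://CLOUD.small.private/ to ease moving services to additional machines, is still open and should stay in the future-work list rather than being dropped with it.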
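Review bot: In the roles_t/core/tasks/main.yml hunk at @@ -453,7 +453,19 @@, nothing in this hunk ensures /etc/server.crt and /etc/server.key exist on Core before the "Restart Apache2." handler fires; with the ssl module now enabled and default-ssl pointing at those paths, Apache refuses to start if either file is missing, so an ordering mistake turns a configuration change into an outage of all the web sites, not just the HTTPS one. If the files are deployed by an earlier task, a comment naming it here would help, and the key should be root-owned with mode 0600 since Apache reads it as root at startup.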