magic_recipes_two 0.0.57 → 0.0.58
- checksums.yaml +8 -8
- data/lib/capistrano/magic_recipes/lets_encrypt.rb +1 -0
- data/lib/capistrano/magic_recipes/version.rb +1 -1
- data/lib/capistrano/tasks/lets_encrypt.rake +59 -0
- data/lib/capistrano/tasks/nginx.rake +4 -0
- data/lib/generators/capistrano/magic_recipes/templates/nginx.conf.erb +25 -1
- metadata +3 -1
checksums.yaml
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
---
|
2
2
|
!binary "U0hBMQ==":
|
3
3
|
metadata.gz: !binary |-
|
4
|
-
|
4
|
+
ODhiNWIwYzJiODAwOGUyYmRlOTgzZGExZmE2ZWVhYzc0YWM4Y2Q0YQ==
|
5
5
|
data.tar.gz: !binary |-
|
6
|
-
|
6
|
+
MTU4MjY5MzBjZDNiMWI3NzUxOTc5Zjg3MWJmOTZhMzdmZTc0ZjM4Ng==
|
7
7
|
SHA512:
|
8
8
|
metadata.gz: !binary |-
|
9
|
-
|
10
|
-
|
11
|
-
|
9
|
+
YWNmNmM3ZTZhOGUyMDU4YmQzNmZjNzlmYWY4YjEwMjQyZjY3NDhlM2VkNGZm
|
10
|
+
ZWVkYmZmOTg5NzY4NmM0MWM5MWIxMmQ5Mjk2ZjM0ZmUxZDgzNmU1ZTRlZTE5
|
11
|
+
OTY0NjBlZTkyODcwM2EwOTk1N2IwNzQ3ZWRjMjExOWZiYWJkN2U=
|
12
12
|
data.tar.gz: !binary |-
|
13
|
-
|
14
|
-
|
15
|
-
|
13
|
+
NjNjNzY1NmFjMjAxMzM0ZWVkMDg1NzkzNWNjZTRmMmM5ODU2NjM5MzY1Y2M1
|
14
|
+
YzU5ZmMyODk5M2FkOGQ0MzAwZWU3MjdlZGY2MTlhOTQzZmMzZWJlYTllMWQw
|
15
|
+
NWJmN2Y0ZDhkNTdmN2Q0MDU1ZTg4YTBhYWE0OWE3NDQyYTY1NjY=
|
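--- a/data/lib/capistrano/magic_recipes/lets_encrypt.rb
+++ b/data/lib/capistrano/magic_recipes/lets_encrypt.rb
@@ -0,0 +1 @@
+load File.expand_path("../../tasks/lets_encrypt.rake", __FILE__)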
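--- a/data/lib/capistrano/tasks/lets_encrypt.rake
+++ b/data/lib/capistrano/tasks/lets_encrypt.rake
@@ -0,0 +1,59 @@
+# require 'capistrano/magic_recipes/base_helpers'
+# include Capistrano::MagicRecipes::BaseHelpers
+
+namespace :load do
+task :defaults do
+set :lets_encrypt_roles, -> { :web }
+set :lets_encrypt_path, -> { "~" }
+end
+end
+
+namespace :lets_encrypt do
+
+desc "Install certbot LetsEncrypt"
+task :install do
+on release_roles fetch(:lets_encrypt_roles) do
+execute "cd #{ fetch(:lets_encrypt_path) } ; wget https://dl.eff.org/certbot-auto"
+execute "cd #{ fetch(:lets_encrypt_path) } ; chmod a+x certbot-auto"
+end
+end
+
+
+desc "Install certbot LetsEncrypt"
+task :certonly do
+on release_roles fetch(:lets_encrypt_roles) do
+# execute "./certbot-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is"
+execute "#{ fetch(:lets_encrypt_path) }/certbot-auto certonly --webroot -w #{current_path}/public#{ fetch(:nginx_major_domain, false) ? " -d #{fetch(:nginx_major_domain).to_s.gsub(/^\*?\./, "")} -d www.#{fetch(:nginx_major_domain).to_s.gsub(/^\*?\./, "")}" : ""} #{ Array(fetch(:nginx_domains)).map{ |d| "-d #{d.gsub(/^\*?\./, "")} -d www.#{d.gsub(/^\*?\./, "")}" }.join(" ") }"
+end
+end
+
+
+desc "Install certbot LetsEncrypt"
+## http://serverfault.com/a/825032
+task :auto_renew do
+on release_roles fetch(:lets_encrypt_roles) do
+execute "echo '42 0,12 * * * root #{ fetch(:lets_encrypt_path) }/certbot-auto renew --quiet' | cat > /etc/cron.d/lets_encrypt"
+end
+end
+
+
+desc "Install certbot LetsEncrypt"
+task :test_renew do
+on release_roles fetch(:lets_encrypt_roles) do
+execute "#{ fetch(:lets_encrypt_path) }/certbot-auto renew --dry-run"
+end
+end
+
+
+desc "Generate Strong Diffie-Hellman Group"
+task :generate_dhparam do
+on release_roles fetch(:lets_encrypt_roles) do
+execute :sudo, "openssl dhparam -out #{ fetch(:nginx_ssl_dh_path) }/#{ fetch(:nginx_ssl_dh_file) } 2048"
+end
+end
+
+
+end
+
+
+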
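Review bot: `auto_renew` (line 35 of the new file) writes `/etc/cron.d/lets_encrypt` through a plain `execute` with a shell redirect, so it runs as the deploy user and fails with a permission error unless that user is root — unlike `generate_dhparam`, which uses `execute :sudo`; because a redirect cannot be elevated, the write needs the form `execute "echo '42 0,12 * * * root #{ fetch(:lets_encrypt_path) }/certbot-auto renew --quiet' | sudo tee /etc/cron.d/lets_encrypt > /dev/null"`. That cron line also renews without any `--post-hook`, so a renewed certificate is not served until nginx happens to be reloaded; certbot's `--post-hook` exists for exactly this. In `install`, `wget https://dl.eff.org/certbot-auto` has no `-O`, so re-running the task keeps the old copy and saves the new one as `certbot-auto.1`, and nothing checks the integrity of a script that is then made executable and, via the cron entry, run as root — at minimum `wget -O certbot-auto https://dl.eff.org/certbot-auto`, and consider verifying the detached signature EFF publishes alongside it. The `desc` of `certonly`, `auto_renew` and `test_renew` all repeat "Install certbot LetsEncrypt"; each should describe its own task, e.g. `desc "Obtain certificates via the webroot challenge"`, `desc "Install a cron.d entry that renews certificates twice daily"`, `desc "Dry-run certificate renewal"`. Note too that `certonly` points the webroot at `#{current_path}/public` while `allow_well_known` defaults to `false` in nginx.rake, so the challenge will fail unless that setting is enabled — worth a comment above the task.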
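--- a/data/lib/capistrano/tasks/nginx.rake
+++ b/data/lib/capistrano/tasks/nginx.rake
@@ -27,6 +27,10 @@ namespace :load do
 set :nginx_hooks, -> { true }
 ## Lets Encrypt - Challenge Path
 set :allow_well_known, -> { false }
+# Diffie-Hellman settings
+set :nginx_ssl_dh_path, -> { "/etc/ssl/certs" }
+set :nginx_ssl_dh_file, -> { "dhparam.pem" }
+set :nginx_ssl_diffie_hellman, -> { false }
 ## NginX Proxy-Caching
 # Cache Rails
 set :proxy_cache_rails, -> { false }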
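Review bot: The comment `# Diffie-Hellman settings` above the new defaults understates what `nginx_ssl_diffie_hellman` controls: in nginx.conf.erb the same flag also gates the `ssl_protocols`, `ssl_ciphers`, OCSP-stapling, resolver and HSTS/X-Frame-Options/X-Content-Type-Options header lines, not only `ssl_dhparam`. A reader of this defaults block will not expect a DH toggle to change the response headers, so the comment should say so, e.g. `# Diffie-Hellman / hardened TLS settings (also enables the protocol, cipher, stapling and security-header block in nginx.conf.erb)`. `nginx_ssl_dh_path` and `nginx_ssl_dh_file` are also read by `lets_encrypt:generate_dhparam` as the output location, which is worth naming here so the two files stay in sync.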
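--- a/data/lib/generators/capistrano/magic_recipes/templates/nginx.conf.erb
+++ b/data/lib/generators/capistrano/magic_recipes/templates/nginx.conf.erb
@@ -156,12 +156,36 @@ server {
 
 server {
 <% if fetch(:nginx_use_ssl) %>
-listen 443<%= ' default_server
+listen 443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
+listen [::]:443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
 ssl on;
 ssl_certificate <%= fetch(:nginx_ssl_certificate_path) %>/<%= fetch(:nginx_ssl_certificate) %>;
 ssl_certificate_key <%= fetch(:nginx_ssl_certificate_key_path) %>/<%= fetch(:nginx_ssl_certificate_key) %>;
+<% if fetch(:nginx_ssl_diffie_hellman, false) %>
+# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+## Disable preloading HSTS for now. You can use the commented out header line that includes
+## the "preload" directive if you understand the implications.
+# => add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+ssl_dhparam <%= fetch(:nginx_ssl_dh_path) %>/<%= fetch(:nginx_ssl_dh_file) %>;
+<% end %>
 <% else %>
 listen 80<%= ' default deferred' if fetch(:default_site) %>;
+listen [::]:80<%= ' default deferred' if fetch(:default_site) %>;
 <% end %>
 <% if fetch(:nginx_major_domain) %>
 server_name <%= ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" %>;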
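Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the new hardened block keeps TLS 1.0 and 1.1 enabled, which undercuts the block's own purpose (the cipher list and `ssl_session_tickets off` are a strong-TLS profile) — `ssl_protocols TLSv1.2;` is the minimum consistent with that profile, with TLSv1.3 added where the deployed nginx/OpenSSL support it. The three `add_header` lines (HSTS, X-Frame-Options, X-Content-Type-Options) are inherited by a `location` only when that location defines no `add_header` of its own, so any location in this server block that adds a header silently drops all three; either repeat them there or add `# NOTE: add_header is not inherited into locations that set their own headers` above them. The hard-coded `resolver 8.8.8.8 8.8.4.4` sends every OCSP-stapling lookup to a fixed third-party DNS over plain UDP; reading it from a setting would let deployments use their own resolver. Gating protocols, ciphers, stapling and response headers on a flag named `nginx_ssl_diffie_hellman` will surprise maintainers, so the block deserves a lead comment such as `# hardened TLS profile — enabled by :nginx_ssl_diffie_hellman (not only ssl_dhparam)`. The `server {` block opened at the top of this hunk closes outside it.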
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: magic_recipes_two
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.58
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Torsten Wetzel
|
@@ -137,6 +137,7 @@ files:
|
|
137
137
|
- lib/capistrano/magic_recipes/db.rb
|
138
138
|
- lib/capistrano/magic_recipes/exception_pages.rb
|
139
139
|
- lib/capistrano/magic_recipes/inform_slack.rb
|
140
|
+
- lib/capistrano/magic_recipes/lets_encrypt.rb
|
140
141
|
- lib/capistrano/magic_recipes/monit.rb
|
141
142
|
- lib/capistrano/magic_recipes/nginx.rb
|
142
143
|
- lib/capistrano/magic_recipes/redis.rb
|
@@ -148,6 +149,7 @@ files:
|
|
148
149
|
- lib/capistrano/tasks/db.rake
|
149
150
|
- lib/capistrano/tasks/exception_pages.rake
|
150
151
|
- lib/capistrano/tasks/inform_slack.rake
|
152
|
+
- lib/capistrano/tasks/lets_encrypt.rake
|
151
153
|
- lib/capistrano/tasks/monit.rake
|
152
154
|
- lib/capistrano/tasks/monit_sidekiq.rake
|
153
155
|
- lib/capistrano/tasks/nginx.rake
|