ajout des fichiers certificat tls

roles/docker-nextcloud/files/config.php

@@ -27,6 +27,7 @@ $CONFIG = array (
     2 => 's-mess',
     3 => 's-mess.gsb.lan',
     4 => 'localhost:8080',
+    5 => 's-nxec.gsb.lan',
   ),
   'trusted_proxies' => ['172.16.0.7'],
   'overwriteprotocol' => 'http',

roles/docker-nextcloud/files/dhparam.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA9YcWlg90PgLB2PS31Tv8mxn6cyRZd4GvX6tkqwOfXhdBZYzgoEnJ
+17U+hDqpT5utQpUbfR0//uXr53mpu3ufxCNJ9gSsCIAbmhTIT3qwLwUis3Etb8PA
+4LCTbVHvua5W7/pdM0s8PIOAWK7ah09p+mzwZqx5tKZWtbdERQKIAGE6Xmd4845/
+9oBWTj2g5t83Gt/fZDy+NVRy5ePb/KGix4bEmfnZ5htC/16VFPVrSZUALoxn8HtC
+3nn4eqBrZeAxY6UHuW0ZPkRmpLs3GCILa+gze+wDlKlhC+RQU/f8Fijo6SsQPzNf
+6BzJdoyeeE9OyyhhWu4Mihr39RnShk1ABO2eZrA1TE7L5X3YuCeIO09j99hkEsPr
+mX1zh+v4sx2FFMZLebu+5KYf+ROOOYtMy6AJQq55avccTPrs0S+pxswypbzMD4ym
+BYtPO46XYkRhrX47TfVHLW9oonDmMxPKNidNMrFtKW0b6f09iOcN9iEA/EM0s+3n
+uQ2h+bQrwGqo5aMSUuJ3w8EjFySIqKgU5ZxJzPGSndsqS7zd2hUxNx7EZueHXX5N
+CJ7kWRhIFv8YHHx0J/VFJieyr7DAUATu7chu4aGhwf2AoGYzmI0tjSh+3rQiDh7O
+h+JtKr+wifr9P2vBqIWFQltOC2srRs+EB+5/qN1iIjYmq52MkUbFLfMCAQI=
+-----END DH PARAMETERS-----

roles/docker-nextcloud/files/nginx-selfsigned.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEAzCCAuugAwIBAgIUAr99SgfwQjW0wJSay5rL7I8V6G4wDQYJKoZIhvcNAQEL
+BQAwgZAxCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlCb3VyZ29nbmUxDjAMBgNVBAcM
+BURpam9uMQwwCgYDVQQKDANHU0IxDjAMBgNVBAsMBWluZnJhMRcwFQYDVQQDDA5z
+LW54ZWMuZ3NiLmxhbjEmMCQGCSqGSIb3DQEJARYXYXhlbC5tcmwuc2NvbEBnbWFp
+bC5jb20wHhcNMjEwMzI5MDkzMTIxWhcNMjIwMzI5MDkzMTIxWjCBkDELMAkGA1UE
+BhMCRlIxEjAQBgNVBAgMCUJvdXJnb2duZTEOMAwGA1UEBwwFRGlqb24xDDAKBgNV
+BAoMA0dTQjEOMAwGA1UECwwFaW5mcmExFzAVBgNVBAMMDnMtbnhlYy5nc2IubGFu
+MSYwJAYJKoZIhvcNAQkBFhdheGVsLm1ybC5zY29sQGdtYWlsLmNvbTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+iB7H1clY8gwX6CQfBqU+V4gF4ZMmg
+HMbnoPvWV0WOJlgyODh5xdE11iJBBby8VNdiruGNJCeLeI4WWUUkJJXMyeWNTM6/
+JIZhVZI0UF042S/s8WdP+jls4aASkp0QH+XDs+758y5D9lRoX+At+bRZSC/Fz/tL
+Y16e15F1+BxZeSWUEajHZIJZ79gm0UQxA9HdHAHpoWR05P74Fy6rnOsQNtBW4Jkt
+xDb9CHRWNVjvbBuPsDwPTEOvMq94r5yWspHDhA3edvtAAJke5N9od4mN8KTJQouJ
+O0ZzvOYIofr8iQM3981p9MuBUwtDNT7+ns22lDXeORoliOCG1gE25DsCAwEAAaNT
+MFEwHQYDVR0OBBYEFJgtmIFxdyFe3vZ/a3UwxORCZiLiMB8GA1UdIwQYMBaAFJgt
+mIFxdyFe3vZ/a3UwxORCZiLiMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggEBAJm7oJOJev7hh/G1xCPPyASWn9s9C9sb5zbxyq1gF5P6Br8Xof9OJ1ZE
+XJaH1MwxxR+2Qhok6gERBSqpwe6jnreImOpqhHEQGdMWJvIRlvTPQmEj/mCoLGKf
+DsIvl3ug4OfNqMojwYlGhsfQH92Qz2pnE88pLIT13y85c8TJHti2+GOxOTSxYLrs
+lt3fYYjnSZ2mm9fLBcP/XgdCSTeN6XwpJr2b56sVh0uehFXnkgzjDd+PTGkIgnfT
+/eXtX8+VbQIOSEOrIt0GneBZ3n37FSgz/y9TR5HgNKyt74oxbLsYR0qWpbCcEjw+
+ex/v7vE3bXgPGE56NzhlM1Pjh90R9hI=
+-----END CERTIFICATE-----

roles/docker-nextcloud/files/nginx-selfsigned.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvogex9XJWPIMF
++gkHwalPleIBeGTJoBzG56D71ldFjiZYMjg4ecXRNdYiQQW8vFTXYq7hjSQni3iO
+FllFJCSVzMnljUzOvySGYVWSNFBdONkv7PFnT/o5bOGgEpKdEB/lw7Pu+fMuQ/ZU
+aF/gLfm0WUgvxc/7S2NenteRdfgcWXkllBGox2SCWe/YJtFEMQPR3RwB6aFkdOT+
++Bcuq5zrEDbQVuCZLcQ2/Qh0VjVY72wbj7A8D0xDrzKveK+clrKRw4QN3nb7QACZ
+HuTfaHeJjfCkyUKLiTtGc7zmCKH6/IkDN/fNafTLgVMLQzU+/p7NtpQ13jkaJYjg
+htYBNuQ7AgMBAAECggEAfyHLbi7cL74nnZjrFnlBpIE7EpNiaWyDyBr8ta7mh0up
+R+g6N+81mQXeVfc5PvAYfbxKGKyBAjr77eYRgnHyJZkSgB5y/ajwuHEWbvl9Pq2a
+0Q0zhPQojY7aF3O6OwTkAf5Sbebx94hsc5cF55GAEeMa1LHcpethJ6nVIs8A5QtP
+ZgGlfFkgGXp1GQPmeX1jQePSp8nqCftIwFPOuLcuQnisc282NCRHl3M+VlnUIZNL
+fgRxalurrnaKf5P9DRvxiGlUJzoH1h0tgYbfUMpoRXdYYK3wjVbWWPROrS1c1yrl
+17W004k8Fb++rUmQucQEtsiID/ymAMZPtiCG2IqvwQKBgQDjQGf8GFt04ypvoux/
+acOMtHXaA1k1Fa6Gtvr3dCfhlm4dCxvHfAqWawW2GXrSajhVRe+vcqBMyKAY5G3a
+O3nZNpFliMqbftzKkF6AThIgaDaGAzfr+I88urvX0od1+wzjzievOHOlbil3OriD
+HrGmfO/xnnXkgHCQK2YjmhFeoQKBgQDF2fEp5HZAZFWy55LVlS6DIDFfK2DShCNf
+ENcDp1YWz/PCbHTY0xXZ6T4TOX14YYmeZVZFCUcpWGQrfL+ogJhoM9iQFuzYrzMz
+iYjgICeTJPLGQawC6CKVFcE7i6kjNie66IjEIZj1rS2zG/+WVTl95M8JxJO2U7a/
+7JiYJiehWwKBgQCqxb6euisYJpHAPL3ebbtO5Fnf0D5cXwO9JopoJHjH1ITA/JUO
+jo9iQ+CR3Inoz3uv0RNyVABUUzvEGPzYT3OcoJ4Yn/gpa+c9rcnmP0Tt54J5qLeA
+c1QofeclI4c6SMOB+WznBtQZEDTG7XC0z/8OLrsdZkgPw9lS7doejOvaoQKBgGbV
+azp561h2jfBp2nC2lDFFN0Qe2LkyQuwzZX4ZqG488ZZZJrZXqGDVkRUO6X77Ozsf
+sqI5O0prDc1ojnk3NX/birEBqWLKVRNxZboQHGGnb6PKGGx+WRMh9ohLg8KwcB/+
+oq9GQylWNI2GfOaXL0WW+mE6UggPJMpGX92c3zZHAoGAMOFoxUjjzsB0oJLTuYax
+VKE7Jno24o5JeDRm69WS3E6boSZsIY/9r4jWtYiTbhwlTZpZMqad3h/zM/swHvVq
+hh1BaHXBik/9rpnyTMZ9vo6UNyYo/TJPH3yrKwZbF4Cn2uWQoJCfDeo9VXdIEbEn
+SwyeWd4Zkt/wvqmocF5KVqI=
+-----END PRIVATE KEY-----

roles/docker-nextcloud/files/proxy

@@ -21,16 +21,37 @@
 server {
 	listen 8080 default_server;
 	listen [::]:8080 default_server;
+	
+	server_name s-nxec.gsb.lan;
+
+	return 302 https://$server_name$request_uri;
+}
+#	location / {
+#		proxy_set_header Host $host;
+#		proxy_set_header X-Real-IP $remote_addr;
+#		proxy_pass http://localhost:5678;
+#		proxy_connect_timeout 900;
+#		proxy_send_timeout 900;
+#		proxy_read_timeout 900;
+
+server {
+	listen 443 ssl default_server;
+	listen [::]:443 ssl default_server;
+	server_name s-nxec.gsb.lan;
+
+	include snippets/self-signed.conf;
+	include snippets/ssl-params.conf;
 
 	location / {
-		proxy_set_header Host $host;
+                proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Real-IP $remote_addr;
-		proxy_pass http://localhost:5678;
+                proxy_pass http://localhost:5678;
-		proxy_connect_timeout 900;
+                proxy_connect_timeout 900;
-		proxy_send_timeout 900;
+                proxy_send_timeout 900;
-		proxy_read_timeout 900;
+                proxy_read_timeout 900;
 	}
 
+}
 	# SSL configuration
 	#
 	# listen 443 ssl default_server;
@@ -77,7 +98,7 @@ server {
 	#location ~ /\.ht {
 	#	deny all;
 	#}
-}
+
 
 
 # Virtual Host configuration for example.com

roles/docker-nextcloud/files/proxy.bak

@@ -0,0 +1,100 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 8080 default_server;
+	listen [::]:8080 default_server;
+
+	location / {
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass http://localhost:5678;
+		proxy_connect_timeout 900;
+		proxy_send_timeout 900;
+		proxy_read_timeout 900;
+	}
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+#	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+#	index index.html index.htm index.nginx-debian.html;
+
+#	server_name _;
+
+#	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+#		try_files $uri $uri/ =404;
+#	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php-fpm (or other unix sockets):
+	#	fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}

roles/docker-nextcloud/files/self-signed.conf

@@ -0,0 +1,2 @@
+ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

roles/docker-nextcloud/files/ssl-params.conf

@@ -0,0 +1,18 @@
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+ssl_session_timeout  10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver 172.16.0.1 valid=300s;
+resolver_timeout 5s;
+# Disable strict transport security for now. You can uncomment the following
+# line if you understand the implications.
+# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";

roles/docker-nextcloud/tasks/main.yml

@@ -40,7 +40,7 @@
     src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/proxy
     dest: /etc/nginx/sites-available
 
-- name: Supression de /etc/nginx/sites-enabled/default
+- name: Suppression de /etc/nginx/sites-enabled/default
   file:
     path: /etc/nginx/sites-enabled/default
     state: absent
@@ -53,7 +53,7 @@
     group: root
     state: link
 
-- name: Redemmarage de Nginx
+- name: Redemarage de Nginx
   service:
     name: nginx
     state: restarted
@@ -62,3 +62,28 @@
   copy:
     src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/config.php
     dest: /root/nextcloud/nextcloud/config 
+
+- name: Copie de nginx-selfsigned.key
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.key
+    dest: /etc/ssl/private
+
+- name: Copie nginx-selfsigned.crt
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.crt
+    dest: /etc/ssl/certs
+
+- name: Copie de dhparam.pem
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/dhparam.pem
+    dest: /etc/nginx
+
+- name: Copie de self-signed.conf
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/self-signed.conf
+    dest: /etc/nginx/snippets
+
+- name: Copie de ssl-params.conf
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/ssl-params.conf
+    dest: /etc/nginx/snippets