commit 0c8fcc05ab52068926f16419fbc73139066c9b76
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Jul 22 17:20:00 2016 +0200
Avoid overriding ssl.conf in distgit
playbooks/include/proxies-reverseproxy.yml | 8 ++--
roles/distgit/files/ssl.conf | 50 --------------------------
roles/distgit/tasks/main.yml | 5 ---
roles/httpd/mod_ssl/files/ssl.conf | 52 ++++++++++++++++++++++++++-
4 files changed, 54 insertions(+), 61 deletions(-)
---
diff --git a/playbooks/include/proxies-reverseproxy.yml
b/playbooks/include/proxies-reverseproxy.yml
index 2a239e5..d428703 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -13,8 +13,8 @@
roles:
- - role: httpd/reverseproxy
- website:
id.rpmfusion.org
- destname: id
- proxyurl:
http://localhost:10020
+# - role: httpd/reverseproxy
+# website:
id.rpmfusion.org
+# destname: id
+# proxyurl:
http://localhost:10020
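Review bot: The id.rpmfusion.org reverse-proxy role is commented out with no reason recorded, and neither the commit title nor the other hunks (which concern ssl.conf in the distgit role) explain why this playbook changes at all; a commented-out block in a play silently stops managing that vhost and tends to rot. Either drop the four lines outright or keep them with a why-comment such as `# id.rpmfusion.org proxying disabled: <reason>; re-enable once <condition>` so the next maintainer knows whether this is temporary. If id.rpmfusion.org is the identity/SSO endpoint, confirm that nothing else still advertises that vhost or depends on the proxy reaching localhost:10020. The hunk header claims 8 lines on each side but only the changed lines are visible here, so the trailing context is not shown.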
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index f7745f9..f8eedb9 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -24,11 +24,6 @@
notify:
- reload httpd
-- name: install the mod_ssl configuration
- copy: src=ssl.conf dest=/etc/httpd/conf.d/ssl.conf
- notify:
- - reload httpd
-
- name: allow httpd to access the files on NFS
seboolean: name=httpd_use_nfs state=yes persistent=yes
diff --git a/roles/httpd/mod_ssl/files/ssl.conf b/roles/httpd/mod_ssl/files/ssl.conf
index f0eadd7..9bb59bc 100644
--- a/roles/httpd/mod_ssl/files/ssl.conf
+++ b/roles/httpd/mod_ssl/files/ssl.conf
@@ -1,2 +1,50 @@
-LoadModule ssl_module modules/mod_ssl.so
-SSLRandomSeed connect "file:/dev/random" 1024
+#
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(1024000)
+SSLSessionCacheTimeout 600
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect file:/dev/random 1024
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
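Review bot: `SSLRandomSeed connect file:/dev/random 1024` carries over the removed two-line file even though the comment block directly above it warns that /dev/random blocks when entropy is short, so every TLS handshake can stall on an entropy-starved guest; change it to `SSLRandomSeed connect file:/dev/urandom 1024` (or `SSLRandomSeed connect builtin`, which as I recall is what the stock Fedora ssl.conf ships) and drop the commented `#SSLRandomSeed connect file:/dev/random 512` line so nobody re-enables it. The global context also sets no `SSLProtocol`, `SSLCipherSuite` or `SSLHonorCipherOrder`, so unless every vhost template in the httpd roles sets them the build's defaults apply; I would add `SSLProtocol all -SSLv2 -SSLv3` and `SSLHonorCipherOrder on` here with a comment that vhosts may only tighten them. The removed `LoadModule ssl_module modules/mod_ssl.so` has no replacement in this file, which is fine where httpd 2.4 loads the module from conf.modules.d/00-ssl.conf, but a header comment such as `# mod_ssl itself is loaded from conf.modules.d/00-ssl.conf (mod_ssl package)` would record that assumption. Since the distgit task that copied its own ssl.conf is deleted in this commit, also confirm the mod_ssl role installs this file to /etc/httpd/conf.d/ssl.conf, otherwise already-provisioned hosts keep the old copy.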