5bf96b27d6
This patch introduces a reverse proxy that terminates an HTTPS connection and forwards it to the redfish emulator behind that is running HTTP. Also the reverse proxy presents a self-signed certificate. Closes: #136 Relates-To: #136 Change-Id: If6ee705247ae8866d2674bff1ff034277f9c9177
104 lines
2.8 KiB
YAML
104 lines
2.8 KiB
YAML
- name: Install dependencies
|
|
include_tasks: dependencies.yaml
|
|
|
|
- name: Install apache2 package
|
|
apt:
|
|
name: apache2
|
|
state: present
|
|
become: true
|
|
|
|
- name: Disable default virtualhost
|
|
file:
|
|
path: /etc/apache2/sites-enabled/000-default.conf
|
|
state: absent
|
|
become: true
|
|
|
|
- name: Enable proxy related modules
|
|
apache2_module:
|
|
name: "{{ item }}"
|
|
state: present
|
|
with_items:
|
|
- headers
|
|
- proxy
|
|
- proxy_http
|
|
- rewrite
|
|
- ssl
|
|
become: true
|
|
|
|
- name: Generate private key for "{{ reverse_proxy_hostname }}"
|
|
openssl_privatekey:
|
|
path: /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem
|
|
become: true
|
|
|
|
- name: Generate CSR for "{{ reverse_proxy_hostname }}"
|
|
openssl_csr:
|
|
path: /tmp/{{ reverse_proxy_hostname }}.csr
|
|
privatekey_path: /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem
|
|
common_name: "{{ reverse_proxy_hostname }}"
|
|
subject_alt_name: "IP:{{ reverse_proxy_frontend_ip }}"
|
|
become: true
|
|
|
|
- name: Generate the self signed certificate for "{{ reverse_proxy_hostname }}"
|
|
openssl_certificate:
|
|
path: /etc/ssl/certs/{{ reverse_proxy_hostname }}-cert.pem
|
|
privatekey_path: /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem
|
|
csr_path: /tmp/{{ reverse_proxy_hostname }}.csr
|
|
provider: selfsigned
|
|
become: true
|
|
|
|
# TODO: Using dhparam can be good to have for HTTPS virtual host
|
|
# But it takes too much time to generate for each run.
|
|
# It can be enabled if necessary at a later point.
|
|
#- name: Generate Diffie-Hellman parameters with the default size (4096 bits)
|
|
# openssl_dhparam:
|
|
# path: /etc/ssl/certs/{{ reverse_proxy_hostname }}-dhparams.pem
|
|
|
|
- name: Remove older htpasswd file
|
|
file:
|
|
path: /etc/apache2/{{ reverse_proxy_hostname }}-passwd
|
|
state: absent
|
|
become: true
|
|
|
|
- name: Create username and password for basic authentication
|
|
htpasswd:
|
|
path: /etc/apache2/{{ reverse_proxy_hostname }}-passwd
|
|
name: "{{ reverse_proxy_username }}"
|
|
password: "{{ reverse_proxy_password }}"
|
|
become: true
|
|
|
|
- name: Add default virtual host
|
|
template:
|
|
src: etc/apache2/sites-available/000-default.conf.j2
|
|
dest: /etc/apache2/sites-available/000-default.conf
|
|
become: true
|
|
|
|
- name: Add ssl virtual host
|
|
template:
|
|
src: etc/apache2/sites-available/default-ssl.conf.j2
|
|
dest: /etc/apache2/sites-available/default-ssl.conf
|
|
become: true
|
|
|
|
- name: Add ssl configuration
|
|
template:
|
|
src: etc/apache2/conf-available/ssl-params.conf.j2
|
|
dest: /etc/apache2/conf-available/ssl-params.conf
|
|
become: true
|
|
|
|
- name: Enable default virtual host
|
|
command: a2ensite 000-default
|
|
become: true
|
|
|
|
- name: Enable ssl virtual host
|
|
command: a2ensite default-ssl
|
|
become: true
|
|
|
|
- name: Enable ssl configuration
|
|
command: a2enconf ssl-params
|
|
become: true
|
|
|
|
- name: Reload apache2 service
|
|
service:
|
|
name: apache2
|
|
state: reloaded
|
|
become: true
|