
Virtual media images can potentially contain sensitive data, such as password hashes or private keys. This change adds TLS to this traffic. A new HTTP server is now started with Nginx, serving the same /httpboot directory as the old one. If vmedia_enable_tls is true, the /redfish and /ilo directories are only accessible through it. One of the redfish-vmedia CI jobs has been switched to using TLS. Change-Id: I024b81efdbebe08ddb5a20cd0d5e7ae61a180f1b
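# Plain-HTTP server for the boot directory.
server {
    listen {{ file_url_port }};
    server_name {{ ansible_hostname }};
    root {{ http_boot_folder }};

    # Expose the boot directory under its own filesystem path as well, so
    # every file is reachable both below / and below this prefix.
    location {{ http_boot_folder }}/ {
        alias {{ http_boot_folder }}/;
    }
{% if vmedia_enable_tls | bool %}
    # Served only through TLS
    # Virtual media images can hold password hashes or private keys, so they
    # must not be handed out over clear text. `return` runs in the rewrite
    # phase, before access checks, so clients receive 404; `deny all` stays
    # as a backstop in case the return is ever removed.
    location ~ ^/(redfish|ilo)/ {
        deny all;
        return 404;
    }

    # The alias location above publishes the same files under a second URI
    # prefix that the regex does not match. Close that path too; otherwise
    # the TLS-only restriction covers only one of the two routes.
    # Longest-prefix matching picks these over the broader alias location.
    location {{ http_boot_folder }}/redfish/ {
        deny all;
        return 404;
    }
    location {{ http_boot_folder }}/ilo/ {
        deny all;
        return 404;
    }
{% endif %}
}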
{% if vmedia_enable_tls | bool %}
# TLS server for the same boot directory; rendered only when
# vmedia_enable_tls is true.
server {
    listen {{ file_url_port_tls }} ssl http2;
    server_name {{ ansible_hostname }};

    # NOTE(review): the key file should be readable only by the account
    # nginx starts as -- confirm where the role sets its ownership and mode.
    ssl_certificate_key {{ httpboot_private_key_path }};
    ssl_certificate {{ tls_certificate_path }};

    # NOTE(review): no ssl_protocols / ssl_ciphers are set here, so the
    # defaults of the installed nginx build apply -- confirm they exclude
    # legacy protocol versions while staying compatible with the BMCs that
    # fetch virtual media images.

    root {{ http_boot_folder }};
}
{% endif %}