commit b48788d52d9099965b206c54954bd6a865b459a2 parent 5033ad04c2a81b2aaff91f0f9147a141bc9b26df Author: Christian Grothoff <christian@grothoff.org> Date: Sat, 23 Nov 2024 23:18:14 +0100 do Diffstat:
| M | TODO | | | 14 | ++++++++++---- |
| M | roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2 | | | 3 | ++- |
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/TODO b/TODO
@@ -1,4 +1,10 @@
-- certbot was not finished!?
-- deploy custom challenger systemd service files (=> SMS done, postal+email to do!)
-- auditor-nginx setup missing
-- setup postfix (!) => can wait! (needed for email-challenger)
+@DVN:
+- certbot was not finished:
+ => setup *all* nginx configs to use 443 with certbot,
+ => always redirect from port 80 to port 443
+ => make sure certs are up-to-date during playbook
+ => probably use separate certs for each domain
+- auditor-nginx access control setup missing
+ => see FIXME
+- setup postfix role (needed for email-challenger)
+ => https://github.com/FoxyRoles/ansible-dkim seems about right!
diff --git a/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2 b/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2
@@ -10,7 +10,8 @@ server {
 keepalive_requests 1000000;
 keepalive_timeout 6500s;
-# TODO: setup access control!
+# FIXME: setup access control!
+# Use HTTP basic auth to deny all accesses without username+password
 location / {
 proxy_pass http://unix:/var/run/taler/auditor-httpd/auditor-http.sock;
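Review bot: The `location /` block under the new comment still proxies every request to the auditor-httpd socket with no authentication, so after this commit the endpoint is exactly as open as before and only the marker changed from TODO to FIXME. The directives the comment describes would be `auth_basic "<REALM>";` and `auth_basic_user_file <PATH_TO_HTPASSWD>;` inside `location /`, with the password file deployed by the role and readable only by the nginx user. Basic auth sends the credentials merely base64-encoded on every request, and the TODO change in this same commit says the nginx configs are not yet on 443, so the auth setup should land together with the TLS setup rather than ahead of it. The `server` block opens above the hunk and `location /` continues past it, so the listen directives and the rest of the proxy settings are not visible here.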