[mod] role:authelia-and-nginx:tls mode

2024-07-03 22:02:06 +02:00 · 2024-07-03 22:02:06 +02:00 · fc03370b19
commit fc03370b19
parent dc28d22a90
3 changed files with 49 additions and 23 deletions
--- a/roles/authelia-and-nginx/defaults/main.json
+++ b/roles/authelia-and-nginx/defaults/main.json
@ -1,3 +1,4 @@
 {
-	"var_authelia_and_nginx_domain": "authelia.example.org"
+	"var_authelia_and_nginx_domain": "authelia.example.org",
+	"var_authelia_and_nginx_tls_mode": "enable"
 }
--- a/roles/authelia-and-nginx/templates/conf.j2
+++ b/roles/authelia-and-nginx/templates/conf.j2
@ -1,22 +1,4 @@
-server {
-	server_name {{var_authelia_and_nginx_domain}};
-	
-	listen [::]:80;
-	listen 80;
-	
-	return 301 https://$server_name$request_uri;
-}
-
-server {
-	server_name {{var_authelia_and_nginx_domain}};
-	
-	listen [::]:443 ssl http2;
-	listen 443 ssl http2;
-	
-	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
-	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
-	include /etc/nginx/ssl-hardening.conf;
-	
+{% macro authelia_common() %}
 	location / {
 		## Headers
 		proxy_set_header Host $host;
@ -28,7 +10,7 @@ server {
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header Connection "";
-
+		
 		## Basic Proxy Configuration
 		client_body_buffer_size 128k;
 		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
@ -37,7 +19,7 @@ server {
 		proxy_cache_bypass $cookie_session;
 		proxy_no_cache $cookie_session;
 		proxy_buffers 64 256k;
-
+		
 		## Trusted Proxies Configuration
 		## Please read the following documentation before configuring this:
 		##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
@ -47,7 +29,7 @@ server {
 		# set_real_ip_from fc00::/7;
 		real_ip_header X-Forwarded-For;
 		real_ip_recursive on;
-
+		
 		## Advanced Proxy Configuration
 		send_timeout 5m;
 		proxy_read_timeout 360;
@ -60,4 +42,32 @@ server {
 	location /api/verify {
 		proxy_pass http://localhost:9091;
 	}
+{% endmacro %}
+
+server {
+	server_name {{var_authelia_and_nginx_domain}};
+	
+	listen 80;
+	listen [::]:80;
+	
+{% if (var_authelia_and_nginx_tls_mode == "force") %}
+	return 301 https://$http_host$request_uri;
+{% else %}
+	{{ authelia_common() }}
+{% endif %}
 }
+
+{% if (var_element_and_nginx_tls_mode != "disable") %}
+server {
+	server_name {{var_authelia_and_nginx_domain}};
+	
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+	{{ authelia_common() }}
+}
+{% endif %}
--- a/roles/authelia-and-nginx/vardef.json
+++ b/roles/authelia-and-nginx/vardef.json
@ -0,0 +1,15 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+        "type": "string",
+        "options": [
+			"disable",
+			"enable",
+			"force"
+        ],
+        "mandatory": false
+	}
+}