Merge pull request #1414 from roots/simplify-nginx-no-default-site-ssl

swalkinshaw · web-flow · commit 31d51a32613a · 2022-07-27T15:37:37.000-04:00
Simplify Nginx no-default sites for HTTPS
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -20,6 +20,11 @@ jobs:
           sudo apt-get autoremove
           sudo apt-get autoclean
           sudo rm -rf /etc/apparmor.d/abstractions/mysql /etc/apparmor.d/cache/usr.sbin.mysqld /etc/mysql /var/lib/mysql /var/log/mysql* /var/log/upstart/mysql.log* /var/run/mysqld ~/.mysql_history
+      - name: Remove and cleanup Nginx
+        run: |
+          sudo apt-get remove --purge nginx*
+          sudo apt-get autoremove
+          sudo apt-get autoclean
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml
@@ -2,19 +2,8 @@ site_uses_local_db: "{{ site_env.db_host == 'localhost' }}"
 nginx_wordpress_site_conf: wordpress-site.conf.j2
 nginx_ssl_path: "{{ nginx_path }}/ssl"
 
-ssl_default_site:
-  no_default:
-    site_hosts:
-      - canonical: request.is.invalid
-    ssl:
-      enabled: true
-      provider: self-signed
-    multisite: {}
-
 nginx_sites_confs:
   - src: no-default.conf.j2
-  - src: ssl.no-default.conf.j2
-    enabled: "{{ sites_use_ssl }}"
 
 # HSTS defaults
 nginx_hsts_max_age: 31536000
diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml
@@ -10,7 +10,7 @@
     src: self-signed-openssl-config.j2
     dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf"
     mode: '0644'
-  with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}"
+  with_dict: "{{ wordpress_sites }}"
   when:
     - sites_use_ssl | bool
     - ssl_enabled | bool
@@ -24,7 +24,7 @@
   args:
     chdir: "{{ nginx_ssl_path }}"
     creates: "{{ item.key }}.*"
-  with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}"
+  with_dict: "{{ wordpress_sites }}"
   when:
     - sites_use_ssl | bool
     - ssl_enabled | bool
diff --git a/roles/wordpress-setup/templates/no-default.conf.j2 b/roles/wordpress-setup/templates/no-default.conf.j2
@@ -12,3 +12,12 @@ server {
   listen 80 default_server deferred;
   return 444;
 }
+
+{% if sites_use_ssl %}
+server {
+  listen [::]:443 ssl default_server deferred;
+  listen 443 ssl default_server deferred;
+
+  ssl_reject_handshake on;
+}
+{% endif %}
diff --git a/roles/wordpress-setup/templates/ssl.no-default.conf.j2 b/roles/wordpress-setup/templates/ssl.no-default.conf.j2
