Further changes required to enable MTA-STS
It turns out that we need to host the policy file on a specific
subdomain, rather than the root domain. I don't think there can
be any harm from serving it from the root domain too, so I'm going
to leave that in place (it seems possible we'll want the .well-known
directory at some point anyway). Note that we do actually need to
respond on the subdomain too -- we can't just redirect (as was
my first approach).

These changes are actually already live, along with rotating the
TLS certificate to account for the new domain this adds.
PeterJCLaw committed Sep 30, 2023
1 parent e722f56 commit 68a11b1
Showing 2 changed files with 15 additions and 0 deletions.
1 change: 1 addition & 0 deletions host_vars/monty.studentrobotics.org.yml
Expand Up @@ -11,3 +11,4 @@ certbot_certs:
- studentrobotics.org
- www.studentrobotics.org
- monty.studentrobotics.org
- mta-sts.studentrobotics.org
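Review bot: adding `mta-sts.studentrobotics.org` to `certbot_certs` only matters once the certificate is actually reissued with the new SAN; the commit message says the certificate was rotated by hand alongside this change, so it is worth confirming that the certbot role itself re-runs issuance when this list changes, otherwise a fresh deploy from this host_vars file could end up serving a certificate that does not cover the new name, and MTA-STS policy fetches for that host would fail.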
14 changes: 14 additions & 0 deletions roles/srobo-nginx/templates/nginx.conf
Expand Up @@ -74,6 +74,20 @@ http {
}
}

server {
# Note: the listen options for these ports are configured by the above
# server block (nginx allows them to be specified exactly once even though
# several server blocks can listen to the same port).
listen 443 ssl;
listen [::]:443 ssl;
server_name mta-sts.studentrobotics.org;

location /.well-known/ {
root /var/www;
error_page 403 404 =404 /404.html;
}
}

server {
# Note: the listen options for these ports are configured by the above
# server block (nginx allows them to be specified exactly once even though
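Review bot: nothing in this change deploys the policy file that the new server block is meant to serve. The `location /.well-known/` block with `root /var/www;` means the MTA-STS policy is expected at `/var/www/.well-known/mta-sts.txt` on disk, but neither of the two changed files creates it, so a clean deploy of this role would bring up the `mta-sts.studentrobotics.org` vhost and answer 404 (via `error_page 403 404 =404 /404.html;`) for the policy. Consider templating the policy file into `/var/www/.well-known/` from the same role so the vhost and its content are provisioned together.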
