diff --git a/group_vars/all.yml b/group_vars/all.yml
index 8f4e27d..e30f478 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,4 +1,8 @@
 ---
+# Hostnames which are accepted as valid for this host (and not redirected away
+# from) even though they are not the canonical name.
+secondary_hostnames: []
+
 certbot_auto_renew: true
 certbot_auto_renew_user: root
 certbot_auto_renew_hour: "3"
diff --git a/host_vars/competitorsvcs.studentrobotics.org.yml b/host_vars/competitorsvcs.studentrobotics.org.yml
index f156525..e586f5a 100644
--- a/host_vars/competitorsvcs.studentrobotics.org.yml
+++ b/host_vars/competitorsvcs.studentrobotics.org.yml
@@ -1,6 +1,10 @@
 ---
 canonical_hostname: competitorsvcs.studentrobotics.org
 secondary_hostnames:
+ # Include our primary canonical hostname so that requests via the proxy there
+ # aren't redirected. This is needed (rather than overriding the Host header
+ # with the actual domain) so that urls generated by services hosted services
+ # include the right domain.
 - studentrobotics.org
 add_hsts_header: true
diff --git a/host_vars/monty.studentrobotics.org.yml b/host_vars/monty.studentrobotics.org.yml
index 397bd42..a95eff5 100644
--- a/host_vars/monty.studentrobotics.org.yml
+++ b/host_vars/monty.studentrobotics.org.yml
@@ -1,6 +1,5 @@
 ---
 canonical_hostname: studentrobotics.org
-secondary_hostnames:
 add_hsts_header: true
 certbot_create_if_missing: true
diff --git a/host_vars/sr-compsvc.yml b/host_vars/sr-compsvc.yml
index 4b0738d..e4d2f18 100644
--- a/host_vars/sr-compsvc.yml
+++ b/host_vars/sr-compsvc.yml
@@ -3,6 +3,9 @@
 canonical_hostname: sr-compsvc
 secondary_hostnames:
+ # See explanation in host_vars/competitorsvcs.studentrobotics.org.yml for why
+ # we include the proxy hostname here.
+ - sr-proxy
 add_hsts_header: false
 certbot_create_if_missing: false
diff --git a/host_vars/sr-proxy.yml b/host_vars/sr-proxy.yml
index e0ee6a1..0ee3d6c 100644
--- a/host_vars/sr-proxy.yml
+++ b/host_vars/sr-proxy.yml
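Review bot: The comment above the new `secondary_hostnames: []` default does not say that the value has to be a list, yet the nginx templates in this same commit iterate over it with `{% for %}`, so a host that sets the bare key (`secondary_hostnames:`, which YAML reads as null) fails at render time instead of falling back to this default. The monty and sr-proxy host_vars are cleaned up here for exactly that reason, but the next host file will not know. Suggest appending a third comment line: `# Must be a list (use [] for none): the nginx templates iterate over it, and a bare 'secondary_hostnames:' is null and breaks rendering.`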
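Review bot: The third line of the comment added under `secondary_hostnames:` in host_vars/competitorsvcs.studentrobotics.org.yml reads "urls generated by services hosted services include the right domain", which looks like a dropped or duplicated word. Suggest `# with the actual domain) so that urls generated by the services hosted here include the right domain.` It would also help to state the coupling the comment relies on, since it is not enforced anywhere in this file: the entry only does its job if the proxy passes the public hostname through as the Host header, e.g. `# Relies on the proxy forwarding the client's Host header rather than rewriting it.`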
@@ -2,7 +2,6 @@
 # This is a dev VM created by Vagrant.
 canonical_hostname: sr-proxy
-secondary_hostnames:
 add_hsts_header: false
 certbot_testmode: true
diff --git a/roles/competitor-services-nginx/templates/nginx.conf b/roles/competitor-services-nginx/templates/nginx.conf
index 1678d07..8c2ea27 100644
--- a/roles/competitor-services-nginx/templates/nginx.conf
+++ b/roles/competitor-services-nginx/templates/nginx.conf
@@ -70,7 +70,7 @@ http {
 # several server blocks can listen to the same port).
 listen 443 ssl;
 listen [::]:443 ssl;
- server_name {{ canonical_hostname }} {{ secondary_hostnames }};
+ server_name {{ canonical_hostname }} {% for name in secondary_hostnames %}{{ name }} {% endfor %};
 root /var/www;
 proxy_pass_request_headers on;
diff --git a/roles/srobo-nginx/templates/nginx.conf b/roles/srobo-nginx/templates/nginx.conf
index badee8b..9006a71 100644
--- a/roles/srobo-nginx/templates/nginx.conf
+++ b/roles/srobo-nginx/templates/nginx.conf
@@ -94,7 +94,7 @@ http {
 # several server blocks can listen to the same port).
 listen 443 ssl;
 listen [::]:443 ssl;
- server_name {{ canonical_hostname }} {{ secondary_hostnames }};
+ server_name {{ canonical_hostname }} {% for name in secondary_hostnames %}{{ name }} {% endfor %};
 root /var/www;
 proxy_pass_request_headers on;
@@ -123,7 +123,8 @@ http {
 # starting up, even if in a degraded mode.
 set $competitorsvcs 'competitorsvcs.studentrobotics.org';
 proxy_pass https://$competitorsvcs/code-submitter/;
- proxy_set_header Host $competitorsvcs;
+ # Note: don't set a Host header as we want the code-submitter to use our
+ # public hostname, not the hostname of the underlying machine.
 }
 {% endif %}
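Review bot: The new `server_name` line in roles/competitor-services-nginx/templates/nginx.conf (and the identical one at @@ -94 in roles/srobo-nginx/templates/nginx.conf) spells a plain join out as a loop and leaves a trailing space before the `;`; `server_name {{ canonical_hostname }} {{ secondary_hostnames | join(' ') }};` renders the same directive and reads as a single expression. Either form still fails at template time if a host leaves `secondary_hostnames` null, so the `[]` default added to group_vars/all.yml is load-bearing here; a one-line template comment, `# secondary_hostnames must be a list (default [] in group_vars/all.yml)`, would make that dependency visible where it bites. The enclosing server block starts before the hunk.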
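Review bot: Removing `proxy_set_header Host $competitorsvcs;` in the last hunk of roles/srobo-nginx/templates/nginx.conf does not by itself make nginx forward the client's Host header, which is what the replacement comment says is wanted: when no proxy_set_header for Host applies, nginx's built-in default is `Host $proxy_host`, and with this `proxy_pass` that is still the upstream name held in `$competitorsvcs`. The location would only pick up a server-level `proxy_set_header Host $host;` if it declares no proxy_set_header directives of its own, and the rest of this location lies outside the hunk, so I cannot confirm either way from the diff. If the public hostname must reach the code-submitter, set it explicitly, `proxy_set_header Host $host;`, and reword the comment to `# Forward the public hostname so the code-submitter generates URLs under it, not under the upstream machine's name.` The enclosing location block starts before the hunk.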