TLS encryption is an important part of maintaining the security and privacy of your users. To serve your website over HTTPS, you’ll need a certificate that’s been signed by a certificate authority (eg, DigiCert).
Add something like this to group_vars/all/main.yml:
# You'll need a valid certificate if you want to enable TLS for your website,
# though the example certificate and key below can be used for testing.
tls_enabled: True
# Remember that Nginx requires the certificate file to contain both the server
# certificate as well as any intermediate certificates.
# http://nginx.org/en/docs/http/configuring_https_servers.html#chains
tls_domain_cert: "files/pki/discourse.example.com.cert.pem"
# Ideally, store this encrypted: http://docs.ansible.com/playbooks_vault.html
tls_domain_key: |
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDT0ZyEYG21FUow
aqDFrgWT3bpnPHG2chJar/as1+hP5JeTpoB972OOybzK/NDUNl4A7/QgaE6M/xip
Tr1xfB/gcPl8VlwA4zJV/I5Wps/2xG++7+fysNj1d2r8dTsAa/C3y5xlku3uB9sI
5/736rG4LHZK0dxykl5UJznD1blt4Cl0pY0GMwtDOdy4olANsNN2k+NfgwLQyh3G
qXxe+AAGbgtsI2Vbvur+FgGzfYZVqs556xpJ/MO1HOzjxc7vcj5YLmawBNBKOEv8
fl2DHi6i3lxezXMOTw5yisA46Uy07tQ4WRIGVBdXbkr55NP7KonhfRCp7QhTG3b+
pokRVwTdAgMBAAECggEAGLf9a/VU2C0D22KWIHuOaxMVDbcgDgqB2dNvFfycP7aN
ec2UcR3eoGsqfQXD2P//OFzIQH/rqsiaOCfYM8Yocii89KWfVvsshJxUgAg3fLSv
1bhpeQjqSLsG4S9NE1+FV+2K8s+StJR2GzP3rTbWRofpxhF3iGdMWsW5GAF5AjlQ
DktUpNBzgmzIwDFoXpCSmoh6WV0UR89lq9N3WQU28pVT4q5ibJQe0Lge1rqNx57g
ZZRRDtXrEcLOnsjt2q0X9DYf4GsgA10/jMRrut4e0H2D2A1R6RopmSq3kklhZboF
S2CAyK1R3wPGHlMQwZlmx3cKvCml2nSM8FBglgEwAQKBgQD+JmHoSRfRtDCWwz8y
GKj0P28T0o2MR5JOZ/aobxxIGaX6Vk/OUBicOYPD0a2rF1SpEgAtdpJvUZr3CoFn
10MxQcSmMfiosbJaMm7svkglMQncA+aF8yGWclhc1Z2Ph0LQoFjDdoNKe/6HJBnF
VJsFERD/t7AE1iuCE5eMigJ//QKBgQDVXFfliYWGDFk74k1oZs6HAtK0tfLdM2eP
QxQxx0U5zmEFkgBoFZs3Cn+DAirAZHk5m7WumEULS3pzHho0oXUfQMl7L3yb3SrN
CR/CMtUtX75l7RKCUFR5fvszSY6Pr26XOp5tUTfPqF50gFS6aSqNWqu5irpEsInz
rypFJt5+YQKBgQCJ+FhKe/O8Wi/OiKw0DAMcpZstja5eKzSX8ASNp9QYqCPc5SJq
BD14AhkwIxI+wWmqZyVFiQsx94FC/6cEsm29vdB90L8HBYCnSp3BVANifV623D83
FKh1PhoOO8FPe8Sf8Yx+gEYCF5Iz1ztOTwHhHES4LgYWehYghXZOS1XUGQKBgBcK
Kr+xswZ/rN8nl95PQ7wWlPRItZonY+Z3guXBM/uDCr0UQBD9TE6MRqq6AC3Ya7LJ
2ruo28PVebqWpJPMX55pW5h+z0DxiB6t/oz0+ko1DZVqHVaPICAikzO9nLRtaE7S
WKtLWvCEqPaBqSScGKk9AlA959FlEvCKmNDw2pPhAoGALNSLIrURXGfg9QzC73e5
0O3XArzaDzbosGA6KE/vP+dYH+QT4WtNLL6nuNt1A2Dam0p7MWaJUhIXVFIlxE2Z
Cbpk6p6Koq/lK+9UsvX0YRbd5IW+NzhKhLI3aLikzvjSX4vH8wd9M0oqvLEoY/y/
07EVWt1m48RIo6ZGKMa5HzQ=
-----END PRIVATE KEY-----Now re-run deploy-local.sh. If this is successful, login to your admin
dashboard and enable HTTPS.
You can use ansible-vault to store your private key in an encrypted file.
Place any variables you want to protect (eg, tls_domain_key) inside
group_vars/all/vault.yml:
$ ansible-vault create group_vars/all/vault.ymlRead the Ansible Vault documentation for more information.
HSTS protects your users against downgrade attacks. Only configure HSTS after you've deployed your site with HTTPS enabled and know it's working.
tls_response_headers:
- 'Strict-Transport-Security "max-age=15768000"'OCSP stapling improves both performance and users’ privacy.
# Concatenate the CA root and intermediate certificates to create the bundle.
# OCSP will not work without this.
tls_ocsp_stapling_enabled: True
tls_ca_bundle: "files/pki/ExampleCA.bundle.pem"
nginx_resolver: "127.0.0.1"By default, Unbound is installed as a local DNS resolver. If you aren't running
Unbound, you should change nginx_resolver to an available DNS resolver (eg,
8.8.8.8).
Only enable Public Key Pinning if you know what you're doing. It can make your website inaccessible, and returning visitors may be blocked until the HPKP header expires. It’s experimental and not yet recommended on production sites.
You can pass any headers you want for HTTPS connections using
the tls_response_headers variable, so simply append the HPKP header:
hpkp_header: 'pin-sha256="foo"; pin-sha256="bar"; max-age=5184000;'
tls_response_headers:
- 'Strict-Transport-Security "max-age=15768000"'
- "Public-Key-Pins '{{ hpkp_header }}'