Merge pull request #117 from hic-infra/cran-cert

Add optional SSL cert to reverse_proxy
hic-infra · Aug 8, 2024 · 371209d · 371209d
2 parents 602028c + ea85324
commit 371209d
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 0 deletions.
diff --git a/reverse_proxy/defaults/main.yml b/reverse_proxy/defaults/main.yml
@@ -17,3 +17,10 @@ av_scanner_header_name: Avscanner
 
 # For Sophos use:
 # av_scanner: /opt/sophos-spl/plugins/av/bin/avscanner
+
+
+# For certificates:
+cran_cert: ""
+cran_cert_key: ""
+conda_cert: ""
+conda_cert_key: ""
diff --git a/reverse_proxy/tasks/conda.yml b/reverse_proxy/tasks/conda.yml
@@ -10,4 +10,6 @@
     upstream_endpoint: https://conda.anaconda.org/
     eicar_path: conda-forge/eicar/download/noarch/eicar.conda
     endpoint_regex: "({{ conda_pkg_regex }}|{{ conda_repo_regex }})"
+    certificate_file: "{{ conda_cert }}"
+    certificate_key_file: "{{ conda_cert_key }}"
   notify: restart nginx
diff --git a/reverse_proxy/tasks/cran.yml b/reverse_proxy/tasks/cran.yml
@@ -10,4 +10,6 @@
     upstream_endpoint: "{{ cran_mirror }}"
     eicar_path: src/contrib/eicar.tar.gz
     endpoint_regex: "{{ cran_regex }}"
+    certificate_file: "{{ cran_cert }}"
+    certificate_key_file: "{{ cran_cert_key }}"
   notify: restart nginx
diff --git a/reverse_proxy/templates/generic.conf.j2 b/reverse_proxy/templates/generic.conf.j2
@@ -2,6 +2,12 @@ server {
   listen 80;
   server_name {{ generic_name }}.{{zone}};
 
+  {% if certificate_file %}
+  listen 443 ssl;
+  ssl_certificate {{ certificate_file }};
+  ssl_certificate_key {{ certificate_key_file }};
+  {% endif %}
+
   # Internal only endpoint for performing a proxy pass to the cran mirror.
   location /{{ generic_name }}-fetch {
     internal;