From 68a11b1551a09b40a34b62ce8b8c3b6ef20e8ddf Mon Sep 17 00:00:00 2001
From: Peter Law
Date: Sat, 30 Sep 2023 23:34:46 +0100
Subject: [PATCH] Further changes required to enable MTA-STS
It turns out that we need to host the policy file on a specific subdomain, rather than the root domain. I don't think there can be any harm from serving it from the root domain too, so I'm going to leave that in place (it seems possible we'll want the .well-known directory at some point anyway). Note that we do actually need to respond on the subdomain too -- we can't just redirect (as was my first approach). These changes are actually already live, along with rotating the TLS certificate to account for the new domain this adds.
---
 host_vars/monty.studentrobotics.org.yml | 1 +
 roles/srobo-nginx/templates/nginx.conf | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/host_vars/monty.studentrobotics.org.yml b/host_vars/monty.studentrobotics.org.yml
index 3e27bfa..397bd42 100644
--- a/host_vars/monty.studentrobotics.org.yml
+++ b/host_vars/monty.studentrobotics.org.yml
@@ -11,3 +11,4 @@ certbot_certs:
 - studentrobotics.org
 - www.studentrobotics.org
 - monty.studentrobotics.org
+ - mta-sts.studentrobotics.org
diff --git a/roles/srobo-nginx/templates/nginx.conf b/roles/srobo-nginx/templates/nginx.conf
index 5ce49ab..e7f1521 100644
--- a/roles/srobo-nginx/templates/nginx.conf
+++ b/roles/srobo-nginx/templates/nginx.conf
@@ -74,6 +74,20 @@ http {
 }
 }
+ server {
+ # Note: the listen options for these ports are configured by the above
+ # server block (nginx allows them to be specified exactly once even though
+ # several server blocks can listen to the same port).
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name mta-sts.studentrobotics.org;
+
+ location /.well-known/ {
+ root /var/www;
+ error_page 403 404 =404 /404.html;
+ }
+ }
+
 server {
 # Note: the listen options for these ports are configured by the above
 # server block (nginx allows them to be specified exactly once even though
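Review bot: The new mta-sts server block declares only a `location /.well-known/` and no `root` at server level, so the `error_page 403 404 =404 /404.html;` internal redirect has no matching location and `/404.html` (like any request outside `/.well-known/`) is resolved against nginx's default root rather than `/var/www`; presumably the neighbouring server blocks define this differently, so it is worth confirming the 404 page actually resolves here or adding `root /var/www;` at the server level. The block also carries no comment saying what it is for; a header such as `# Serves the MTA-STS policy (RFC 8461) at https://mta-sts.studentrobotics.org/.well-known/mta-sts.txt - senders will not follow redirects, and the file must be returned as text/plain.` would capture the constraint the commit message explains. No `ssl_certificate` directives appear in the block, so the certificate covering the new name (the host_vars hunk adds it to certbot_certs) must be inherited from the `http` context or an earlier server block outside this hunk; confirm that is the case, since a name mismatch here fails the policy fetch. The enclosing `http` block starts and ends outside the hunk.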