  1. Resources:
  2.     sslSecurityGroupIngress:
  3.         Type: AWS::EC2::SecurityGroupIngress
  4.         Properties:
  5.             GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
  6.             IpProtocol: tcp
  7.             ToPort: 443
  8.             FromPort: 443
  9.             CidrIp: 0.0.0.0/0
  10.  
  11. files:
  12.     /etc/httpd/conf.d/ssl.pre:
  13.         mode: "000644"
  14.         owner: root
  15.         group: root
  16.         content: |
  17.             LoadModule ssl_module modules/mod_ssl.so
  18.             Listen 443
  19.  
  20.             <VirtualHost *:443>
  21.                 <Directory /opt/python/current/app/build/static>
  22.                     Order deny,allow
  23.                     Allow from all
  24.                 </Directory>
  25.                
  26.                 SSLEngine on
  27.                 SSLCertificateFile "/etc/letsencrypt/live/teahrm.id/fullchain.pem"
  28.                 SSLCertificateKeyFile "/etc/letsencrypt/live/teahrm.id/privkey.pem"
  29.                 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  30.                 SSLProtocol All -SSLv2 -SSLv3
  31.                 SSLHonorCipherOrder On
  32.                 SSLSessionTickets Off
  33.                
  34.                 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  35.                 Header always set X-Frame-Options DENY
  36.                 Header always set X-Content-Type-Options nosniff
  37.                
  38.                 ProxyPass / http://localhost:80/ retry=0
  39.                 ProxyPassReverse / http://localhost:80/
  40.                 ProxyPreserveHost on
  41.                 RequestHeader set X-Forwarded-Proto "https" early
  42.                 # If you have pages that may take awhile to
  43.                 # respond, add a ProxyTimeout:
  44.                 # ProxyTimeout seconds
  45.             </VirtualHost>
  46.  
  47.     /tmp/renew_cert_cron:
  48.         mode: "000777"
  49.         owner: root
  50.         group: root
  51.         content: |
  52.             # renew Lets encrypt cert with certbot command
  53.             0 1,13 * * * /tmp/certbot-auto renew
  54.  
  55. packages:
  56.     yum:
  57.         epel-release: []
  58.         mod24_ssl : []
  59.  
  60. # Steps here
  61. # 1. Install certbot
  62. # 2. Get cert (stop apache before grabbing)
  63. # 3. Link certs where Apache can grab
  64. # 4. Get the Apache config in place
  65. # 5. Move certbot-auto into tmp folder
  66. container_commands:
  67.     10_installcertbot:
  68.         command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  69.     20_getcert:
  70.         command: "sudo ./certbot-auto certonly --debug --non-interactive --email [email protected] --agree-tos --debug --apache --domains teahrm.id --keep-until-expiring"
  71.     30_link:
  72.         command: "sudo ln -sf /etc/letsencrypt/live/teahrm.id /etc/letsencrypt/live/ebcert"
  73.     40_config:
  74.         command: "sudo mv /etc/httpd/conf.d/ssl.pre /etc/httpd/conf.d/ssl.conf"
  75.     50_mv_certbot_to_temp_for_cron_renew:
  76.         command: "sudo mv ./certbot-auto /tmp"
  77.     60_create_cert_crontab:
  78.         command: "sudo crontab /tmp/renew_cert_cron"
  79.     70_delete_cronjob_file:
  80.         command: "sudo  rm /tmp/renew_cert_cron"