add certificates for blue.user_content_domain

Author: Bryan Kendall

ansible/group_vars/alpha-proxy-socket-server.yml

@@ -15,5 +15,6 @@ docker_container_run_opts: >
   -v /etc/nginx/sites-available/:/etc/nginx/sites-enabled/:ro
   -v /etc/nginx/ssl/dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro
   -v /etc/ssl/certs/{{ domain }}:/etc/ssl/certs/{{ domain }}:ro
+  -v /etc/ssl/certs/{{ user_content_domain }}:/etc/ssl/certs/{{ user_content_domain }}:ro
   -v /etc/ssl/private:/etc/ssl/private:ro
   -v /var/log/nginx:/var/log/nginx

ansible/roles/user-content-pixel/templates/90-user-content-pixel.conf

@@ -1,6 +1,25 @@
 server {
-  listen 80;
+  listen 443 ssl;
   server_name blue.{{ user_content_domain }};
+  gzip off;
+
+  ssl on;
+  ssl_certificate /etc/ssl/certs/{{ user_content_domain }}/{{ user_content_domain }}.chained.crt;
+  ssl_certificate_key /etc/ssl/private/{{ user_content_domain }}.key;
+  ssl_trusted_certificate /etc/ssl/certs/{{ user_content_domain }}/ca.pem;
+
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 10m;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+  ssl_prefer_server_ciphers on;
+  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  resolver 8.8.8.8 8.8.4.4 valid=300s;
+  resolver_timeout 5s;
 
   location = /pixel.gif {
     add_header Set-Cookie "isModerating=1; Domain=.{{ user_content_domain }}; Path=/; HttpOnly; Secure;";