Adds certbot deploy hook to reload nginx after renewal (#1688)
In testing the lets-encrypt role recently, I forced renewal for an existing cert (`certbot --force-renewal renew`) and realized nginx was still serving the old certificate, even though the renewal technically worked.

This PR fixes that by using a deploy hook (documented here), which runs after successful certificate renewals (not each attempt). The deploy hook is simply a script that runs one command: `systemctl reload nginx`. Reloading nginx will cause it to start serving the new certificate, and gracefully shut down old worker processes.

For posterity's sake, if anyone already deployed the certbot changes in this PR, you can manually implement this fix if you don't want to destroy and recreate your existing Streisand server:

```
[root@streisand]# cat > /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx.sh << EOF
#!/bin/sh
systemctl reload nginx
EOF
```

Make sure the file is executable:

```
chmod u+x /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx.sh
```

If your certificate was already auto-renewed by certbot, you'll also need to reload nginx manually since the deploy hook wasn't present during renewal:

```
systemctl reload nginx
```
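A check for the failure this commit message describes (a renewed certificate on disk while nginx keeps serving the old one), as an added example that is not part of the commit or the Streisand code base. It compares the SHA-256 fingerprint of the on-disk certificate with the one the server presents; the function names, the script name and the default `/etc/letsencrypt/live/HOST/cert.pem` location are assumptions.

```shell
#!/bin/sh
# Added example: confirm nginx serves the certificate certbot just renewed.

# SHA-256 fingerprint of a PEM certificate read from stdin.
# Prints nothing if stdin does not contain a parsable certificate.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Leaf certificate presented by HOST:PORT (SNI set to HOST), as PEM.
served_pem() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Compare the certificate file $1 with a PEM certificate on stdin.
# Exit status: 0 = same certificate, 1 = different, 2 = one side unreadable.
compare_with_disk() {
    disk_fp=$(pem_fingerprint <"$1") || return 2
    live_fp=$(pem_fingerprint) || return 2
    [ -n "$disk_fp" ] && [ -n "$live_fp" ] || return 2
    if [ "$disk_fp" = "$live_fp" ]; then
        echo "OK: served certificate matches $1"
    else
        echo "STALE: server presents $live_fp, disk has $disk_fp"
        return 1
    fi
}

# check_served HOST PORT CERT_PEM
check_served() {
    served_pem "$1" "$2" | compare_with_disk "$3"
}

# Usage (hypothetical script name): check-served-cert.sh HOST [PORT] [CERT_PEM]
# The default path assumes the certbot lineage is named after HOST.
if [ "$#" -gt 0 ]; then
    check_served "$1" "${2:-443}" "${3:-/etc/letsencrypt/live/$1/cert.pem}"
fi
```

A `STALE` result after a renewal means the running nginx workers still hold the previous certificate, so the reload did not happen.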
Silence censorship. Automate the effect.
The Internet can be a little unfair. It’s way too easy for ISPs, telecoms, politicians, and corporations to block access to the sites and information that you care about. But breaking through these restrictions is tough. Or is it?
If you have an account with a cloud computing provider, Streisand can set up a new node with many censorship-resistant VPN services nearly automatically. You’ll need a little experience with a Unix command-line. (But without Streisand, it could take days for a skilled Unix administrator to configure these services securely!) At the end, you’ll have a private website with software and instructions.
Here’s what a sample Streisand server looks like.
There’s a list of supported cloud providers; experts may be able to use Streisand to install on many other cloud providers.
One type of tool that people use to avoid network censorship is a Virtual Private Network (VPN). There are many kinds of VPNs.
Not all network censorship is alike; in some places, it changes from day to day. Streisand provides many different VPN services to try. (You don’t have to install them all, though.)
Some Streisand services include add-ons for further censorship and throttling resistance:
We recommend using one of the above providers. If you are an expert and can set up a fresh Ubuntu 16.04 server elsewhere, there are “localhost” and “existing remote server” installation methods. For more information, see the advanced installation instructions.
You need command-line access to a Unix system. You can use Linux, BSD, or macOS; on Windows 10, the Windows Subsystem for Linux (WSL) counts as Linux.
Once you’re ready, see the full installation instructions.
Aside from a good deal of cleanup, we could really use:
We’re looking for help with both.
If there is something that you think Streisand should do, or if you find a bug in its documentation or execution, please file a report on the Issue Tracker.
Jason A. Donenfeld deserves a lot of credit for being brave enough to reimagine what a modern VPN should look like and for coming up with something as good as WireGuard. He has our sincere thanks for all of his patient help and high-quality feedback.
We are grateful to Trevor Smith for his massive contributions. He suggested the Gateway approach, provided tons of invaluable feedback, made everything look better, and developed the HTML template that served as the inspiration to take things to the next level before Streisand’s public release.
Starcadian’s ‘Sunset Blood’ album was played on repeat approximately 300 times during the first few months of work on the project in early 2014.