
Merge pull request #5 from ShaneMcC/allow-http-01

Serve /.well-known/acme-challenge/ for http-01 challenge.
Chris Smith 6 years ago
parent
commit
f3073f9898
2 changed files with 15 additions and 1 deletions
  1. 2
    1
      generate.py
  2. 13
    0
      nginx.tpl

+ 2
- 1
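--- a/generate.py
+++ b/generate.py
@@ -14,6 +14,7 @@ parser.add_argument('--etcd-prefix', help='Prefix to use when retrieving keys fr
 parser.add_argument('--trusted-cert-path', help='Path to use for trusted CA certificate. Use "%s" for hostname', default='/letsencrypt/certs/%s/chain.pem')
 parser.add_argument('--cert-path', help='Path to use for certificates. Use "%s" for hostname', default='/letsencrypt/certs/%s/fullchain.pem')
 parser.add_argument('--cert-key-path', help='Path to use for certificate private keys. Use "%s" for hostname', default='/letsencrypt/certs/%s/privkey.pem')
+parser.add_argument('--wellknown-path', help='Path to use for wellknown directory for http-01 challenge.', default='/letsencrypt/well-known/')
 args = parser.parse_args()
 
 jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'))
@@ -51,7 +52,7 @@ while True:
   if wroteConfig or len(services) > 0 or not os.path.isfile('/nginx-config/vhosts.conf'):
     with open('/nginx-config/vhosts.conf', 'w') as f:
       print('Writing vhosts.conf...', flush=True)
-      f.write(template.render(services=services))
+      f.write(template.render(services=services, wellknown_path=args.wellknown_path))
       wroteConfig = True;
     print('Done writing config.', flush=True)
   else: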
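Review bot: The `--wellknown-path` value added in the first hunk is handed to the template unchanged and ends up as an nginx `alias`, whose resolved file path depends on whether the value ends in a slash, so it should be normalised once right after `args = parser.parse_args()`: `if not args.wellknown_path.endswith('/'):` / `    args.wellknown_path += '/'`. The help text could also say that everything under this directory is served on every generated vhost, so it should contain only ACME challenge tokens. The `while True:` loop around the second hunk starts and ends outside the hunk.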

+ 13
- 0
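--- a/nginx.tpl
+++ b/nginx.tpl
@@ -16,6 +16,19 @@ server {
 
     include /etc/nginx/conf.d/{{ service.vhosts[0] }}/*.conf;
 
+    # From https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622
+    location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        alias {{ wellknown_path }};
+    }
+
+    # Hide /acme-challenge subdirectory and return 404 on all requests.
+    # It is somewhat more secure than letting Nginx return 403.
+    # Ending slash is important!
+    location = /.well-known/acme-challenge/ {
+        return 404;
+    }
+
     location / {
         proxy_pass {{ service.protocol }}://{{ service.upstream }};
         proxy_set_header Host $host;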
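Review bot: The `alias {{ wellknown_path }};` line says nothing about what the variable must look like, yet the block is emitted for every service, so whatever directory the operator passes is served unauthenticated under /.well-known/acme-challenge/ on every vhost; with the certificate material defaulting to /letsencrypt/certs/ in generate.py, a too-broad value such as the parent directory would expose it. I would add a template comment above the first location block: `# wellknown_path must end with '/' (alias substitution is slash-sensitive) and hold only ACME challenge tokens; its entire contents are served on every vhost.`. The enclosing `server {` block starts and ends outside the hunk.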
