From 99902d8737cd01b2788ec51b06d314a36135be2c Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 28 Jun 2017 22:11:04 +0200
Subject: Provide nginx configuration snippet.
---
Changelog | 1 +
config/nginx.conf | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
create mode 100644 config/nginx.conf
diff --git a/Changelog b/Changelog
index 0619ffd..59d5153 100644
--- a/Changelog
+++ b/Changelog
@@ -12,6 +12,7 @@ lacme (0.3) upstream; 'iptables' option to Yes. + Change 'min-days' default from 10 to 21, to avoid expiration notices from Let's Encrypt when auto-renewal is done by a cronjob. + + Provide nginx configuration snippet. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely.
diff --git a/config/nginx.conf b/config/nginx.conf
new file mode 100644
index 0000000..f842c12
--- /dev/null
+++ b/config/nginx.conf
@@ -0,0 +1,18 @@
+# Let nginx serve ACME requests directly, or pass them to lacme's
+# webserver component.
+#
+# This file needs to be sourced to the server directives (at least the
+# non-ssl one) of each virtual host requiring authorization.
+
+location /.well-known/acme-challenge/ {
+ # Pass ACME requests to lacme's webserver component
+ proxy_pass http://unix:/var/run/lacme.socket;
+
+ ## Alternatively, you can let nginx serve the requests by
+ ## setting 'challenge-directory' to '/var/www/acme-challenge' in
+ ## lacme's configuration file
+ # alias /var/www/acme-challenge/;
+ # default_type application/jose+json;
+ # disable_symlinks on from=$document_root;
+ # autoindex off;
+}
-- cgit v1.2.3
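Review bot: The `location /.well-known/acme-challenge/` block in config/nginx.conf is a plain prefix match, so in any virtual host that also defines a regex location matching these URIs (a dotfile deny rule such as `location ~ /\.`, or a script handler) nginx will select the regex location and the challenge request never reaches lacme's socket or the alias directory. Since the snippet is meant to be included into arbitrary server blocks, I would write it as `location ^~ /.well-known/acme-challenge/ {` so that regex locations are not consulted for this prefix. In the proxy variant it may also be worth adding `limit_except GET { deny all; }` so that only the request type ACME validation needs is forwarded to the webserver component; whether lacme already rejects other methods is not visible in this patch.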