authorGuilhem Moulin <guilhem@fripost.org>2021-02-14 20:40:29 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-14 20:40:50 +0100
commit956764d11c9445c835f992a782d90d8de90fe565 (patch)
tree86ec06baecf96383fa4866787ecb817085438e70
parenta903ea92dd736c560d21fe45063d4914765fa173 (diff)
Improve nginx/apache2 snippets for direct serving of challenge files.
With the new 'challenge-directory' logic symlinks can be disabled.
-rw-r--r--Changelog2
-rw-r--r--snippets/apache2.conf30
-rw-r--r--snippets/nginx.conf4
3 files changed, 29 insertions, 7 deletions
diff --git a/Changelog b/Changelog
index 39249b4..72e4be6 100644
--- a/Changelog
+++ b/Changelog
@@ -12,6 +12,8 @@ lacme (0.7.1) upstream;
* lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e.,
forces renewal regardless of the expiration date of existing
certificates.
+ + Improve nginx/apache2 snippets for direct serving of challenge files
+ (with the new 'challenge-directory' logic symlinks can be disabled).
- lacme: delay webserver socket shutdown to after the process has
terminated.
- documentation: suggest to generate private key material with
diff --git a/snippets/apache2.conf b/snippets/apache2.conf
index 45d7c7f..69d80a7 100644
--- a/snippets/apache2.conf
+++ b/snippets/apache2.conf
@@ -1,11 +1,29 @@
-# Use Apache2 to serve ACME requests by passing them over to a
-# locally-bound lacme webserver component.
+# Use Apache2 to serve ACME requests; either directly, or by passing
+# them over to a locally-bound lacme webserver component.
#
# This file needs to be sourced to the server directives (at least the
# non-ssl one) of each virtual host requiring authorization.
+# Alternatively, run `a2enconf lacme` and reload apache2.
-<Location /.well-known/acme-challenge/>
- ProxyPass unix://@@runstatedir@@/lacme-www.socket|http://localhost/.well-known/acme-challenge/
- Require all granted
-</Location>
+# Pass ACME requests to lacme's webserver component
+<IfModule mod_proxy_http.c>
+ <Location /.well-known/acme-challenge/>
+ ProxyPass unix://@@runstatedir@@/lacme-www.socket|http://localhost/.well-known/acme-challenge/
+ Require all granted
+ </Location>
+</IfModule>
+
+
+## Alternatively, you can let Apache2 serve the requests by
+## setting 'challenge-directory' to '/var/www/acme-challenge' in
+## lacme's configuration file and uncomment the following:
+
+#<IfModule mod_alias.c>
+# Alias /.well-known/acme-challenge/ /var/www/acme-challenge/
+# <Directory /var/www/acme-challenge/>
+# Options none
+# AllowOverride none
+# Require all granted
+# </Directory>
+#</IfModule>
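Review bot: The new comment ending in "uncomment the following:" does not say that the `ProxyPass` `<Location>` block above must be disabled at the same time, so an admin who enables the `Alias` block ends up with two handlers configured for `/.well-known/acme-challenge/`. Which one answers then depends on Apache's module ordering (probably still the proxy), so requests may keep going to lacme's webserver while the admin believes only static files from a symlink-free directory are served. I would word it as `## ... comment out the <IfModule mod_proxy_http.c> block above and uncomment the following:`. A one-line comment above `Options none` would also help, e.g. `# 'Options none' keeps FollowSymLinks off; do not relax it for this directory`, since that appears to be the hardening the commit message refers to. The same missing instruction applies to the nginx hunk, where `proxy_pass` stays active in the same `location` as the commented-out `alias`.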
diff --git a/snippets/nginx.conf b/snippets/nginx.conf
index af2e92e..76309f0 100644
--- a/snippets/nginx.conf
+++ b/snippets/nginx.conf
@@ -8,9 +8,11 @@ location ^~ /.well-known/acme-challenge/ {
# Pass ACME requests to lacme's webserver component
proxy_pass http://unix:@@runstatedir@@/lacme-www.socket;
+
## Alternatively, you can let nginx serve the requests by
## setting 'challenge-directory' to '/var/www/acme-challenge' in
- ## lacme's configuration file
+ ## lacme's configuration file and uncomment the following:
+
# alias /var/www/acme-challenge/;
# default_type application/jose+json;
# disable_symlinks on;