authorGuilhem Moulin <guilhem@fripost.org>2017-06-28 17:19:46 +0200
committerGuilhem Moulin <guilhem@fripost.org>2017-06-28 22:09:43 +0200
commit944407621f313c15f6cfd53267da1ddbdaceec9f (patch)
tree1602c3136d28ac54dafec995a7b6d0a6e83ff8e2 /config
parentf4af28d7e526bd56a78225daf84d11cdf96bd611 (diff)
webserver: allow listening to multiple addresses.
(Useful when dual-stack IPv4/IPv6 is not supported.) Also, change the default to listen to a UNIX-domain socket </var/run/lacme.socket>. Moreover temporary iptables rules are no longer installed. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes.
Diffstat (limited to 'config')
-rw-r--r--config/lacme.conf34
1 files changed, 16 insertions, 18 deletions
diff --git a/config/lacme.conf b/config/lacme.conf
index c5efb03..874bb1f 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -16,18 +16,16 @@
# since the two processes communicate through a socket pair. See the
# "accountd" section below for details.
#
-#socket = /run/user/1000/S.lacme
+#socket =
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
-# Default: "nobody".
#
-#user = lacme
+#user = nobody
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Preserve root privileges if the value is empty (not recommended).
-# Default: "nogroup".
#
#group = nogroup
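Review bot: With the "Default:" lines removed from the `user` and `group` comments, the commented-out assignments are the only statement of the defaults, and nothing visible in this hunk says that this is the convention. An empty `#socket =` here, like `#challenge-directory =` in the [webserver] hunk and `#user =` / `#group =` in the [accountd] hunk, can be read as either "unset by default" or "no default documented". That matters most for `user` and `group`, where the comment says an empty value preserves root privileges. I would state the convention once near the top of the file, for example `# Commented-out assignments show the built-in defaults; an empty value means the option is unset by default.`, or keep an explicit "Default:" line on the privilege-dropping options. The `socket` comment starts above this hunk, so part of this may already be covered there.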
@@ -35,11 +33,11 @@
#
#command = /usr/lib/lacme/client
-# Root URI of the ACME server. NOTE: Use the staging server for testing
-# as it has relaxed rate-limiting.
+# Root URI of the ACME server. NOTE: Use the staging server
+# <https://acme-staging.api.letsencrypt.org/> for testing as it has
+# relaxed rate-limiting.
#
#server = https://acme-v01.api.letsencrypt.org/
-#server = https://acme-staging.api.letsencrypt.org/
# Timeout in seconds after which the client stops polling the ACME
# server and considers the request failed.
@@ -61,17 +59,17 @@
[webserver]
-# Specify the local address to listen on, in the form ADDRESS[:PORT].
+# Comma- or space-separated list of addresses to listen on, for instance
+# "0.0.0.0:80 [::]:80".
#
-#listen = 0.0.0.0:80
-#listen = [::]:80
+#listen = /var/run/lacme.socket
-# If a webserver is already running, specify a non-existent directory
-# under which the webserver is configured to serve GET requests for
-# challenge files under "/.well-known/acme-challenge/" (for each virtual
-# hosts requiring authorization) as static files.
+# Non-existent directory under which an external HTTP daemon is
+# configured to serve GET requests for challenge files under
+# "/.well-known/acme-challenge/" (for each virtual host requiring
+# authorization) as static files.
#
-#challenge-directory = /var/www/acme-challenge
+#challenge-directory =
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
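Review bot: The new `listen` comment gives only an ADDRESS:PORT example ("0.0.0.0:80 [::]:80"), while the default on the following line is a filesystem path, so the file never says that a path is accepted or what it means. Going by the commit message, a path is a UNIX-domain socket and a host with a public HTTP daemon is expected to forward challenge requests to it; the comment should say so, for example `# An absolute path denotes a UNIX-domain socket; the public HTTP daemon must then proxy "/.well-known/acme-challenge/" to it.` It should also say which local account needs access to /var/run/lacme.socket, since the socket's ownership and mode decide who can reach the challenge responder. How the socket is created is not visible in this hunk. The `user` comment that follows continues past the end of the hunk.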
@@ -92,7 +90,7 @@
# ADDRESS[:PORT] specified with listen. Theses rules are automatically
# removed once lacme(1) exits.
#
-#iptables = Yes
+#iptables = No
[accountd]
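Review bot: The context above `iptables` still refers to "the ADDRESS[:PORT] specified with listen", but `listen` is now a list whose default is a socket path, so the text no longer says which entries get a temporary rule. The comment should say that the option only applies to INET entries of `listen` and has no effect for a UNIX-domain socket, if that is how the code behaves. With the default now `No`, it is also worth one line telling operators who listen directly on 0.0.0.0 or [::] that port 80 must already be reachable unless they set `iptables = Yes`; otherwise an upgrade can fail authorization with no hint in the config. The comment block starts above this hunk, so I can only see its last two lines.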
@@ -103,13 +101,13 @@
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty.
#
-#user = root
+#user =
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Preserve root privileges if the value is empty.
#
-#group = root
+#group =
# Path to the lacme-accountd(1) executable.
#