| author | Guilhem Moulin <guilhem@fripost.org> | 2017-06-28 17:19:46 +0200 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2017-06-28 22:09:43 +0200 | 
| commit | 944407621f313c15f6cfd53267da1ddbdaceec9f (patch) | |
| tree | 1602c3136d28ac54dafec995a7b6d0a6e83ff8e2 /config | |
| parent | f4af28d7e526bd56a78225daf84d11cdf96bd611 (diff) | |
webserver: allow listening to multiple addresses.
(Useful when dual-stack IPv4/IPv6 is not supported.)  Also, change the
default to listen to a UNIX-domain socket </var/run/lacme.socket>.
Moreover temporary iptables rules are no longer installed by default.  Hosts
without a public HTTP daemon listening on port 80 need to set the
'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables'
option to Yes.
Diffstat (limited to 'config')
| -rw-r--r-- | config/lacme.conf | 34 | 
1 files changed, 16 insertions, 18 deletions
|
diff --git a/config/lacme.conf b/config/lacme.conf
index c5efb03..874bb1f 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -16,18 +16,16 @@
 # since the two processes communicate through a socket pair.  See the
 # "accountd" section below for details.
 #
-#socket = /run/user/1000/S.lacme
+#socket =
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty (not recommended).
-# Default: "nobody".
 #
-#user = lacme
+#user = nobody
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
 # Preserve root privileges if the value is empty (not recommended).
-# Default: "nogroup".
 #
 #group = nogroup
@@ -35,11 +33,11 @@
 #
 #command = /usr/lib/lacme/client
-# Root URI of the ACME server.  NOTE: Use the staging server for testing
-# as it has relaxed rate-limiting.
+# Root URI of the ACME server.  NOTE: Use the staging server
+# <https://acme-staging.api.letsencrypt.org/> for testing as it has
+# relaxed rate-limiting.
 #
 #server = https://acme-v01.api.letsencrypt.org/
-#server = https://acme-staging.api.letsencrypt.org/
 # Timeout in seconds after which the client stops polling the ACME
 # server and considers the request failed.
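Review bot: The documented example for the privilege-drop target moves from a dedicated `lacme` account to `nobody` (`+#user = nobody`), while `#group = nogroup` stays; on most systems `nobody`/`nogroup` is shared by other unprivileged services, so a compromised client process would run under the same identity as them rather than in isolation. If the intent is only to show the built-in default, the comment should still steer operators toward a dedicated account, e.g. replace the retained caveat line with `# Preserve root privileges if the value is empty (not recommended);` / `# prefer a dedicated account over the shared "nobody" user.` on both the user and group keys. The section header these keys belong to is above the hunk, so I cannot tell which process this applies to from the hunk alone.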
@@ -61,17 +59,17 @@
 [webserver]
-# Specify the local address to listen on, in the form ADDRESS[:PORT].
+# Comma- or space-separated list of addresses to listen on, for instance
+# "0.0.0.0:80 [::]:80".
 #
-#listen = 0.0.0.0:80
-#listen = [::]:80
+#listen = /var/run/lacme.socket
-# If a webserver is already running, specify a non-existent directory
-# under which the webserver is configured to serve GET requests for
-# challenge files under "/.well-known/acme-challenge/" (for each virtual
-# hosts requiring authorization) as static files.
+# Non-existent directory under which an external HTTP daemon is
+# configured to serve GET requests for challenge files under
+# "/.well-known/acme-challenge/" (for each virtual host requiring
+# authorization) as static files.
 #
-#challenge-directory = /var/www/acme-challenge
+#challenge-directory =
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty (not recommended).
@@ -92,7 +90,7 @@
 # ADDRESS[:PORT] specified with listen.  Theses rules are automatically
 # removed once lacme(1) exits.
 #
-#iptables = Yes
+#iptables = No
 [accountd]
@@ -103,13 +101,13 @@
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty.
 #
-#user = root
+#user =
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
 # Preserve root privileges if the value is empty.
 #
-#group = root
+#group =
 # Path to the lacme-accountd(1) executable.
 #
|
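Review bot: The new `listen` comment documents only INET-style entries (`"0.0.0.0:80 [::]:80"`) while the new default `+#listen = /var/run/lacme.socket` is a filesystem path, so an operator cannot tell from the file that a UNIX-domain socket is accepted, nor who is allowed to connect to it — for a socket file that is decided by its ownership and mode, which this hunk does not state. I would extend the comment to `# Each entry is either ADDRESS[:PORT] or the absolute path of a UNIX-domain` / `# socket; the external HTTP daemon must be able to connect to that socket.` and add the socket file's mode/owner once confirmed from the webserver code. The commit message says hosts without a port-80 daemon must set `listen` to `[::]`/`0.0.0.0`; that guidance belongs in this comment too, since the config file is what operators read.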
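Review bot: With `+#iptables = No` the context comment above it still says rules are installed for "ADDRESS[:PORT] specified with listen", but the new default `listen` value in the previous hunk is a UNIX-domain socket path, for which a firewall rule has nothing to match; the comment should say when this option is meaningful. I would add `# Only relevant when 'listen' contains INET addresses; set to Yes on hosts` / `# that have no HTTP daemon on port 80 and bind 0.0.0.0 / [::] directly.` — presumably a socket-path entry is simply ignored by the rule installer, but that is not visible here. The `[webserver]` section header is in the previous hunk, not this one.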
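Review bot: Clearing the example values under `[accountd]` (`+#user =`, `+#group =`) makes the documented default "Preserve root privileges if the value is empty", yet unlike the two other sections this comment carries no "(not recommended)" caveat and no rationale for keeping root. If lacme-accountd is the process that holds the private account key — the hunk does not show this — the comment should say so and what is expected: `# Preserve root privileges if the value is empty.  The account key must` / `# be readable by this user; prefer a dedicated unprivileged account.` Otherwise the missing caveat reads as an endorsement of running the key holder as root.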
