author | Guilhem Moulin <guilhem@fripost.org> | 2017-06-28 17:19:46 +0200 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2017-06-28 22:09:43 +0200 |
commit | 944407621f313c15f6cfd53267da1ddbdaceec9f (patch) | |
tree | 1602c3136d28ac54dafec995a7b6d0a6e83ff8e2 /config | |
parent | f4af28d7e526bd56a78225daf84d11cdf96bd611 (diff) |
webserver: allow listening to multiple addresses.
(Useful when dual-stack IPv4/IPv6 is not supported.) Also, change the
default to listen to a UNIX-domain socket </var/run/lacme.socket>.
Moreover, temporary iptables rules are no longer installed. Hosts
without a public HTTP daemon listening on port 80 need to set the
'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables'
option to Yes.
Diffstat (limited to 'config')
-rw-r--r-- | config/lacme.conf | 34 |
1 files changed, 16 insertions, 18 deletions
diff --git a/config/lacme.conf b/config/lacme.conf
index c5efb03..874bb1f 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -16,18 +16,16 @@
 # since the two processes communicate through a socket pair. See the
 # "accountd" section below for details.
 #
-#socket = /run/user/1000/S.lacme
+#socket =
 
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty (not recommended).
-# Default: "nobody".
 #
-#user = lacme
+#user = nobody
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
 # Preserve root privileges if the value is empty (not recommended).
-# Default: "nogroup".
 #
 #group = nogroup
 
@@ -35,11 +33,11 @@
 #
 #command = /usr/lib/lacme/client
 
-# Root URI of the ACME server. NOTE: Use the staging server for testing
-# as it has relaxed rate-limiting.
+# Root URI of the ACME server. NOTE: Use the staging server
+# <https://acme-staging.api.letsencrypt.org/> for testing as it has
+# relaxed rate-limiting.
 #
 #server = https://acme-v01.api.letsencrypt.org/
-#server = https://acme-staging.api.letsencrypt.org/
 
 # Timeout in seconds after which the client stops polling the ACME
 # server and considers the request failed.
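Review bot: The commented default `#socket =` in the first hunk no longer shows an example value, and the context lines visible here do not say what an empty value means; only the removed `/run/user/1000/S.lacme` hinted that this is the path of a lacme-accountd(1) UNIX-domain socket. Unless the comment lines above the hunk already cover it, add something like `# Leave empty to have lacme(1) run lacme-accountd(1) itself (the two processes then talk over a socket pair, as described above).` — the spawning behaviour is inferred from the surrounding comment, not visible in the hunk. The comment block this line belongs to starts before the hunk.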
@@ -61,17 +59,17 @@
 
 [webserver]
 
-# Specify the local address to listen on, in the form ADDRESS[:PORT].
+# Comma- or space-separated list of addresses to listen on, for instance
+# "0.0.0.0:80 [::]:80".
 #
-#listen = 0.0.0.0:80
-#listen = [::]:80
+#listen = /var/run/lacme.socket
 
-# If a webserver is already running, specify a non-existent directory
-# under which the webserver is configured to serve GET requests for
-# challenge files under "/.well-known/acme-challenge/" (for each virtual
-# hosts requiring authorization) as static files.
+# Non-existent directory under which an external HTTP daemon is
+# configured to serve GET requests for challenge files under
+# "/.well-known/acme-challenge/" (for each virtual host requiring
+# authorization) as static files.
 #
-#challenge-directory = /var/www/acme-challenge
+#challenge-directory =
 
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty (not recommended).
@@ -92,7 +90,7 @@
 # ADDRESS[:PORT] specified with listen. Theses rules are automatically
 # removed once lacme(1) exits.
 #
-#iptables = Yes
+#iptables = No
 
 [accountd]
 
@@ -103,13 +101,13 @@
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty.
 #
-#user = root
+#user =
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
 # Preserve root privileges if the value is empty.
 #
-#group = root
+#group =
 
 # Path to the lacme-accountd(1) executable.
 #
|
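Review bot: The new `listen` comment describes only ADDRESS[:PORT] entries, yet the default it documents is the filesystem path `/var/run/lacme.socket`, and nothing in the hunk says that a path is taken as a UNIX-domain socket or how the external HTTP daemon described under `challenge-directory` is expected to reach it. Suggest adding after the example line `# An entry starting with "/" is the path of a UNIX-domain socket; an` / `# external HTTP daemon must then proxy "/.well-known/acme-challenge/"` / `# requests to it.` — wording to be confirmed against the actual parsing rule, which is not visible here. It would also help to state whether setting `challenge-directory` replaces the built-in listener, since the two options read as alternatives but the hunk does not say which takes precedence.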
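Review bot: The `iptables` comment above the new `#iptables = No` default still refers to "the ADDRESS[:PORT] specified with listen" in the singular, while `listen` now accepts a list of addresses and defaults to a UNIX-domain socket path, so a reader cannot tell whether a rule is opened for each listed address or what happens for a socket entry. If rules are indeed added per address and skipped for socket paths — the commit message suggests the former, the hunk shows neither — change the context line to `# each ADDRESS[:PORT] specified with listen (socket paths are ignored). These rules are automatically`. The same line carries the typo "Theses". This comment block begins before the hunk.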