| -rw-r--r-- | config/nginx.conf | 6 | ||||
| -rw-r--r-- | lacme.md | 8 | 
2 files changed, 10 insertions, 4 deletions
|
diff --git a/config/nginx.conf b/config/nginx.conf
index f842c12..e4ceb0c 100644
--- a/config/nginx.conf
+++ b/config/nginx.conf
@@ -1,10 +1,10 @@
-# Let nginx serve ACME requests directly, or pass them to lacme's
-# webserver component.
+# Use nginx to serve ACME requests; either directly, or by passing them
+# over to a locally-bound lacme webserver component.
 #
 # This file needs to be sourced to the server directives (at least the
 # non-ssl one) of each virtual host requiring authorization.
-location /.well-known/acme-challenge/ {
+location ^~ /.well-known/acme-challenge/ {
     # Pass ACME requests to lacme's webserver component
     proxy_pass http://unix:/var/run/lacme.socket;
@@ -224,7 +224,7 @@ of [ACME] commands and dialogues with the remote [ACME] server).
 ---------------------
 This section is used to configure how [ACME] challenge responses are
-served.
+served during certificate issuance.
 *listen*
@@ -232,6 +232,12 @@ served.
     addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the
     `:PORT` suffix is optional and defaults to the HTTP port 80), or an
     absolute path of a UNIX-domain socket (created with mode `0666`).
+    Since the webserver component listens to a UNIX-domain socket by
+    default, it is only suitable when an external HTTP daemon is
+    publicly reachable and passes all ACME challenge requests to that
+    socket; if that's not the case, one needs to set *listen* to `[::]`
+    (or `0.0.0.0 [::]` when dual stack IPv4/IPv6 is disabled or
+    unavailable), and possibly also set *iptables* to `Yes`.
     Default: `/var/run/lacme.socket`.
 *challenge-directory*
|
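Review bot: The new `^~` modifier on the `location` line only stops regex `location`s from capturing the challenge path; as far as I recall nginx semantics, a server-level `return`/`rewrite` in the plain-HTTP vhost (the usual HTTP-to-HTTPS redirect) still runs before location matching and would swallow ACME requests, and the header comment does not warn about that. I would add under the "non-ssl one" sentence: `# NOTE: a server-level "return"/"rewrite" (e.g. an HTTP->HTTPS redirect) runs before` `# location matching and bypasses this block; put such redirects in "location / { ... }" instead.` The same comment says the file is "sourced" into the server directives; nginx's term is "included" (via the `include` directive), which is what a reader will grep for. The `location` block's closing brace lies outside the hunk, so I could not check whether any further directives (e.g. a method restriction) follow the `proxy_pass`.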
