-rw-r--r--Changelog4
-rw-r--r--snippets/apache2-static.conf16
-rw-r--r--snippets/apache2.conf19
-rw-r--r--snippets/nginx-static.conf15
-rw-r--r--snippets/nginx.conf19
5 files changed, 40 insertions, 33 deletions
diff --git a/Changelog b/Changelog
index 019c076..35503e9 100644
--- a/Changelog
+++ b/Changelog
@@ -24,6 +24,10 @@ lacme (0.7.1) upstream;
configuration file.
+ Improve nginx/apache2 snippets for direct serving of challenge files
(with the new 'challenge-directory' logic symlinks can be disabled).
+ + Split Nginx and Apapche2 static configuration snippets into seperate
+ files. That way users prefering that over reverse-proxying can just
+ source/enable the relevant files without having to uncomment
+ anything.
+ Add support for TLS Feature extension from RFC 7633; this is mostly
useful for OCSP Must-Staple.
+ client: use "lacme-client/$VERSION" as User-Agent header.
diff --git a/snippets/apache2-static.conf b/snippets/apache2-static.conf
new file mode 100644
index 0000000..9262179
--- /dev/null
+++ b/snippets/apache2-static.conf
@@ -0,0 +1,16 @@
+# Use Apache2 to serve ACME requests directly.
+# This snippet requires setting challenge-directory = /var/www/acme-challenge
+# in /etc/lacme/lacme.config, and creating this file with write
+# permissions for the lacme client user.
+#
+# This file needs to be sourced to the server directives (at least the
+# non-ssl one) of each virtual host requiring authorization.
+
+<IfModule mod_alias.c>
+ Alias /.well-known/acme-challenge/ /var/www/acme-challenge/
+ <Directory /var/www/acme-challenge/>
+ Options none
+ AllowOverride none
+ Require all granted
+ </Directory>
+</IfModule>
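Review bot: The header comment says "creating this file with write permissions for the lacme client user", but `challenge-directory` and the `Alias` target are a directory, so that line should read `# in /etc/lacme/lacme.config, and creating this directory with write`. Everything placed there is served to anyone under `Require all granted`, so the comment could also say the directory should be writable by the lacme client user only, not by the web server account or other users. The same "this file" wording is in the header of snippets/nginx-static.conf.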
diff --git a/snippets/apache2.conf b/snippets/apache2.conf
index 69d80a7..31dd95a 100644
--- a/snippets/apache2.conf
+++ b/snippets/apache2.conf
@@ -1,29 +1,12 @@
-# Use Apache2 to serve ACME requests; either directly, or by passing
-# them over to a locally-bound lacme webserver component.
+# Use Apache2 to proxy ACME requests to a locally-bound lacme webserver.
#
# This file needs to be sourced to the server directives (at least the
# non-ssl one) of each virtual host requiring authorization.
# Alternatively, run `a2enconf lacme` and reload apache2.
-
-# Pass ACME requests to lacme's webserver component
<IfModule mod_proxy_http.c>
<Location /.well-known/acme-challenge/>
ProxyPass unix://@@runstatedir@@/lacme-www.socket|http://localhost/.well-known/acme-challenge/
Require all granted
</Location>
</IfModule>
-
-
-## Alternatively, you can let Apache2 serve the requests by
-## setting 'challenge-directory' to '/var/www/acme-challenge' in
-## lacme's configuration file and uncomment the following:
-
-#<IfModule mod_alias.c>
-# Alias /.well-known/acme-challenge/ /var/www/acme-challenge/
-# <Directory /var/www/acme-challenge/>
-# Options none
-# AllowOverride none
-# Require all granted
-# </Directory>
-#</IfModule>
diff --git a/snippets/nginx-static.conf b/snippets/nginx-static.conf
new file mode 100644
index 0000000..febe4dc
--- /dev/null
+++ b/snippets/nginx-static.conf
@@ -0,0 +1,15 @@
+# Use Nginx to serve ACME requests directly.
+# This snippet requires setting challenge-directory = /var/www/acme-challenge
+# in /etc/lacme/lacme.config, and creating this file with write
+# permissions for the lacme client user.
+#
+# One of the nginx*.conf file needs to be sourced to the server
+# directives (at least the non-ssl one) of each virtual host requiring
+# authorization.
+
+location ^~ /.well-known/acme-challenge/ {
+ alias /var/www/acme-challenge/;
+ default_type application/jose+json;
+ disable_symlinks on;
+ autoindex off;
+}
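Review bot: `disable_symlinks on;` denies access when any component of the path is a symlink, not only the challenge file, so on a host where /var/www or a parent is a symlink, challenge requests would presumably be refused and validation would fail. A comment inside the location would help, e.g. `# 'disable_symlinks on' checks every path component; add from=... if a parent directory is a symlink`. Separately, the header's "One of the nginx*.conf file" would be clearer as "Exactly one of the nginx*.conf files", because both snippets declare the same `location ^~ /.well-known/acme-challenge/` and nginx refuses a duplicate location in one server block. The same header wording is in snippets/nginx.conf.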
diff --git a/snippets/nginx.conf b/snippets/nginx.conf
index 76309f0..891a834 100644
--- a/snippets/nginx.conf
+++ b/snippets/nginx.conf
@@ -1,20 +1,9 @@
-# Use Nginx to serve ACME requests; either directly, or by passing them
-# over to a locally-bound lacme webserver component.
+# Use Nginx to proxy ACME requests to a locally-bound lacme webserver.
#
-# This file needs to be sourced to the server directives (at least the
-# non-ssl one) of each virtual host requiring authorization.
+# One of the nginx*.conf file needs to be sourced to the server
+# directives (at least the non-ssl one) of each virtual host requiring
+# authorization.
location ^~ /.well-known/acme-challenge/ {
- # Pass ACME requests to lacme's webserver component
proxy_pass http://unix:@@runstatedir@@/lacme-www.socket;
-
-
- ## Alternatively, you can let nginx serve the requests by
- ## setting 'challenge-directory' to '/var/www/acme-challenge' in
- ## lacme's configuration file and uncomment the following:
-
- # alias /var/www/acme-challenge/;
- # default_type application/jose+json;
- # disable_symlinks on;
- # autoindex off;
}