aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--config/nginx.conf6
-rw-r--r--lacme.md8
2 files changed, 10 insertions, 4 deletions
diff --git a/config/nginx.conf b/config/nginx.conf
index f842c12..e4ceb0c 100644
--- a/config/nginx.conf
+++ b/config/nginx.conf
@@ -1,10 +1,10 @@
-# Let nginx serve ACME requests directly, or pass them to lacme's
-# webserver component.
+# Use nginx to serve ACME requests; either directly, or by passing them
+# over to a locally-bound lacme webserver component.
#
# This file needs to be sourced to the server directives (at least the
# non-ssl one) of each virtual host requiring authorization.
-location /.well-known/acme-challenge/ {
+location ^~ /.well-known/acme-challenge/ {
# Pass ACME requests to lacme's webserver component
proxy_pass http://unix:/var/run/lacme.socket;
diff --git a/lacme.md b/lacme.md
index 7f2e616..3ba4a44 100644
--- a/lacme.md
+++ b/lacme.md
@@ -224,7 +224,7 @@ of [ACME] commands and dialogues with the remote [ACME] server).
---------------------
This section is used to configure how [ACME] challenge responses are
-served.
+served during certificate issuance.
*listen*
@@ -232,6 +232,12 @@ served.
addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the
`:PORT` suffix is optional and defaults to the HTTP port 80), or an
absolute path of a UNIX-domain socket (created with mode `0666`).
+ Since the webserver component listens to a UNIX-domain socket by
+ default, it is only suitable when an external HTTP daemon is
+ publicly reachable and passes all ACME challenge requests to that
+ socket; if that's not the case, one needs to set *listen* to `[::]`
+ (or `0.0.0.0 [::]` when dual stack IPv4/IPv6 is disabled or
+ unavailable), and possibly also set *iptables* to `Yes`.
Default: `/var/run/lacme.socket`.
*challenge-directory*