From 944407621f313c15f6cfd53267da1ddbdaceec9f Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 28 Jun 2017 17:19:46 +0200 Subject: webserver: allow listening to multiple addresses. (Useful when dual-stack IPv4/IPv6 is not supported.) Also, change the default to listen to a UNIX-domain socket . Moreover temporary iptables rules are no longer installed. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes. --- config/lacme.conf | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index c5efb03..874bb1f 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -16,18 +16,16 @@ # since the two processes communicate through a socket pair. See the # "accountd" section below for details. # -#socket = /run/user/1000/S.lacme +#socket = # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty (not recommended). -# Default: "nobody". # -#user = lacme +#user = nobody # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). # Preserve root privileges if the value is empty (not recommended). -# Default: "nogroup". # #group = nogroup @@ -35,11 +33,11 @@ # #command = /usr/lib/lacme/client -# Root URI of the ACME server. NOTE: Use the staging server for testing -# as it has relaxed rate-limiting. +# Root URI of the ACME server. NOTE: Use the staging server +# for testing as it has +# relaxed rate-limiting. # #server = https://acme-v01.api.letsencrypt.org/ -#server = https://acme-staging.api.letsencrypt.org/ # Timeout in seconds after which the client stops polling the ACME # server and considers the request failed. @@ -61,17 +59,17 @@ [webserver] -# Specify the local address to listen on, in the form ADDRESS[:PORT]. +# Comma- or space-separated list of addresses to listen on, for instance +# "0.0.0.0:80 [::]:80". # -#listen = 0.0.0.0:80 -#listen = [::]:80 +#listen = /var/run/lacme.socket -# If a webserver is already running, specify a non-existent directory -# under which the webserver is configured to serve GET requests for -# challenge files under "/.well-known/acme-challenge/" (for each virtual -# hosts requiring authorization) as static files. +# Non-existent directory under which an external HTTP daemon is +# configured to serve GET requests for challenge files under +# "/.well-known/acme-challenge/" (for each virtual host requiring +# authorization) as static files. # -#challenge-directory = /var/www/acme-challenge +#challenge-directory = # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty (not recommended). @@ -92,7 +90,7 @@ # ADDRESS[:PORT] specified with listen. Theses rules are automatically # removed once lacme(1) exits. # -#iptables = Yes +#iptables = No [accountd] @@ -103,13 +101,13 @@ # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty. # -#user = root +#user = # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). # Preserve root privileges if the value is empty. # -#group = root +#group = # Path to the lacme-accountd(1) executable. # -- cgit v1.2.3