From a903ea92dd736c560d21fe45063d4914765fa173 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 14 Feb 2021 17:01:17 +0100
Subject: challenge-directory now needs to be set to an *existing* directory. Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale.
---
 snippets/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'snippets/nginx.conf')
diff --git a/snippets/nginx.conf b/snippets/nginx.conf
index 6775489..af2e92e 100644
--- a/snippets/nginx.conf
+++ b/snippets/nginx.conf
@@ -13,6 +13,6 @@ location ^~ /.well-known/acme-challenge/ {
 ## lacme's configuration file
 # alias /var/www/acme-challenge/;
 # default_type application/jose+json;
- # disable_symlinks on from=$document_root;
+ # disable_symlinks on;
 # autoindex off;
 }
-- cgit v1.2.3
From 956764d11c9445c835f992a782d90d8de90fe565 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 14 Feb 2021 20:40:29 +0100
Subject: Improve nginx/apache2 snippets for direct serving of challenge files. With the new 'challenge-directory' logic symlinks can be disabled.
---
 snippets/nginx.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'snippets/nginx.conf')
diff --git a/snippets/nginx.conf b/snippets/nginx.conf
index af2e92e..76309f0 100644
--- a/snippets/nginx.conf
+++ b/snippets/nginx.conf
@@ -8,9 +8,11 @@ location ^~ /.well-known/acme-challenge/ { # Pass ACME requests to lacme's webserver component proxy_pass http://unix:@@runstatedir@@/lacme-www.socket; + ## Alternatively, you can let nginx serve the requests by ## setting 'challenge-directory' to '/var/www/acme-challenge' in - ## lacme's configuration file + ## lacme's configuration file and uncomment the following: + # alias /var/www/acme-challenge/; # default_type application/jose+json; # disable_symlinks on;
-- cgit v1.2.3
From d6f008f8a3a9724e5acbcb8b9df29304279f4106 Mon Sep 17 00:00:00 2001
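Review bot: The new `disable_symlinks on;` line in the first hunk (`@@ -13,6 +13,6 @@`) carries no explanation of what dropping `from=$document_root` means for an admin who uncomments it. Without `from=`, nginx checks every component of the pathname and denies access if any of them is a symbolic link, so a setup where `/var/www` or the challenge directory itself is reached through a symlink will have its challenge requests refused. I would add a comment line above it, for example `# symlinks are rejected in every path component; the alias target must be a real directory`. The enclosing `location` block starts outside the hunk.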
From: Guilhem Moulin
Date: Wed, 17 Feb 2021 20:54:19 +0100
Subject: Split Nginx and Apapche2 static configuration snippets into seperate files. That way users prefering that over reverse-proxying can just source/enable the relevant files without having to uncomment anything.
---
 snippets/nginx.conf | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-) (limited to 'snippets/nginx.conf')
diff --git a/snippets/nginx.conf b/snippets/nginx.conf
index 76309f0..891a834 100644
--- a/snippets/nginx.conf
+++ b/snippets/nginx.conf
@@ -1,20 +1,9 @@
-# Use Nginx to serve ACME requests; either directly, or by passing them
-# over to a locally-bound lacme webserver component.
+# Use Nginx to proxy ACME requests to a locally-bound lacme webserver.
 #
-# This file needs to be sourced to the server directives (at least the
-# non-ssl one) of each virtual host requiring authorization.
+# One of the nginx*.conf file needs to be sourced to the server
+# directives (at least the non-ssl one) of each virtual host requiring
+# authorization.
 location ^~ /.well-known/acme-challenge/ {
- # Pass ACME requests to lacme's webserver component
 proxy_pass http://unix:@@runstatedir@@/lacme-www.socket;
-
-
- ## Alternatively, you can let nginx serve the requests by
- ## setting 'challenge-directory' to '/var/www/acme-challenge' in
- ## lacme's configuration file and uncomment the following:
-
- # alias /var/www/acme-challenge/;
- # default_type application/jose+json;
- # disable_symlinks on;
- # autoindex off;
 }
-- cgit v1.2.3
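Review bot: The rewritten header comment reads `One of the nginx*.conf file needs to be sourced`, which is ungrammatical and no longer tells the reader which variant this file is. I would change it to `# One of the nginx*.conf files needs to be sourced to the server` and keep the continuation lines as they are. With the static alternative removed from this file, nothing here points to where the direct-serving settings (`alias`, `disable_symlinks on`, `autoindex off`) now live. A one-line pointer to that snippet would help an admin choosing between the two; the other snippet files are not part of this view, so their names are not quoted here.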