From 36896bcfc9d1863d2ec759c1d63afd750df3e296 Mon Sep 17 00:00:00 2001
From: Jamie Curnow
Date: Fri, 16 Mar 2018 10:53:50 +1000
Subject: [PATCH] Bypass basic auth for letsencrypt acme requests, reload nginx after ssl renewals
---
 manager/src/backend/internal/ssl.js | 6 +++++-
 manager/src/backend/templates/proxy.conf.ejs | 9 ++++-----
 .../nginx/conf.d/include/letsencrypt-acme-challenge.conf | 3 ++-
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/manager/src/backend/internal/ssl.js b/manager/src/backend/internal/ssl.js
index b9f42be..fa70f52 100644
--- a/manager/src/backend/internal/ssl.js
+++ b/manager/src/backend/internal/ssl.js
@@ -30,7 +30,11 @@ const internalSsl = {
 .then(result => {
 logger.info(result);
 internalSsl.interval_processing = false;
- return result;
+
+ return internalNginx.reload()
+ .then(() => {
+ return result;
+ });
 })
 .catch(err => {
 logger.error(err);
diff --git a/manager/src/backend/templates/proxy.conf.ejs b/manager/src/backend/templates/proxy.conf.ejs
index ae328ad..4f32036 100644
--- a/manager/src/backend/templates/proxy.conf.ejs
+++ b/manager/src/backend/templates/proxy.conf.ejs
@@ -20,14 +20,13 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/<%- hostname %>/privkey.pem;
 <% } -%>
-<% if (typeof access_list_id !== 'undefined' && access_list_id) { -%>
- auth_basic "Authorization required";
- auth_basic_user_file /config/access/<%- access_list_id %>;
-<% } -%>
-
 <%- typeof advanced !== 'undefined' && advanced ? advanced : '' %>
 location / {
+ <% if (typeof access_list_id !== 'undefined' && access_list_id) { -%>
+ auth_basic "Authorization required";
+ auth_basic_user_file /config/access/<%- access_list_id %>;
+ <% } -%>
 <%- typeof force_ssl !== 'undefined' && force_ssl ? 'include conf.d/include/force-ssl.conf;' : '' %>
 include conf.d/include/proxy.conf;
 }
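Review bot: The added `return internalNginx.reload()` line references `internalNginx`, yet the diffstat shows only this hunk changing ssl.js with no require added, so unless that name is already bound above line 30 the call throws a ReferenceError inside the `.then`, which the existing `.catch` below merely logs. Worth confirming the module providing `internalNginx` is required in this file, because the symptom would be a silently skipped reload after every renewal while the renewed certificate sits unused on disk. A reload failure is also indistinguishable from a renewal failure in the log; I would give it its own message on the reload promise before handing back `result`, e.g. `.catch(err => { logger.error('nginx reload after SSL renewal failed'); throw err; })`. The enclosing promise chain starts and ends outside the hunk.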
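Review bot: Moving the `auth_basic` / `auth_basic_user_file` pair from server level into `location /` narrows the access list to that single location: any extra `location` blocks a user supplies through the `<%- advanced %>` line just above are no longer covered, whereas before they inherited the server-level directive. Since the acme-challenge include changed in this same commit already sets `auth_basic off;` inside its own location, the bypass works without this move; I would keep the directives at server level so the access list remains the default for every location and only the ACME path opts out. If the narrowing is intentional, the template should say so next to the added lines, e.g. `<%# access list applies to location / only; locations added via 'advanced' must set their own auth_basic %>`. The enclosing `server {` block starts and ends outside the hunk.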
diff --git a/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf b/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
index cd91d3f..c2c21b5 100644
--- a/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
+++ b/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
@@ -2,6 +2,7 @@
 # We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
 # other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
 location ^~ /.well-known/acme-challenge/ {
+ auth_basic off;
 # Set correct content type. According to this:
 # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
@@ -14,7 +15,7 @@ location ^~ /.well-known/acme-challenge/ {
 # there to "webroot".
 # Do NOT use alias, use root! Target directory is located here:
 # /var/www/common/letsencrypt/.well-known/acme-challenge/
- root /config/letsencrypt-acme-challenge;
+ root /config/letsencrypt-acme-challenge;
 }
 # Hide /acme-challenge subdirectory and return 404 on all requests.
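Review bot: The added `auth_basic off;` carries no comment in a file where every other directive is annotated, so someone later tightening access could remove it without realising it is what keeps certificate renewals working. I would precede it with `# ACME HTTP-01 validation is unauthenticated: override any auth_basic inherited from the enclosing server block.`. Note that this only disables HTTP basic auth; if a server block restricts this path with other access directives, those would still need a matching exception that this include cannot provide on its own. The second hunk in this file is a whitespace-only change to the `root` line.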