generated from nginxinc/template-repository
Use js_content to respond to challenge requests (#14)

* serve challenge responses with js_content to simplify config
* ensure challenge token is only base64url chars
* remove duplicate content
* fix README.md section that mentioned the deleted config var and outdated location block syntax
* enforce a length limit on the challenge token value; enforce only GET requests
* improve security with a regex match on the acme-challenge location
* update location example in readme
1 parent a9342d8, commit ddbd04e. Showing 5 changed files with 89 additions and 44 deletions.
@@ -25,12 +25,6 @@ You can use environment variables or NGINX configuration variables to control th | |
value: Space-separated list of hostnames, e.g. `www1.mydomain.com www2.mydomain.com`\ | ||
default: none (you must specify this!) | ||
|
||
### NGINX Variables Only (not allowed as environment variable) | ||
- `njs_acme_challenge_dir`\ | ||
NGINX variable with the path to where store HTTP-01 challenges.\ | ||
value: Any valid system path writable by the `nginx` user.\ | ||
default: none (you must specify this!) | ||
|
||
### Optional Variables | ||
- `NJS_ACME_VERIFY_PROVIDER_HTTPS`\ | ||
Verifies the ACME provider SSL certificate when connecting.\ | ||
|
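Review bot: Deleting the `njs_acme_challenge_dir` entry removes the only item under "NGINX Variables Only", so dropping that heading with it is right, but the "not allowed as environment variable" restriction vanishes silently and the replacement `NJS_ACME_CHALLENGE_DIR` entry lands in a different section of the README. A one-line note here, or in the Optional Variables intro, saying the challenge directory is now settable either way would spare upgraders a hunt for where the setting went.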
@@ -47,6 +41,11 @@ You can use environment variables or NGINX configuration variables to control th | |
value: Any valid system path writable by the `nginx` user. \ | ||
default: `/etc/nginx/njs-acme/` | ||
|
||
- `NJS_ACME_CHALLENGE_DIR`\ | ||
Path to store ACME-related challenge responses.\ | ||
value: Any valid system path writable by the `nginx` user. \ | ||
default: `${NJS_ACME_DIR}/challenge/` | ||
|
||
- `NJS_ACME_ACCOUNT_PRIVATE_JWK`\ | ||
Path to fetch/store the account private JWK.\ | ||
value: Path to the private JWK\ | ||
|
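Review bot: The added `NJS_ACME_CHALLENGE_DIR` entry says only "Path to store ACME-related challenge responses"; since this commit replaces the `root $njs_acme_challenge_dir;` directive with `js_content acme.challengeResponse;`, the description should add that the directory is read by the handler and is no longer served as a document root, so it needs to be accessible to the nginx worker and nothing else. Minor: `value: Any valid system path writable by the `nginx` user. \` carries a space before the trailing backslash, copied from the entry above; the rest of the file omits it.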
@@ -83,17 +82,15 @@ There are a few pieces that are required to be present in your `nginx.conf` file | |
|
||
### `server` Section | ||
* Set the hostname or hostnames (space-separated) to generate the certificate. | ||
This may also be the environment variable `NJS_ACME_SERVER_NAMES`. | ||
```nginx | ||
set $njs_acme_server_names proxy.nginx.com; | ||
``` | ||
* Set your email address to use to configure your ACME account. | ||
* Set your email address to use to configure your ACME account. This may also | ||
be the environment variable `NJS_ACME_ACCOUNT_EMAIL`. | ||
```nginx | ||
set $njs_acme_account_email [email protected]; | ||
``` | ||
* Set the directory to store challenges. This is also used in a `location{}` block below. | ||
```nginx | ||
set $njs_acme_challenge_dir /etc/nginx/njs-acme/challenge; | ||
``` | ||
* Set and use variables to hold the certificate and key paths using Javascript. | ||
```nginx | ||
js_set $dynamic_ssl_cert acme.js_cert; | ||
|
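Review bot: Dropping the "Set the directory to store challenges" bullet leaves the `server` section with no mention of where challenge responses are written, and a reader following this walkthrough will not know the path is still configurable. A short pointer here, for example "the challenge directory defaults to `${NJS_ACME_DIR}/challenge/`; see Optional Variables", keeps the section self-contained. The rewrapped email bullet is fine.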
@@ -103,11 +100,10 @@ There are a few pieces that are required to be present in your `nginx.conf` file | |
ssl_certificate_key $dynamic_ssl_key; | ||
``` | ||
### `location` Blocks | ||
* Location to handle ACME challenge requests. `$njs_acme_challenge_dir` is used here. | ||
* Location to handle ACME challenge requests. | ||
```nginx | ||
location ^~ /.well-known/acme-challenge/ { | ||
default_type "text/plain"; | ||
root $njs_acme_challenge_dir; | ||
location ~ "^/\.well-known/acme-challenge/[-_A-Za-z0-9]{22,128}$" { | ||
js_content acme.challengeResponse; | ||
} | ||
``` | ||
* Location, that when requested, inspects the stored certificate (if present) and will request a new certificate if necessary. The included `docker-compose.yml` shows how to use a `healthcheck:` configuration for the NGINX service to periodically request this endpoint. | ||
|
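Review bot: The README bullet still reads just "Location to handle ACME challenge requests." and does not say what the new regex enforces: `[-_A-Za-z0-9]{22,128}` restricts the last path segment to base64url characters with no padding, at least 22 of them (the length of a 128-bit token), so requests with `..`, extra `/` segments or other characters never reach `acme.challengeResponse` and fall through to the server's other locations. Spell that out in the bullet, together with the GET-only restriction the commit message records, so operators know which requests the handler will and will not answer.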
@@ -1,5 +1,4 @@ | ||
daemon off; | ||
#master_process off; | ||
user nginx; | ||
|
||
load_module modules/ngx_http_js_module.so; | ||
|
@@ -24,7 +23,6 @@ http { | |
resolver_timeout 5s; | ||
|
||
server { | ||
|
||
listen 0.0.0.0:8000; # testing with 8000 should be 80 in prod, pebble usees httpPort in integration-tests/pebble/config.json | ||
listen 443 ssl http2; | ||
server_name proxy.nginx.com; | ||
|
@@ -34,7 +32,6 @@ http { | |
## Mandatory Variables | ||
set $njs_acme_server_names proxy.nginx.com; | ||
set $njs_acme_account_email [email protected]; | ||
set $njs_acme_challenge_dir /etc/nginx/njs-acme/challenge; # must be an nginx variable, not an environment variable | ||
## Optional Variables | ||
#set $njs_acme_dir /etc/nginx/njs-acme; | ||
#set $njs_acme_account_private_jwk /etc/nginx/njs-acme/account_private_key.json; | ||
|
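Review bot: With `set $njs_acme_challenge_dir` removed from Mandatory Variables, the sample config no longer shows the challenge path anywhere, while the README in this same commit documents `NJS_ACME_CHALLENGE_DIR` as an optional setting with a default. If the lowercase nginx-variable form is still honoured, as the commented `#set $njs_acme_dir` and `#set $njs_acme_account_private_jwk` lines show for the other optional settings, add a matching commented `#set $njs_acme_challenge_dir /etc/nginx/njs-acme/challenge;` under Optional Variables so the config stays a complete reference.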
@@ -51,16 +48,14 @@ http { | |
return 200 "hello server_name:$server_name\nssl_session_id:$ssl_session_id\n"; | ||
} | ||
|
||
location ^~ /.well-known/acme-challenge/ { | ||
default_type "text/plain"; | ||
root $njs_acme_challenge_dir; | ||
location ~ "^/\.well-known/acme-challenge/[-_A-Za-z0-9]{22,128}$" { | ||
js_content acme.challengeResponse; | ||
} | ||
|
||
location = /acme/auto { | ||
js_content acme.clientAutoMode; | ||
} | ||
|
||
|
||
location = /csr/new { | ||
js_content acme.createCsrHandler; | ||
} | ||
|
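Review bot: Replacing the `^~ /.well-known/acme-challenge/` prefix location with a `location ~` regex changes the matching rules: nginx tests regex locations in the order they appear and takes the first match, and a `^~` prefix location elsewhere in this `server{}` that matches `/.well-known/` would win outright. Keep this block ahead of any other regex location in the file and add a comment saying so. Also, because `default_type "text/plain";` is dropped here, confirm that `acme.challengeResponse` sets the Content-Type header itself rather than inheriting whatever `default_type` applies at the `http{}` level.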
@@ -69,3 +64,4 @@ http { | |
js_content acme.acmeNewAccount; | ||
} | ||
} | ||
} |