chore/doc: explicit policy on missing certificate #2465

pini-gh · 2024-05-27T10:26:26Z

This doesn't change the current nginx-proxy behavior, but makes explicit the current HTTPS_METHOD policy on missing certificate.

docs/README.md

Co-authored-by: Nicolas Duchon <nicolas.duchon@gmail.com>

docs/README.md

ConnorNelson · 2024-05-29T01:37:42Z

I use nginx-proxy, and acme-companion. In my production setup, both run successfully. In my development setup, I allow acme-companion to fail to generate a certificate (DNS isn't pointed at CI). This worked great, my development setup would just stick to HTTP, and I didn't need to support any special-case logic.

Now, I get 503s. This seems to be coming from:

# nginx -s reload
2024/05/28 23:40:30 [emerg] 305#305: duplicate location "/.well-known/acme-challenge/" in /etc/nginx/vhost.d/default:2
nginx: [emerg] duplicate location "/.well-known/acme-challenge/" in /etc/nginx/vhost.d/default:2

Inside /etc/nginx/conf.d/default.conf:

...
server {
    server_name localhost.pwn.college;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 80 default_server;
    location /.well-known/acme-challenge/ {
        auth_basic off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    listen 443 ssl default_server;
    # No certificate found for this vhost, so use the default certificate and
    # return an error code if the user connects via https.
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    if ($https) {
        return 500;
    }
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://localhost.pwn.college;
        set $upstream_keepalive false;
        include /etc/nginx/vhost.d/default_location;
    }
}

Inside /etc/nginx/vhost.d/default:

## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
    auth_request off;
    allow all;
    root /usr/share/nginx/html;
    try_files $uri =404;
    break;
}
## End of configuration add by letsencrypt container

It seems like this (coupled with #2446) has broken my use-case.
Pinning from :latest to 1.5 has resolved this issue.

pini-gh · 2024-05-29T07:57:20Z

It seems like this (coupled with #2446) has broken my use-case.

Now that nginx-proxy handles ACME HTTP challenge correctly I guess acme-companion should be updated so it doesn't add this configuration when it already exists.

In the meantime - as it seems to be a requested feature - I'd like to guard nginx-proxy ACME HTTP Challenge configuration by an environment variable. I'll propose a PR on this topic soon.

Enable / disable ACME HTTP Challenge blocks generation by nginx-proxy. Default: true. This feature is currently needed because acme-companion may generate the HTTP Challenge configuration while it was done already by nginx-proxy (see nginx-proxy#2465#issuecomment-2136361373). Also sometimes a hardcoded ACME challenge location is not wanted because the challenge validation is not done with acme-companion / Let's Encrypt, and with a challenge location setup differently.

Values: * `legacy` (default): generate location blocks for ACME HTP Challenge excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain * `true`: generate location blocks for ACME HTP Challenge in all cases * `false`: do not generate location blocks for ACME HTP Challenge This feature is currently needed because acme-companion may generate the HTTP Challenge configuration while it was done already by nginx-proxy (see nginx-proxy#2465#issuecomment-2136361373). Also sometimes a hardcoded ACME challenge location is not wanted because the challenge validation is not done with acme-companion / Let's Encrypt, and with a challenge location setup differently.

Values: * `legacy` (default): generate location blocks for ACME HTP Challenge excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain * `true`: generate location blocks for ACME HTP Challenge in all cases * `false`: do not generate location blocks for ACME HTP Challenge This feature is currently needed because acme-companion may generate the HTTP Challenge configuration while it was done already by nginx-proxy (see #2465#issuecomment-2136361373). Also sometimes a hardcoded ACME challenge location is not wanted because the challenge validation is not done with acme-companion / Let's Encrypt, and with a challenge location setup differently.

* chore/doc: explicit policy on missing certificate This doesn't change the current nginx-proxy behavior, but makes explicit the current HTTPS_METHOD policy on missing certificate. * fix: bad wording about missing certificate Co-authored-by: Nicolas Duchon <nicolas.duchon@gmail.com> * docs: typo in suggestion --------- Co-authored-by: Nicolas Duchon <nicolas.duchon@gmail.com>

Values: * `legacy` (default): generate location blocks for ACME HTP Challenge excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain * `true`: generate location blocks for ACME HTP Challenge in all cases * `false`: do not generate location blocks for ACME HTP Challenge This feature is currently needed because acme-companion may generate the HTTP Challenge configuration while it was done already by nginx-proxy (see nginx-proxy#2465#issuecomment-2136361373). Also sometimes a hardcoded ACME challenge location is not wanted because the challenge validation is not done with acme-companion / Let's Encrypt, and with a challenge location setup differently.

chore/doc: explicit policy on missing certificate

3ef2afb

This doesn't change the current nginx-proxy behavior, but makes explicit the current HTTPS_METHOD policy on missing certificate.

pini-gh mentioned this pull request May 27, 2024

fix: enforce HTTPS_METHOD on missing cert as well #2452

Merged

buchdag reviewed May 27, 2024

View reviewed changes

docs/README.md Outdated Show resolved Hide resolved

fix: bad wording about missing certificate

4729220

Co-authored-by: Nicolas Duchon <nicolas.duchon@gmail.com>

buchdag reviewed May 27, 2024

View reviewed changes

docs/README.md Outdated Show resolved Hide resolved

docs: typo in suggestion

00096e7

buchdag approved these changes May 27, 2024

View reviewed changes

buchdag merged commit 5f3ec18 into nginx-proxy:main May 27, 2024
0 of 2 checks passed

pini-gh deleted the pini-explicit-https-method-policy branch May 27, 2024 20:23

pini-gh mentioned this pull request May 29, 2024

feat: boolean variable ACME_HTTP_CHALLENGE_LOCATION #2468

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore/doc: explicit policy on missing certificate #2465

chore/doc: explicit policy on missing certificate #2465

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

chore/doc: explicit policy on missing certificate #2465

chore/doc: explicit policy on missing certificate #2465

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!