Re: right config for letsencrypt

February 02, 2020 11:50AM
Since I do this through haproxy, it will be a little different, but
wherever port 80 is open to, you can have a block that does the following.
So in the http block of haproxy I send it to a backend when it meets
these requirements.

    acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
    redirect scheme https code 301 unless letsencrypt-request
    use_backend letsencrypt-backend if letsencrypt-request

Which sends the request to a local nginx instance (on the live haproxy
server) that can validate the cert b/c server_name = _; I generate these
regularly, so my setup is a little different, but

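    server {
        # Reached only through haproxy, which speaks the PROXY protocol
        listen 8888 proxy_protocol;
        server_name _;
        charset utf-8;
        # Trust the client address only when it comes from the load balancers
        set_real_ip_from {{ servers.lb.master.ip }};
        set_real_ip_from {{ servers.lb.slave.ip }};
        real_ip_header proxy_protocol;
        root /var/www/html;
        # Challenge files are the only content served
        location ~ /.well-known {
            allow all;
        }
        # Everything else is refused
        deny all;
    }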

In a regular, single-server nginx setup, I use the following block:

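    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name example.com www.example.com;
        # Challenge requests are answered over plain HTTP
        location ~ /.well-known {
            allow all;
        }
        # A server-level "return" runs before location matching and would
        # redirect the challenge requests too, so it lives in "location /"
        location / {
            return 301 https://www.example.com$request_uri;
        }
    }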

So it will only redirect if it's not a Let's Encrypt request. HAProxy may
mean nothing to you, but it shows an alternate configuration. And of
course Francis is correct, you need 80 open.

HTH
Jeff
On Sun, Feb 2, 2020 at 5:49 AM Francis Daly <francis@daoine.org> wrote:

> On Fri, Jan 31, 2020 at 10:33:31PM +0100, bagagerek wrote:
>
> Hi there,
>
> > I followed the manual but I can't seem to get it right. I've forwarded
> > port 8081 on my router.
>
> If you want letsencrypt to use the "http" challenge, you must let incoming
> traffic in on port 80 (and, presumably, send it to nginx).
>
> f
> --
> Francis Daly francis@daoine.org
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
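
Added example, not part of Jeff's message or of either project's code: a small Python model of which request paths each matcher in the configs above exempts from the HTTPS redirect, run over constructed sample paths. The `^~` prefix location is an assumed tighter alternative that does not appear in the thread, and nginx's URI normalisation is left out of the model.

```python
import re

ACME_PREFIX = "/.well-known/acme-challenge/"

def haproxy_path_beg_i(path):
    # HAProxy `path_beg -i`: case-insensitive prefix match on the URL path.
    return path.lower().startswith(ACME_PREFIX.lower())

def nginx_regex_location(path):
    # nginx `location ~ /.well-known`: case-sensitive, unanchored regex,
    # and the unescaped "." matches any single character.
    return re.search(r"/.well-known", path) is not None

def nginx_prefix_location(path):
    # Assumed tighter alternative: `location ^~ /.well-known/acme-challenge/`.
    return path.startswith(ACME_PREFIX)

MATCHERS = {
    "haproxy path_beg -i": haproxy_path_beg_i,
    "nginx ~ /.well-known": nginx_regex_location,
    "nginx ^~ acme prefix": nginx_prefix_location,
}

# Constructed sample paths (already normalised, query string removed).
SAMPLES = [
    "/.well-known/acme-challenge/TOKEN",
    "/.WELL-KNOWN/ACME-CHALLENGE/TOKEN",
    "/.well-known/security.txt",
    "/app/.well-known/x",
    "/xwell-known/page",
    "/index.html",
]

def route(path, matcher):
    # What the port-80 listener does with a path under the given matcher.
    return "serve-http" if matcher(path) else "redirect-https"

def exempt_paths(matcher, paths=SAMPLES):
    # Paths that stay on plain HTTP instead of being redirected.
    return [p for p in paths if matcher(p)]

if __name__ == "__main__":
    for name, matcher in MATCHERS.items():
        print(f"{name:22} exempts {exempt_paths(matcher)}")
```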