
Improve acme-challenge handling

So that the Let's Encrypt companion no longer needs to fiddle with the
vhosts' nginx configuration.

When `HTTPS_METHOD=nohttp` and the certificate is missing, enforce nohttp
instead of switching to `HTTPS_METHOD=redirect`.
Gilles Filippini 1 éve
szülő
commit
6c1b532ffb
2 módosított fájl, 13 hozzáadás és 3 törlés
  1. 11 1
      nginx.tmpl
  2. 2 2
      test/test_ssl/test_noredirect.py

+ 11 - 1
nginx.tmpl

@@ -762,6 +762,16 @@ server {
         {{- if $globals.enable_ipv6 }}
     listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
         {{- end }}
+
+        {{- if (eq $vhost.https_method "noredirect") }}
+    location /.well-known/acme-challenge/ {
+        auth_basic off;
+        allow all;
+        root /usr/share/nginx/html;
+        try_files $uri =404;
+        break;
+    }
+        {{- end }}
     {{- end }}
     {{- if ne $vhost.https_method "nohttps" }}
     listen {{ $globals.external_https_port }} ssl {{ $default_server }};
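Review bot: The added `location /.well-known/acme-challenge/` is a plain prefix location, so any regex location that ends up in the same server block (for example from a per-vhost include, which is not visible in this hunk) would be chosen ahead of it. The challenge request would then miss the `auth_basic off; allow all;` carve-out, or be passed to the upstream instead of being served from the webroot. Declaring it as `location ^~ /.well-known/acme-challenge/ {` makes nginx stop at this prefix match and keeps the unauthenticated exception confined to exactly this path. A one-line comment above the block, such as `# HTTP-01 challenge files are served without auth from the shared webroot`, would record that the bypass is deliberate and that `/usr/share/nginx/html` is common to every noredirect vhost. The server block starts and ends outside the hunk.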
@@ -856,4 +866,4 @@ server {
     }
     {{- end }}
 }
-{{- end }}
+{{- end }}

+ 2 - 2
test/test_ssl/test_noredirect.py

@@ -19,9 +19,9 @@ def test_web2_HSTS_policy_is_inactive(docker_compose, nginxproxy):
     assert "Strict-Transport-Security" not in r.headers
 
 
-def test_web3_acme_challenge_does_not_work(docker_compose, nginxproxy, acme_challenge_path):
+def test_web3_acme_challenge_does_work(docker_compose, nginxproxy, acme_challenge_path):
     r = nginxproxy.get(
         f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
         allow_redirects=False
     )
-    assert r.status_code == 404
+    assert r.status_code == 200
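Review bot: The assertion `r.status_code == 200` in `test_web3_acme_challenge_does_work` does not show that the response came from the new acme-challenge location. If the web3 backend (not visible here) answers 200 for that path, the test would still pass with the location missing. Also compare the body with the challenge file content, e.g. `assert r.text == EXPECTED_CHALLENGE_BODY`, where `EXPECTED_CHALLENGE_BODY` is a placeholder for whatever the `acme_challenge_path` fixture presumably provisions. A sibling case requesting a path outside `/.well-known/acme-challenge/` would pin that the unauthenticated carve-out in nginx.tmpl does not extend beyond the challenge prefix.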