
feat: variable ACME_HTTP_CHALLENGE_LOCATION (#2468)

Values:
* `legacy` (default): generate location blocks for the ACME HTTP Challenge
  except when `HTTPS_METHOD=noredirect` or there is no certificate for
  the domain
* `true`: generate location blocks for the ACME HTTP Challenge in all cases
* `false`: do not generate location blocks for the ACME HTTP Challenge

This feature is currently needed because acme-companion may generate
the HTTP Challenge configuration while it was done already by nginx-proxy
(see #2465#issuecomment-2136361373).

Also sometimes a hardcoded ACME challenge location is not wanted because
the challenge validation is not done with acme-companion / Let's Encrypt,
and with a challenge location setup differently.
This commit is contained in:
pini-gh
2024-05-31 00:10:44 +02:00
committed by GitHub
parent e904471cd3
commit 9cf736f1f8
12 changed files with 312 additions and 3 deletions


@ -596,6 +596,12 @@ proxy_set_header Proxy "";
{{- end }}
{{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
{{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
{{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "legacy" }}
{{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
{{- $acme_http_challenge_enabled := false }}
{{- if (not $acme_http_challenge_legacy) }}
{{- $acme_http_challenge_enabled = parseBool $acme_http_challenge }}
{{- end }}
{{- /* Get the SERVER_TOKENS defined by containers w/ the same vhost, falling back to "". */}}
{{- $server_tokens := trim (or (first (groupByKeys $vhost_containers "Env.SERVER_TOKENS")) "") }}
@ -617,6 +623,8 @@ proxy_set_header Proxy "";
"https_method" $https_method
"http2_enabled" $http2_enabled
"http3_enabled" $http3_enabled
"acme_http_challenge_legacy" $acme_http_challenge_legacy
"acme_http_challenge_enabled" $acme_http_challenge_enabled
"server_tokens" $server_tokens
"ssl_policy" $ssl_policy
"vhost_root" $vhost_root
@ -741,6 +749,7 @@ server {
listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
{{- end }}
{{- if (or $vhost.acme_http_challenge_legacy $vhost.acme_http_challenge_enabled) }}
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
@ -750,6 +759,7 @@ server {
try_files $uri =404;
break;
}
{{- end }}
location / {
{{- if eq $globals.external_https_port "443" }}
@ -776,7 +786,7 @@ server {
listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
{{- end }}
{{- if (eq $vhost.https_method "noredirect") }}
{{- if (and (eq $vhost.https_method "noredirect") $vhost.acme_http_challenge_enabled) }}
location /.well-known/acme-challenge/ {
auth_basic off;
allow all;