From 6c1b532ffb4cd732d99a59f753e4f77deac4a157 Mon Sep 17 00:00:00 2001
From: Gilles Filippini
Date: Thu, 9 May 2024 23:28:34 +0200
Subject: [PATCH] Improve acme-challenge handling

So that there is no need anymore for the Let's Encrypt companion to fiddle with vhosts nginx configuration.

When `HTTPS_METHOD=nohttp` and the certificate is missing, enforce nohttp instead of switching to `HTTPS_METHOD=redirect`.
---
 nginx.tmpl | 12 +++++++++++-
 test/test_ssl/test_noredirect.py | 4 ++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/nginx.tmpl b/nginx.tmpl
index 2b73158b0..b50997c67 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -762,6 +762,16 @@ server {
 {{- if $globals.enable_ipv6 }}
 listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
 {{- end }}
+
+ {{- if (eq $vhost.https_method "noredirect") }}
+ location /.well-known/acme-challenge/ {
+ auth_basic off;
+ allow all;
+ root /usr/share/nginx/html;
+ try_files $uri =404;
+ break;
+ }
+ {{- end }}
 {{- end }}
 {{- if ne $vhost.https_method "nohttps" }}
 listen {{ $globals.external_https_port }} ssl {{ $default_server }};
@@ -856,4 +866,4 @@ server {
 }
 {{- end }}
 }
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/test/test_ssl/test_noredirect.py b/test/test_ssl/test_noredirect.py
index 0f50063df..1d956d198 100644
--- a/test/test_ssl/test_noredirect.py
+++ b/test/test_ssl/test_noredirect.py
@@ -19,9 +19,9 @@ def test_web2_HSTS_policy_is_inactive(docker_compose, nginxproxy):
 assert "Strict-Transport-Security" not in r.headers
 
 
-def test_web3_acme_challenge_does_not_work(docker_compose, nginxproxy, acme_challenge_path):
+def test_web3_acme_challenge_does_work(docker_compose, nginxproxy, acme_challenge_path):
 r = nginxproxy.get(
 f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
 allow_redirects=False
 )
- assert r.status_code == 404
+ assert r.status_code == 200
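Review bot: The new `location /.well-known/acme-challenge/` in the first nginx.tmpl hunk is a plain prefix match, so if the template emits any regex `location ~` blocks for the same vhost they take precedence and could shadow the challenge path; `location ^~ /.well-known/acme-challenge/ {` makes the prefix match win regardless. The `auth_basic off;` and `allow all;` lines deliberately lift any basic-auth or IP access restrictions the vhost carries for this one path, which deserves a template comment such as `{{/* ACME HTTP-01 validation must reach this path unauthenticated from any source; only files under the challenge directory are exposed */}}` so a later reader does not tighten it back. The trailing `break;` appears to have no effect here because no rewrite-module directives follow it in the location; either drop it or comment why it is kept. The block is only emitted for `noredirect` vhosts, so if `redirect` vhosts rely on the ACME client following the HTTP-to-HTTPS redirect, stating that in a comment next to the condition would make the intent explicit. The enclosing `server` block starts and ends outside the hunk.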
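Review bot: The renamed `test_web3_acme_challenge_does_work` pins only the status code, so a 200 produced by the proxied backend would also satisfy it and the test cannot tell whether the response came from the new challenge location; if the `acme_challenge_path` fixture also exposes the token it writes, adding `assert r.text == <expected-token-from-fixture>` would confirm the file is served from the challenge root. The commit description also states that `HTTPS_METHOD=nohttp` is enforced when the certificate is missing, but neither this test nor the visible template hunks exercise or implement that case, so a test for the missing-certificate vhost (or a pointer to where it is covered) would make the described behaviour verifiable. The test function is fully contained in the hunk.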