Bypass basic auth for letsencrypt acme requests, reload nginx after ssl renewals

2018-03-16 10:53:50 +10:00 · 2018-03-16 10:53:50 +10:00 · 36896bcfc9
commit 36896bcfc9
parent b324110c49
3 changed files with 11 additions and 7 deletions
--- a/manager/src/backend/internal/ssl.js
+++ b/manager/src/backend/internal/ssl.js
@ -30,7 +30,11 @@ const internalSsl = {
                .then(result => {
                    logger.info(result);
                    internalSsl.interval_processing = false;
-                    return result;
+
+                    return internalNginx.reload()
+                        .then(() => {
+                            return result;
+                        });
                })
                .catch(err => {
                    logger.error(err);
--- a/manager/src/backend/templates/proxy.conf.ejs
+++ b/manager/src/backend/templates/proxy.conf.ejs
@ -20,14 +20,13 @@ server {
  ssl_certificate_key /etc/letsencrypt/live/<%- hostname %>/privkey.pem;
 <% } -%>

-<% if (typeof access_list_id !== 'undefined' && access_list_id) { -%>
-  auth_basic            "Authorization required";
-  auth_basic_user_file  /config/access/<%- access_list_id %>;
-<% } -%>
-
 <%- typeof advanced !== 'undefined' && advanced ? advanced : '' %>

  location / {
+    <% if (typeof access_list_id !== 'undefined' && access_list_id) { -%>
+    auth_basic            "Authorization required";
+    auth_basic_user_file  /config/access/<%- access_list_id %>;
+    <% } -%>
    <%- typeof force_ssl !== 'undefined' && force_ssl ? 'include conf.d/include/force-ssl.conf;' : '' %>
    include conf.d/include/proxy.conf;
  }
--- a/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
+++ b/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
@ -2,6 +2,7 @@
 # We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
 # other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
 location ^~ /.well-known/acme-challenge/ {
+    auth_basic off;

    # Set correct content type. According to this:
    # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
@ -14,7 +15,7 @@ location ^~ /.well-known/acme-challenge/ {
    # there to "webroot".
    # Do NOT use alias, use root! Target directory is located here:
    # /var/www/common/letsencrypt/.well-known/acme-challenge/
-    root         /config/letsencrypt-acme-challenge;
+    root /config/letsencrypt-acme-challenge;
 }

 # Hide /acme-challenge subdirectory and return 404 on all requests.