ddbfdf6f6e
Since Lets Encrypt don't publish IP ranges that their acme challenge service will be sourced from, we need to allow free access to this location special to override any IP ACLs added by Advanced Custom Nginx Configuration. Due to the way Nginx config is applied, this only applies to the regex and below, keeping the IP ACLs working for the rest of the website.
30 lines
1.4 KiB
Plaintext
30 lines
1.4 KiB
Plaintext
# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
|
|
# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
|
|
# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
# Since this is for letsencrypt authentication of a domain and they do not give IP ranges of their infrastructure
|
|
# we need to open up access by turning off auth and IP ACL for this location.
|
|
auth_basic off;
|
|
allow all;
|
|
|
|
# Set correct content type. According to this:
|
|
# https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
|
|
# Current specification requires "text/plain" or no content header at all.
|
|
# It seems that "text/plain" is a safe option.
|
|
default_type "text/plain";
|
|
|
|
# This directory must be the same as in /etc/letsencrypt/cli.ini
|
|
# as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
|
|
# there to "webroot".
|
|
# Do NOT use alias, use root! Target directory is located here:
|
|
# /var/www/common/letsencrypt/.well-known/acme-challenge/
|
|
root /data/letsencrypt-acme-challenge;
|
|
}
|
|
|
|
# Hide /acme-challenge subdirectory and return 404 on all requests.
|
|
# It is somewhat more secure than letting Nginx return 403.
|
|
# Ending slash is important!
|
|
location = /.well-known/acme-challenge/ {
|
|
return 404;
|
|
}
|