Created
February 17, 2017 10:46
-
-
Save flusher/0e26595b81fac29740eadf3056ebb493 to your computer and use it in GitHub Desktop.
Nginx Letsencrypt perfect configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) | |
| # We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel | |
| # other regex checks, because in our other config files have regex rule that denies access to files with dotted names. | |
| location ^~ /.well-known/acme-challenge/ { | |
| # Prevent HTTP Auth | |
| auth_basic off; | |
| allow all; | |
| # Separate logs | |
| access_log /var/log/nginx/letsencrypt.access.log; | |
| error_log /var/log/nginx/letsencrypt.error.log; | |
| # Set correct content type. According to this: | |
| # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29 | |
| # Current specification requires "text/plain" or no content header at all. | |
| # It seems that "text/plain" is a safe option. | |
| default_type "text/plain"; | |
| # This directory must be the same as in /etc/letsencrypt/cli.ini | |
| # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter | |
| # there to "webroot". | |
| # Do NOT use alias, use root! Target directory is located here: | |
| # /var/www/common/letsencrypt/.well-known/acme-challenge/ | |
| root /var/www/letsencrypt; | |
| } | |
| # Hide /acme-challenge subdirectory and return 404 on all requests. | |
| # It is somewhat more secure than letting Nginx return 403. | |
| # Ending slash is important! | |
| location = /.well-known/acme-challenge/ { | |
| return 404; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment