foxundermoon/nginx.conf

## nginx.conf
events {
  worker_connections 1024;
}

http {
  # The "auto_ssl" shared dict should be defined with enough storage space to
  # hold your certificate data. 1MB of storage holds certificates for
  # approximately 100 separate domains.
  lua_shared_dict auto_ssl 1m;
  # The "auto_ssl" shared dict is used to temporarily store various settings
  # like the secret used by the hook server on port 8999. Do not change or
  # omit it.
  lua_shared_dict auto_ssl_settings 64k;

  # A DNS resolver must be defined for OCSP stapling to function.
  #
  # This example uses Google's DNS server. You may want to use your system's
  # default DNS servers, which can be found in /etc/resolv.conf. If your network
  # is not IPv6 compatible, you may wish to disable IPv6 results by using the
  # "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
  resolver 8.8.8.8;

  # Initial setup tasks.
  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()

    -- Define a function to determine which SNI domains to automatically handle
    -- and register new certificates for. Defaults to not allowing any domains,
    -- so this must be configured.
    auto_ssl:set("allow_domain", function(domain)
      return true
    end)

    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

  # HTTPS server
  server {
    listen 443 ssl;

    # Dynamic handler for issuing or returning certs for SNI domains.
    ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate()
    }

    # You must still define a static ssl_certificate file for nginx to start.
    #
    # You may generate a self-signed fallback with:
    #
    # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    #   -subj '/CN=sni-support-required-for-valid-ssl' \
    #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
    #   -out /etc/ssl/resty-auto-ssl-fallback.crt
    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
  }

  # HTTP server
  server {
    listen 80;

    # Endpoint used for performing domain verification with Let's Encrypt.
    location /.well-known/acme-challenge/ {
      content_by_lua_block {
        auto_ssl:challenge_server()
      }
    }
  }

  # Internal server running on port 8999 for handling certificate tasks.
  server {
    listen 127.0.0.1:8999;

    # Increase the body buffer size, to ensure the internal POSTs can always
    # parse the full POST contents into memory.
    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }
}
	events {
	worker_connections 1024;
	}

	http {
	# The "auto_ssl" shared dict should be defined with enough storage space to
	# hold your certificate data. 1MB of storage holds certificates for
	# approximately 100 separate domains.
	lua_shared_dict auto_ssl 1m;
	# The "auto_ssl" shared dict is used to temporarily store various settings
	# like the secret used by the hook server on port 8999. Do not change or
	# omit it.
	lua_shared_dict auto_ssl_settings 64k;

	# A DNS resolver must be defined for OCSP stapling to function.
	#
	# This example uses Google's DNS server. You may want to use your system's
	# default DNS servers, which can be found in /etc/resolv.conf. If your network
	# is not IPv6 compatible, you may wish to disable IPv6 results by using the
	# "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
	resolver 8.8.8.8;

	# Initial setup tasks.
	init_by_lua_block {
	auto_ssl = (require "resty.auto-ssl").new()

	-- Define a function to determine which SNI domains to automatically handle
	-- and register new certificates for. Defaults to not allowing any domains,
	-- so this must be configured.
	auto_ssl:set("allow_domain", function(domain)
	return true
	end)

	auto_ssl:init()
	}

	init_worker_by_lua_block {
	auto_ssl:init_worker()
	}

	# HTTPS server
	server {
	listen 443 ssl;

	# Dynamic handler for issuing or returning certs for SNI domains.
	ssl_certificate_by_lua_block {
	auto_ssl:ssl_certificate()
	}

	# You must still define a static ssl_certificate file for nginx to start.
	#
	# You may generate a self-signed fallback with:
	#
	# openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
	# -subj '/CN=sni-support-required-for-valid-ssl' \
	# -keyout /etc/ssl/resty-auto-ssl-fallback.key \
	# -out /etc/ssl/resty-auto-ssl-fallback.crt
	ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
	ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
	}

	# HTTP server
	server {
	listen 80;

	# Endpoint used for performing domain verification with Let's Encrypt.
	location /.well-known/acme-challenge/ {
	content_by_lua_block {
	auto_ssl:challenge_server()
	}
	}
	}

	# Internal server running on port 8999 for handling certificate tasks.
	server {
	listen 127.0.0.1:8999;

	# Increase the body buffer size, to ensure the internal POSTs can always
	# parse the full POST contents into memory.
	client_body_buffer_size 128k;
	client_max_body_size 128k;

	location / {
	content_by_lua_block {
	auto_ssl:hook_server()
	}
	}
	}
	}