openresty + lua-resty-auto-ssl config settings
# Per-site snippet: include this from each domain's server block under
# /etc/nginx/sites.available (the shared auto_ssl setup lives in nginx.conf).
#
# nginx will not start without a static certificate pair, so the fallback
# files below are always loaded; the Lua handler then provides the certificate
# for the requested SNI domain during the handshake.
ssl_certificate     /etc/ssl/resty-auto-ssl-fallback.crt;
ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

# Issue or return the certificate for the SNI domain presented by the client.
ssl_certificate_by_lua_block {
    auto_ssl:ssl_certificate()
}
# Global section: include this from the main config file (/etc/nginx/nginx.conf).

# Shared memory holding the certificate data. Size it for the number of
# domains you serve: roughly 100 domains fit in 1MB.
lua_shared_dict auto_ssl 1m;

# Small shared dict for runtime settings, e.g. the secret the internal hook
# server on port 8999 relies on. Required: keep its name and do not drop it.
lua_shared_dict auto_ssl_settings 64k;

# OCSP stapling needs a resolver. Google's public DNS is used here; your own
# system resolvers (see /etc/resolv.conf) are an alternative if you prefer not
# to send these lookups to a third party in clear text. "ipv6=off" stops nginx
# from using AAAA results on networks without IPv6 connectivity.
resolver 8.8.8.8 ipv6=off;
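# Initial setup tasks.
init_by_lua_block {
    -- Deliberately global (no "local"): the other *_by_lua_block sections in
    -- this file reference auto_ssl by name.
    auto_ssl = (require "resty.auto-ssl").new()

    -- Allowlist deciding which client-presented SNI domains get certificates
    -- issued and renewed automatically. The library default allows nothing,
    -- so this must be configured, and it should stay strict.
    --
    -- The dots are escaped: an unescaped "." in a regex matches any single
    -- character, which would also accept names such as "foobarXcom". The
    -- anchors reject anything with a prefix or suffix around the listed names.
    auto_ssl:set("allow_domain", function(domain, auto_ssl)
        return ngx.re.match(domain, "^(foobar\\.com|friends\\.hu)$", "ijo")
    end)

    auto_ssl:init()
}

# Per-worker initialization for auto_ssl.
init_worker_by_lua_block {
    auto_ssl:init_worker()
}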
# HTTPS server
server {
    listen 443 ssl;

    # nginx will not start without a static certificate pair, even though the
    # Lua handler below supplies the real certificate per domain. A self-signed
    # placeholder can be generated with:
    #
    #   openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    #     -subj '/CN=sni-support-required-for-valid-ssl' \
    #     -keyout /etc/ssl/resty-auto-ssl-fallback.key \
    #     -out /etc/ssl/resty-auto-ssl-fallback.crt
    ssl_certificate     /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

    # Hand the handshake to lua-resty-auto-ssl, which issues or returns the
    # certificate for the requested SNI domain.
    ssl_certificate_by_lua_block {
        auto_ssl:ssl_certificate()
    }
}
# HTTP server
server {
    listen 80;
    access_log /var/log/openresty/access.80.log;

    # ACME challenge requests are answered here over plain HTTP by
    # lua-resty-auto-ssl instead of being redirected. "break" stops any
    # further rewrite-phase processing inside this location.
    location /.well-known/acme-challenge/ {
        content_by_lua_block {
            auto_ssl:challenge_server()
        }
        break;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
# Internal server on port 8999 handling certificate tasks (the hook server).
server {
    # Loopback only: this endpoint is for the auto_ssl code on this host and
    # must not be reachable from other machines.
    listen 127.0.0.1:8999;

    # The internal POSTs carry certificate data; let them be buffered fully in
    # memory rather than spilled to a temp file.
    client_max_body_size    128k;
    client_body_buffer_size 128k;

    location / {
        content_by_lua_block {
            auto_ssl:hook_server()
        }
    }
}