Auto-renew for several domains by bypassing the proxy


#1

Hello Team,

Is there a way to renew several domains automatically by bypassing the proxy in an nginx environment?

My conf in sites-enabled:

server {
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/test1.abc.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test1.abc.com-0001/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    location ~ /.well-known {
        allow all;
    }
}

server {
    listen 443 ssl;
    server_name test1.abc.com;

    location / {
        proxy_pass http://10.10.1.32;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'POST,GET,OPTIONS';

        # preflight request
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Max-Age' '1728000';
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' '0';

            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'POST,GET,OPTIONS';
            return 204;
        }
    }
}

server {
    listen 443 ssl;
    server_name services2.abc.com;

    location / {
        proxy_pass http://10.10.1.34:19;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'POST,GET,OPTIONS';
    }
}


#2

I think I understand what you want to do here, and yes, it is very possible. Let’s Encrypt renewals for a web server will typically be done through use of the “webroot” aka HTTP-01 challenge, in which a URL ending /.well-known/acme-challenge/someBunchOfCharacters is requested.

So you can use the location directive in nginx to set these requests aside, answering just those from local files, while everything else goes through your proxy_pass to another server. Then the Certbot (or similar software) can create the files in the right place on the filesystem to answer each challenge, and nginx will serve those up when requested by Let’s Encrypt.

I recommend setting aside specifically /.well-known/acme-challenge/ rather than the whole /.well-known/ directory, as this “well known” part is used by several other special types of URL, and probably more to come in the future, so you might need it, if not today then on some future date, and be surprised if it doesn’t work because of the Let’s Encrypt stuff you installed now.


#3

Yes. I use an nginx macro file for this, and then include it on every domain.

The upstream proxy is running a custom client, and I use a filesystem check to enable/disable the route without restarting nginx.

nginx.conf

server {
    server_name example.com;
    include /path/to/macro.conf;
}
server {
    server_name alt.example.com;
    include /path/to/macro.conf;
}

macro.conf

location /.well-known/acme-challenge {
    # kill switch: while the flag file is absent, answer 503 instead of
    # proxying to the ACME client; creating/removing the file toggles the
    # route without an nginx reload
    if (!-f /etc/nginx/_flags/peter_sslers-public) {
        return 503;
    }
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:6543;
}

#4

I am sorry guys, I am new to nginx, so I need more understanding.

@jvanasco should I not change anything in my default (under nginx/sites-enabled)? Do I just change nginx.conf and create a macro.conf? Can I put macro.conf in etc/nginx? Thanks in advance.

@tialaramex, can you give me some sample? It would be great if the sample used my default.conf (above).

Once again, Thank you


#5

The common way to handle repetitive things in nginx is to use an include file.

If I were in your situation, I would create a new folder nginx/macros and then create a file called nginx/macros/letsencrypt_challenge_proxy.conf that has the (shared) proxy information. E.g., it looks like:

location /.well-known/acme-challenge {
    proxy_pass http://0.0.0.0:1234;
}

Then, in any server you want to enable that proxy pass in – whether it is in the main nginx.conf or something defined in a nginx/sites-available/*.conf file – you simply include /path/to/nginx/macros/letsencrypt_challenge_proxy.conf;

This way you only define/edit the proxy in one place, but it is available in every server that includes it.

does that make more sense?
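Putting #2 and #5 together, this is what the acme-challenge carve-out plus the include-file pattern looks like when applied to the configuration from #1. It is an added example, not from anyone in the thread; the macro path, the /var/www/acme webroot, and serving the challenge from disk with certbot's webroot mode (rather than proxying to an ACME client as in #3) are assumptions.

```nginx
# /etc/nginx/macros/letsencrypt_challenge.conf  (path and webroot are assumed)
# Answer ACME HTTP-01 challenges from a local directory. Only this prefix is
# carved out; everything else in the including server still reaches its own
# "location /" and proxy_pass. "^~" means: once this prefix matches, nginx
# does not go on to check regex locations such as "location ~ /.well-known".
location ^~ /.well-known/acme-challenge/ {
    root /var/www/acme;        # certbot --webroot -w /var/www/acme writes tokens here
    default_type text/plain;   # token files have no extension
    allow all;                 # win over any deny rules inherited from the server
    try_files $uri =404;       # unknown tokens get 404 from nginx, never the backend
}

# /etc/nginx/sites-enabled/default (the relevant parts)
server {
    listen 80;
    server_name test1.abc.com services2.abc.com;
    # Let's Encrypt begins HTTP-01 validation over plain HTTP on port 80
    # (it follows redirects), so the carve-out has to exist here too.
    include /etc/nginx/macros/letsencrypt_challenge.conf;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name test1.abc.com;
    ssl_certificate     /etc/letsencrypt/live/test1.abc.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test1.abc.com-0001/privkey.pem;
    include /etc/nginx/macros/letsencrypt_challenge.conf;
    location / {
        proxy_pass http://10.10.1.32;
    }
}

server {
    listen 443 ssl;
    server_name services2.abc.com;
    ssl_certificate     /etc/letsencrypt/live/test1.abc.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test1.abc.com-0001/privkey.pem;
    include /etc/nginx/macros/letsencrypt_challenge.conf;
    location / {
        proxy_pass http://10.10.1.34:19;
    }
}
```

Issue the certificate once with certbot certonly --webroot -w /var/www/acme -d test1.abc.com -d services2.abc.com; after that, certbot renew reuses the stored webroot path, and nginx only needs a reload to pick up the new files.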


#6

Thank you team... I will try.
@jvanasco so should I remove:

server {
    listen 443 ssl;
    server_name test1.abc.com;

    location / {
        proxy_pass http://10.10.1.32;

        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'POST,GET,OPTIONS';

        # preflight request
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Max-Age' '1728000';
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' '0';

            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'POST,GET,OPTIONS';
            return 204;
        }
    }
}

server {
    listen 443 ssl;
    server_name services2.abc.com;

    location / {
        proxy_pass http://10.10.1.34:19;
        add_header 'Access-Control-Allow-Origin' '*';
    }
}
