Config for nginx proxy_pass to certbot standalone

I’m using certbot standalone. I want to proxy challenges to certbot (--http-01-port 1234).

I use this nginx config:

location ~ /.well-known/acme-challenge {
  proxy_pass http://localhost:1234;
  #proxy_pass http://localhost:1234/.well-known/acme-challenge/;  # or this?
}

Is that enough, or does certbot expect headers to be set?

Some examples on StackOverflow set X-Forwarded-For, X-Real-IP, and Host. But everyone uses different values, so I don’t want to blindly copy-paste.

Should I set them, and if so, what values should I use?

No, Certbot’s standalone server doesn’t care about the headers as long as it’s a well-formed HTTP request. nginx already guarantees that by virtue of sitting in front.

It doesn’t look at anything except the request method and request path: https://github.com/certbot/certbot/blob/118cb3c9b1e62599b57082b71ab7313b2cdc1632/acme/acme/standalone.py#L218-L254

2 Likes
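An added example, not part of the thread and not Certbot's code: a stand-in HTTP-01 responder that dispatches only on request method and path, as the answer above describes, queried with and without the proxy headers from the question. The token, key authorization and header values are constructed sample data.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PREFIX = "/.well-known/acme-challenge/"
# Constructed sample values, not real ACME tokens.
CHALLENGES = {"sample-token": "sample-token.sample-thumbprint"}


class ChallengeHandler(BaseHTTPRequestHandler):
    """Stand-in responder: looks at the method (GET) and the path, nothing else."""

    def do_GET(self):
        token = self.path[len(PREFIX):] if self.path.startswith(PREFIX) else None
        body = CHALLENGES.get(token)
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the console quiet
        pass


def fetch(path, headers=None):
    """Start the responder on a free local port, send one GET, return (status, body)."""
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path, headers=headers or {})
        resp = conn.getresponse()
        result = (resp.status, resp.read().decode())
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    plain = fetch(PREFIX + "sample-token")
    proxied = fetch(PREFIX + "sample-token", {"Host": "example.com",
                    "X-Real-IP": "203.0.113.7", "X-Forwarded-For": "203.0.113.7"})
    print(plain, proxied, plain == proxied)  # identical responses either way
    print(fetch("/acme-challenge/sample-token")[0])  # path without the prefix
```

The last request shows the one thing that does matter: the backend has to receive the original `/.well-known/acme-challenge/<token>` path, which nginx forwards unchanged when `proxy_pass` is given without a URI part.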

Thanks for confirming!

I hate blindly copy-pasting code, and SO is really bad in that regard! :laughing:

1 Like