joshnabbott · May 30, 2018 03:07 · Feb 16, 2018 · Feb 15, 2018 · Feb 15, 2018 · Feb 15, 2018
diff --git a/lua-resty-auto-ssl.conf b/lua-resty-auto-ssl.conf
@@ -16,7 +16,7 @@
   # default DNS servers, which can be found in /etc/resolv.conf. If your network
   # is not IPv6 compatible, you may wish to disable IPv6 results by using the
   # "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
-  resolver 8.8.8.8;
+  resolver 8.8.8.8 ipv6=off;
 
   # Initial setup tasks.
   init_by_lua_block {
@@ -25,9 +25,9 @@
     -- Define a function to determine which SNI domains to automatically handle
     -- and register new certificates for. Defaults to not allowing any domains,
     -- so this must be configured.
-    auto_ssl:set("allow_domain", function(domain)
-      return true
-    end)
+      auto_ssl:set("allow_domain", function(domain, auto_ssl)
+           return ngx.re.match(domain, "^(foobar.com|friends.hu)$", "ijo")
+           end)
 
     auto_ssl:init()
   }
@@ -61,14 +61,20 @@
   server {
     listen 80;
 
-    # Endpoint used for performing domain verification with Let's Encrypt.
-    location /.well-known/acme-challenge/ {
+   location /.well-known/acme-challenge/ {
       content_by_lua_block {
         auto_ssl:challenge_server()
       }
+    break;
     }
-  }
 
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    access_log /var/log/openresty/access.80.log;
+
+  }
   # Internal server running on port 8999 for handling certificate tasks.
   server {
     listen 127.0.0.1:8999;

diff --git a/simple openresty + lua-resty-auto-ssl conf → lua-resty-auto-ssl.conf b/simple openresty + lua-resty-auto-ssl conf → lua-resty-auto-ssl.conf
@@ -1,3 +1,5 @@
+  # this file must be included in globab config file (/etc/nginx/nginx.conf)
+
 
   # The "auto_ssl" shared dict should be defined with enough storage space to
   # hold your certificate data. 1MB of storage holds certificates for

diff --git a/lua-resty-auto-ssl-perdomain.conf b/lua-resty-auto-ssl-perdomain.conf
@@ -1,4 +1,4 @@
-  #this file must be included in per domain settings
+  #this file must be included in per domain settings (/etc/nginx/sites.available)
 
   # Dynamic handler for issuing or returning certs for SNI domains.
     ssl_certificate_by_lua_block {

diff --git a/lua-resty-auto-ssl-perdomain.conf b/lua-resty-auto-ssl-perdomain.conf
@@ -1,3 +1,5 @@
+  #this file must be included in per domain settings
+
   # Dynamic handler for issuing or returning certs for SNI domains.
     ssl_certificate_by_lua_block {
       auto_ssl:ssl_certificate()

diff --git a/lua-resty-auto-ssl-perdomain.conf b/lua-resty-auto-ssl-perdomain.conf
@@ -0,0 +1,7 @@
+  # Dynamic handler for issuing or returning certs for SNI domains.
+    ssl_certificate_by_lua_block {
+      auto_ssl:ssl_certificate()
+    }
+
+    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
+    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
diff --git a/simple openresty + lua-resty-auto-ssl conf b/simple openresty + lua-resty-auto-ssl conf
@@ -1,5 +1,5 @@
 
-# The "auto_ssl" shared dict should be defined with enough storage space to
+  # The "auto_ssl" shared dict should be defined with enough storage space to
   # hold your certificate data. 1MB of storage holds certificates for
   # approximately 100 separate domains.
   lua_shared_dict auto_ssl 1m;

diff --git a/simple openresty + lua-resty-auto-ssl conf b/simple openresty + lua-resty-auto-ssl conf
@@ -1,9 +1,5 @@
-events {
-  worker_connections 1024;
-}
 
-http {
-  # The "auto_ssl" shared dict should be defined with enough storage space to
+# The "auto_ssl" shared dict should be defined with enough storage space to
   # hold your certificate data. 1MB of storage holds certificates for
   # approximately 100 separate domains.
   lua_shared_dict auto_ssl 1m;
@@ -85,5 +81,4 @@ http {
         auto_ssl:hook_server()
       }
     }
-  }
-}
+  }
diff --git a/simple openresty + lua-resty-auto-ssl conf b/simple openresty + lua-resty-auto-ssl conf
@@ -0,0 +1,89 @@
+events {
+  worker_connections 1024;
+}
+
+http {
+  # The "auto_ssl" shared dict should be defined with enough storage space to
+  # hold your certificate data. 1MB of storage holds certificates for
+  # approximately 100 separate domains.
+  lua_shared_dict auto_ssl 1m;
+  # The "auto_ssl" shared dict is used to temporarily store various settings
+  # like the secret used by the hook server on port 8999. Do not change or
+  # omit it.
+  lua_shared_dict auto_ssl_settings 64k;
+
+  # A DNS resolver must be defined for OCSP stapling to function.
+  #
+  # This example uses Google's DNS server. You may want to use your system's
+  # default DNS servers, which can be found in /etc/resolv.conf. If your network
+  # is not IPv6 compatible, you may wish to disable IPv6 results by using the
+  # "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
+  resolver 8.8.8.8;
+
+  # Initial setup tasks.
+  init_by_lua_block {
+    auto_ssl = (require "resty.auto-ssl").new()
+
+    -- Define a function to determine which SNI domains to automatically handle
+    -- and register new certificates for. Defaults to not allowing any domains,
+    -- so this must be configured.
+    auto_ssl:set("allow_domain", function(domain)
+      return true
+    end)
+
+    auto_ssl:init()
+  }
+
+  init_worker_by_lua_block {
+    auto_ssl:init_worker()
+  }
+
+  # HTTPS server
+  server {
+    listen 443 ssl;
+
+    # Dynamic handler for issuing or returning certs for SNI domains.
+    ssl_certificate_by_lua_block {
+      auto_ssl:ssl_certificate()
+    }
+
+    # You must still define a static ssl_certificate file for nginx to start.
+    #
+    # You may generate a self-signed fallback with:
+    #
+    # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+    #   -subj '/CN=sni-support-required-for-valid-ssl' \
+    #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+    #   -out /etc/ssl/resty-auto-ssl-fallback.crt
+    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
+    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
+  }
+
+  # HTTP server
+  server {
+    listen 80;
+
+    # Endpoint used for performing domain verification with Let's Encrypt.
+    location /.well-known/acme-challenge/ {
+      content_by_lua_block {
+        auto_ssl:challenge_server()
+      }
+    }
+  }
+
+  # Internal server running on port 8999 for handling certificate tasks.
+  server {
+    listen 127.0.0.1:8999;
+
+    # Increase the body buffer size, to ensure the internal POSTs can always
+    # parse the full POST contents into memory.
+    client_body_buffer_size 128k;
+    client_max_body_size 128k;
+
+    location / {
+      content_by_lua_block {
+        auto_ssl:hook_server()
+      }
+    }
+  }
+}
No results found