add 'well-known/acme-challenge' file

add root snippets support
add http proxy config to allow ACME challenges
4 changed files with 45 additions and 6 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -17,6 +17,11 @@
  loop:
    - connection_upgrade.conf # fix some nginx bug

+- name: Ensure the cert directory exists
+  file:
+    path: /var/www/well-known/acme-challenge/.well-known/acme-challenge
+    state: directory
+
 - name: Ensure the cert directory exists
  file:
    path: /etc/nginx/certs
@ -63,10 +68,8 @@
    dest: /etc/nginx/nginx.conf
  notify: Reload nginx

-# TODO: << Manage SSL stream reverse proxy >>
-
 # Manage each http site
- name: Copy Http Servers
+- name: Copy HTTP Servers
  template:
    src: http_server.j2
    dest: "/etc/nginx/sites-available/{{ item.key }}"
@ -97,3 +100,11 @@
    force: yes
  loop: "{{ http_sites | dict2items}}"
  notify: Reload nginx
+
+# Add HTTP proxy to allow ACME challenges between LE and the SSL endpoints of proxy streams
+- name: Copy HTTP Servers allowing ACME challenges with proxy stream
+  template:
+    src: http_proxy_acme.j2
+    dest: "/etc/nginx/sites-available/acme_http_proxy_{{ item.key }}"
+  loop: "{{ ssl_reverse_proxy_upstream | dict2items}}"
+  notify: Reload nginx
--- a/templates/http_proxy_acme.j2
+++ b/templates/http_proxy_acme.j2
@ -0,0 +1,17 @@
+i{{ ansible_managed | comment }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ item.value.sni_server_name }};
+
+    location /.well-known/acme-challenge {
+        proxy_pass http://{{ item.value.to }}:80;
+        proxy_set_header Host $host;
+    }
+
+    # Redirect to https
+    location / {
+        return 302 https://$host$request_uri;
+    }
+}
--- a/templates/http_server.j2
+++ b/templates/http_server.j2
@ -9,6 +9,11 @@ server {
        return 302 https://$host$request_uri;
    }

+    # ACME directory, to limit interaction with certbot
+    location /.well-known/acme-challenge/ {
+        root /var/www/well-known/acme-challenge/;
+    }
+
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

@ -32,7 +37,7 @@ server {

    server_name {{ item.key }};

-    {# <- TODO: move this to defaut root snippets -> -#}
+    {# <- TODO: move this to defaut root snippets ? -> -#}
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

@ -43,7 +48,13 @@ server {
    # "A man is not dead while his name is still spoken." -- Going Postal
    add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
    {% endif -%}
-    {#  <- TODO: move this to defaut root snippets -> -#}
+    {#  <- TODO: move this to defaut root snippets ?-> -#}
+
+    {% filter indent(width=4) -%}
+    {%- for config in (item.value.root_snippets | default([])) -%}
+    {{ config }}
+    
+    {%- endfor -%}

    # Logs
    access_log /var/log/nginx/{{ item.key }}.log;
--- a/templates/nginx.conf
+++ b/templates/nginx.conf
@ -44,7 +44,7 @@ stream {
        r3.o.lencr.org                  r3;
        {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
        {{ rp.value.sni_server_name }}   {{ rp.key }};
-        {%- endfor %}
+        {% endfor %}
        default                         local;
    }
Author	SHA1	Message	Date
histausse	b1c93d6089	add 'well-known/acme-challenge' file	2 years ago
histausse	ceb8391c06	add root snippets support	2 years ago
histausse	888b4c0adb	add http proxy config to allow ACME challenges	2 years ago