
I have a small Linux VPS instance set up with nginx to proxy requests as a load balancer to multiple application servers.

All traffic is coming into https://app.example.com proxied to those upstream servers. Example nginx configuration for the load balancer:

upstream app_servers {
    server app-1.example.com;
    server app-2.example.com;
}

server {
    listen 80;
    listen 443 ssl;
    include snippets/ssl-app.example.com.conf;
    include snippets/ssl-params.conf;

    server_name app.example.com;

    root /var/www/html;

    location / {
            # Set proxy headers
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_pass http://app_servers;
    }

    location ~ /.well-known {
            allow all;
    }

}

I set up letsencrypt and got a certificate for app.example.com before setting up the proxy, and now I'm having trouble figuring out how to configure nginx to proxy everything to the upstream app_servers except for anything under /.well-known, so certbot can locally renew the SSL certificates on the server running this nginx load balancer. Any suggestions on how to route app.example.com/.well-known/ to a local path that letsencrypt certbot can use and hit successfully during renewal?


Update: ensuring .well-known existed at /var/www/html (Debian) and setting root in the conf allowed certbot to renew properly. The nginx conf snippet has been updated to reflect that.

beaorn

  • The obvious thing to do is to set a `root`. – Michael Hampton Apr 20 '18 at 18:51
  • Can you clarify, please? When I had a root set it was unaffected, since all traffic is being proxied at /. Seems like there might be a way to exclude traffic to a root path outside of that, but I'm unsure how. – beaorn Apr 20 '18 at 18:54
  • That's what the `location` is for. – Michael Hampton Apr 20 '18 at 18:56
  • nvm, you were right: setting root to the proper path fixed it. I was confused about the ramifications of setting root affecting proxy_pass. thx – beaorn Apr 20 '18 at 19:06
  • Can you please answer your own question and show the working configuration you used, so others trying to do this have a good reference. – Tim Apr 20 '18 at 19:31

1 Answer

Setting root to the default nginx webroot on Debian, /var/www/html, which is where certbot was originally configured to point for the .well-known folder, resolved the issue.

upstream app_servers {
  server app-1.example.com;
  server app-2.example.com;
}

server {
  listen 80;
  listen 443 ssl;
  include snippets/ssl-app.example.com.conf;
  include snippets/ssl-params.conf;

  server_name app.example.com;

  root /var/www/html;

  location / {
    # Set proxy headers
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass http://app_servers;
  }

  location ~ /.well-known {
    allow all;
  }
}
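To see why the `root` plus regex `location` combination works, and what the unanchored `~ /.well-known` regex also captures, here is an added Python model of nginx's location selection (example code written for this page, not nginx's or certbot's own). `LOCATIONS` mirrors the two blocks in the answer; `TIGHTENED` is an assumed stricter variant using `^~ /.well-known/acme-challenge/`, which only diverts the ACME path and sends everything else to the upstream.

```python
import re
from typing import List, Optional, Tuple

# Constructed model of a location block: (modifier, pattern, handler).
# Modifiers follow nginx semantics: "" prefix, "=" exact, "^~" prefix that
# disables the regex search, "~" case-sensitive regex, "~*" case-insensitive regex.
Location = Tuple[str, str, str]

PROXY = "proxy_pass http://app_servers"
LOCAL = "serve from root /var/www/html"

# The two blocks from the answer's config.
LOCATIONS: List[Location] = [
    ("", "/", PROXY),
    ("~", "/.well-known", LOCAL),
]

# Assumed tighter variant: only the ACME challenge path is served locally,
# and the "^~" prefix match is literal (no regex, no unescaped ".").
TIGHTENED: List[Location] = [
    ("", "/", PROXY),
    ("^~", "/.well-known/acme-challenge/", LOCAL),
]


def resolve_location(uri: str, locations: List[Location] = LOCATIONS) -> Optional[str]:
    """Return the handler nginx would choose for a normalized request URI.

    nginx order: an exact match wins; otherwise the longest matching prefix is
    remembered; if that prefix uses "^~" the regexes are skipped; otherwise the
    first matching regex in config order wins; otherwise the remembered prefix.
    """
    best_prefix: Optional[Location] = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc[2]
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = loc
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix[2]
    for mod, pat, handler in locations:
        if mod == "~" and re.search(pat, uri):
            return handler
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return handler
    return best_prefix[2] if best_prefix else None
```

With the answer's config a request such as `/api/.well-known/x` or `/xwell-known` is served from the local root instead of being proxied, because the regex is unanchored and `.` matches any character; the tightened variant proxies both.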