I want to perform the http validation for LetsEncrypt, which requires http only (port 80). I have a Rails Application running nginx, and have all traffic redirected to HTTPS via the following configuration:

server {
  listen 80;
  listen [::]:80;
  return 301 https://$host$request_uri;
}

My two questions:

  1. Is there a dynamic way (such as an API) to add the file path to my nginx file to serve the challenge file?
  2. Is it possible to serve this challenge file when all traffic is being redirected to https?
proximo
  • You could just add the `/.well-known/acme-challenge/` location to always direct to the location. Or if you're using `certbot`, you can use its nginx plugin via `certbot --nginx` which modifies the nginx config file dynamically for the duration of the challenge. – cbr Jan 17 '23 at 19:06
  • Don't you need to add the token to the end of that which would always change though? /.well-known/acme-challenge/{token} unfortunately I cannot use certbot for my project. I am using https://github.com/unixcharles/acme-client for reasons outside of my control. – proximo Jan 17 '23 at 19:10
  • Nginx will match the prefix `/.well-known/acme-challenge/` even if the token follows it (`location /.well-known/acme-challenge/ { }`). You could just add the same proxy_pass directives there to proxy the traffic to your Ruby app. If someone makes a request while you're not making a challenge, just return a 404 from your Ruby app. – cbr Jan 17 '23 at 19:13
  • Alternatively you could just modify the nginx config file from your Ruby app to enable the location block when necessary and reload nginx, but that would require the ruby app having write access to nginx's configs which sounds sketchy at best. – cbr Jan 17 '23 at 19:16
  • OpenResty (nginx + bunch of module, mainly lua) might contain something that would let you dynamically change upstreams or locations via Lua scripts, but just always having the .well-known location is probably the cleanest solution. – cbr Jan 17 '23 at 19:18
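
The approach the comments converge on, worked through as an added example (this is not code from the question or from the acme-client gem): nginx keeps its port-80 `return 301` redirect but gets a `location /.well-known/acme-challenge/ { proxy_pass http://127.0.0.1:3000; }` block placed before it, so only challenge requests reach the Ruby app. The Ruby side below is a minimal Rack app with an in-memory token store. The code that runs the ACME order registers each token with the key authorization (with acme-client that is `challenge.token` and `challenge.file_content`), and the app answers 404 for anything it has not been told about, for non-GET methods, and for tokens that are not base64url (so path segments like `..` can never reach a file lookup). The token values and the `127.0.0.1:3000` upstream are constructed assumptions.

```ruby
# Added example, not part of the original question or of acme-client.
# Serves ACME HTTP-01 challenges from an in-memory registry; everything else is 404.

# Token -> key authorization. Populated by whatever code drives the ACME order
# (with acme-client: store.add(challenge.token, challenge.file_content)).
class AcmeChallengeStore
  # ACME tokens are base64url; anything else (slashes, dots, NULs) is rejected
  # so a request path can never be turned into an arbitrary lookup.
  TOKEN_RE = /\A[A-Za-z0-9_-]{1,128}\z/

  def initialize
    @tokens = {}
    @mutex = Mutex.new # the app may be served by several threads
  end

  def add(token, key_authorization)
    raise ArgumentError, "malformed ACME token" unless TOKEN_RE.match?(token)
    @mutex.synchronize { @tokens[token] = key_authorization }
  end

  # Remove the token as soon as the CA reports the challenge valid.
  def remove(token)
    @mutex.synchronize { @tokens.delete(token) }
  end

  def fetch(token)
    return nil unless TOKEN_RE.match?(token)
    @mutex.synchronize { @tokens[token] }
  end
end

# Plain Rack app: env in, [status, headers, body] out.
class AcmeChallengeApp
  PREFIX = "/.well-known/acme-challenge/"

  def initialize(store)
    @store = store
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return not_found unless env["REQUEST_METHOD"] == "GET" && path.start_with?(PREFIX)

    body = @store.fetch(path.delete_prefix(PREFIX))
    return not_found unless body

    # Let's Encrypt accepts any content type; no-store keeps proxies from
    # replaying a stale answer for a reissued token.
    [200, { "content-type" => "application/octet-stream", "cache-control" => "no-store" }, [body]]
  end

  private

  def not_found
    [404, { "content-type" => "text/plain" }, ["Not Found"]]
  end
end

# Stand-alone demo with constructed values (a real key authorization is
# "<token>.<account key thumbprint>" as supplied by challenge.file_content).
if __FILE__ == $PROGRAM_NAME
  store = AcmeChallengeStore.new
  store.add("demo-token-abc123", "demo-token-abc123.demo-thumbprint")
  app = AcmeChallengeApp.new(store)
  status, _headers, body = app.call("REQUEST_METHOD" => "GET",
                                    "PATH_INFO" => "/.well-known/acme-challenge/demo-token-abc123")
  puts "#{status} #{body.join}"
end
```

Run it as its own Rack process (`run AcmeChallengeApp.new(store)` in a config.ru) or fold the same checks into a Rails controller; either way the port-80 server block needs nothing more than the one `location` carve-out, and the 301 for every other path stays in place.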

0 Answers