Author zPlus <zplus@peers.community> 2022-10-02 17:09:31
Committer zPlus <zplus@peers.community> 2022-10-02 17:09:31
Commit c8b05f1 (patch)
Tree 23af4f1
Parent(s)

[Documentation] Do not redirect .well-known to HTTPS. Update the documentation so that requests under /.well-known/ are excluded from the HTTP-to-HTTPS redirect. This is necessary for Let's Encrypt to be able to renew its certificates.


commits diff: db2fb75..c8b05f1
1 file changed, 18 insertions, 12 deletionsdownload


Diffstat
-rw-r--r-- documentation/administrators 30

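--- a/documentation/administrators
+++ b/documentation/administrators
@@ -93,9 +93,9 @@ This section shows how to configure lighttpd as a reverse proxy for the web UI,
 with also a TLS certificate.
 
 apt-get install certbot
-certbot certonly --webroot -w /var/www/html -d <your-domain.tld>
+certbot certonly --webroot -w /var/www/html -d example.org
 
-The cert is created in /etc/letsencrypt/live/<your-domain.tld>/
+The cert is created in /etc/letsencrypt/live/example.org/
 Lighttpd requires the certificate and private key to be in a single file:
 
 cat privkey.pem cert.pem > privkey+cert.pem
@@ -108,24 +108,30 @@ Add to lighttpd configuration:
 "mod_fastcgi",
 "mod_proxy",
 )
-
-# Redirect HTTP to HTTPS
+
+# Redirect all HTTP requests to HTTPS by default, except /.well-known which is
+# used by Let's Encrypt for renewing certificates.
 $HTTP["scheme"] == "http" {
-url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
-url.redirect-code = 308
+$HTTP["url"] !~ "^/.well-known/(.*)" {
+url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
+url.redirect-code = 308
+}
 }
 
-$SERVER["socket"] == ":443" {
-ssl.engine = "enable"
-ssl.pemfile = "/etc/letsencrypt/live/<your-domain.tld>/privkey+cert.pem"
-ssl.ca-file = "/etc/letsencrypt/live/<your-domain.tld>/chain.pem"
+$HTTP["host"] == "example.org" {
+$SERVER["socket"] == ":443" {
+ssl.engine = "enable"
+ssl.pemfile = "/etc/letsencrypt/live/example.org/privkey+cert.pem"
+ssl.ca-file = "/etc/letsencrypt/live/example.org/chain.pem"
 
-$HTTP["host"] == "<your-domain.tld>" {
 proxy.server = (
 "" => (
 ( "host" => "127.0.0.1", "port" => 5000 )
 )
 )
+# server.document-root = "/var/www/html"
+# server.errorlog = "/"
+# accesslog.filename = "/"
 }
 }
 
@@ -137,7 +143,7 @@ that will generate a new privkey+cert.pem file and reload lighttpd.
 
 # Content of "clif-letsencrypt"
 certbot renew
-cd /etc/letsencrypt/live/<your-domain.tld>
+cd /etc/letsencrypt/live/example.org
 cat privkey.pem cert.pem > privkey+cert.pem
 service lighttpd restart
 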
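Review bot: The new exemption `$HTTP["url"] !~ "^/.well-known/(.*)"` in the second hunk leaves every path under `/.well-known/` reachable over plaintext HTTP, and the unescaped `.` is a regex metacharacter, so `/Xwell-known/...` is exempted as well; HTTP-01 validation only fetches `/.well-known/acme-challenge/<token>`, so `$HTTP["url"] !~ "^/\.well-known/acme-challenge/"` keeps everything else on the 308 redirect. Nothing in the snippet says what answers the un-redirected challenge request on port 80: `server.document-root` appears only commented out, so renewal presumably relies on lighttpd's default document root coinciding with certbot's `-w /var/www/html`, which the documentation should state explicitly. The adjacent `# server.errorlog = "/"` and `# accesslog.filename = "/"` lines look like debugging residue with non-file paths and would be better dropped, or given real paths, before an administrator copies them.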