diff --git a/documentation/administrators b/documentation/administrators
index 50a60b7..f30563c 100644
--- a/documentation/administrators
+++ b/documentation/administrators
@@ -93,9 +93,9 @@ This section shows how to configure lighttpd as a reverse proxy for the web UI,
 with also a TLS certificate.
 apt-get install certbot
- certbot certonly --webroot -w /var/www/html -d
+ certbot certonly --webroot -w /var/www/html -d example.org
-The cert is created in /etc/letsencrypt/live//
+The cert is created in /etc/letsencrypt/live/example.org/
 Lighttpd requires the certificate and private key to be in a single file:
 cat privkey.pem cert.pem > privkey+cert.pem
@@ -108,24 +108,30 @@ Add to lighttpd configuration:
 "mod_fastcgi", "mod_proxy", )
-
- # Redirect HTTP to HTTPS
+
+ # Redirect all HTTP requests to HTTPS by default, except /.well-known which is
+ # used by Let's Encrypt for renewing certificates.
 $HTTP["scheme"] == "http" {
- url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
- url.redirect-code = 308
+ $HTTP["url"] !~ "^/.well-known/(.*)" {
+ url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
+ url.redirect-code = 308
+ }
 }
- $SERVER["socket"] == ":443" {
- ssl.engine = "enable"
- ssl.pemfile = "/etc/letsencrypt/live//privkey+cert.pem"
- ssl.ca-file = "/etc/letsencrypt/live//chain.pem"
+ $HTTP["host"] == "example.org" {
+ $SERVER["socket"] == ":443" {
+ ssl.engine = "enable"
+ ssl.pemfile = "/etc/letsencrypt/live/example.org/privkey+cert.pem"
+ ssl.ca-file = "/etc/letsencrypt/live/example.org/chain.pem"
- $HTTP["host"] == "" {
 proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 5000 ) ) )
+ # server.document-root = "/var/www/html"
+ # server.errorlog = "/"
+ # accesslog.filename = "/"
 }
 }
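Review bot: The HTTPS-redirect exemption `$HTTP["url"] !~ "^/.well-known/(.*)"` in the second hunk is broader than certificate renewal needs: every path under /.well-known/ stays on plaintext HTTP, and the unescaped `.` matches any character rather than a literal dot. The ACME HTTP-01 challenge that `certbot certonly --webroot` serves lives only under /.well-known/acme-challenge/, so `$HTTP["url"] !~ "^/\.well-known/acme-challenge/"` keeps renewal working while redirecting everything else. The comment above it should state the narrower scope too, e.g. `# except /.well-known/acme-challenge/, which Let's Encrypt HTTP-01 renewal must reach over plain HTTP`. Separately, the rewrite nests `$SERVER["socket"] == ":443"` inside `$HTTP["host"] == "example.org"`, the reverse of the old layout; it is worth confirming against the lighttpd version these docs target that a socket conditional is accepted inside a host conditional, since per-host certificate selection is normally written with the host block inside the socket block.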
@@ -137,7 +143,7 @@ that will generate a new privkey+cert.pem file and reload lighttpd.
 # Content of "clif-letsencrypt"
 certbot renew
- cd /etc/letsencrypt/live/
+ cd /etc/letsencrypt/live/example.org
 cat privkey.pem cert.pem > privkey+cert.pem
 service lighttpd restart