author | Dave Nicponski <dave.nicponski@gmail.com> | 2022-10-12 19:47:36 -0400 |
---|---|---|
committer | Dave Nicponski <dave.nicponski@gmail.com> | 2022-10-20 10:59:28 -0400 |
commit | 1a73877305f32ff158173878dda6b86f378ff3c8 (patch) | |
tree | 0e4b532ed400429b26b03ecba89d103315e47074 /nixos/modules/services/web-servers/nginx/default.nix | |
parent | bbbaaa3e3530335bdefa5d4e682e3f1b4fbf218c (diff) | |
Tweak nginx config for Let's Encrypt ACME challenges
Currently, this is using a "URI prefix match", but per nginx docs,

```
[...] the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used.
```

which means a config like this (from wordpress service) will override that

```
locations = {
  "~ /\\." = {
    priority = 800;
    extraConfig = "deny all;";
  };
};
```

😱 Luckily, from nginx docs:

```
If the longest matching prefix location has the “^~” modifier then regular expressions are not checked.
```

Whew!
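As an added illustration (not part of the commit or of nixpkgs), the Python below models the nginx location-selection rules the commit message quotes and runs the before/after `location` lines from this patch against a few constructed request paths, next to the wordpress-style `~ /\.` deny rule. The `Location` class, the block names, the request paths and the challenge token are all constructed for this example; it is a simplified model of the documented algorithm (no nested or `@named` locations, URIs assumed already normalised), not nginx itself.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    """One nginx `location` block: modifier ("", "=", "^~", "~", "~*"),
    its pattern, and a label used to report which block was selected."""
    modifier: str
    pattern: str
    name: str


def select_location(locations: list[Location], uri: str) -> Optional[str]:
    """Model of nginx's location selection for a normalised request URI.

    Order of evaluation, as documented by nginx:
      1. an exact ("=") match ends the search immediately;
      2. among plain and "^~" prefix locations, the longest matching
         prefix is remembered;
      3. if that remembered prefix carries "^~", it wins and regexes
         are not checked at all;
      4. otherwise regex locations ("~", "~*") are tried in file order
         and the first match wins;
      5. with no regex match, the remembered prefix location is used.
    Returns the winning block's name, or None if nothing matched.
    """
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc.name

    best: Optional[Location] = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc

    if best is not None and best.modifier == "^~":
        return best.name

    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc.name

    return best.name if best is not None else None


# Constructed vhost models. The "acme" block mirrors the patch's before and
# after states; "deny-dotfiles" is the wordpress-style `~ /\.` -> `deny all`
# rule the commit message cites; "root" stands in for the vhost catch-all.
BEFORE = [
    Location("", "/.well-known/acme-challenge", "acme"),
    Location("~", r"/\.", "deny-dotfiles"),
    Location("", "/", "root"),
]
AFTER = [
    Location("^~", "/.well-known/acme-challenge/", "acme"),
    Location("~", r"/\.", "deny-dotfiles"),
    Location("", "/", "root"),
]

# Constructed challenge token; real tokens are chosen by the ACME CA.
CHALLENGE_URI = "/.well-known/acme-challenge/token-constructed"

SAMPLE_URIS = (
    CHALLENGE_URI,
    "/.well-known/acme-challenge",  # no trailing slash, no token
    "/.git/config",                 # a dotfile path the deny rule targets
    "/index.html",                  # ordinary content
)

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for uri in SAMPLE_URIS:
            print(f"{label:6} {uri:45} -> {select_location(conf, uri)}")
```

Run directly, it prints which block each path lands in. The challenge URI goes to `deny-dotfiles` under the old prefix location (the regex overrides the remembered prefix) and to `acme` once `^~` is in place. The second path, without the trailing slash, shows the side effect of the slash the patch adds: that exact path no longer matches the ACME prefix and falls through to the regex rule, which is harmless for real challenges since they always carry a token after the slash.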
Diffstat (limited to 'nixos/modules/services/web-servers/nginx/default.nix')
-rw-r--r-- nixos/modules/services/web-servers/nginx/default.nix | 5
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index aa782b4267e8..9cbac370612f 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -275,7 +275,10 @@ let redirectListen = filter (x: !x.ssl) defaultListen; acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) '' - location /.well-known/acme-challenge { + # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) + # We use ^~ here, so that we don't check any regexes (which could + # otherwise easily override this intended match accidentally). + location ^~ /.well-known/acme-challenge/ { ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"} ${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"} auth_basic off; |
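Review bot: the new location line changes two things at once, the `^~` modifier and a trailing slash (`/.well-known/acme-challenge/` instead of `/.well-known/acme-challenge`), but the added comment and the commit message only explain the first. The slash narrows the match, so a request for exactly `/.well-known/acme-challenge` (no token) now falls through to the vhost's other locations instead of this block; that is fine for ACME, which always appends a token, but say so in the comment so a later reader does not treat the slash as accidental. Also worth one more sentence in the comment: since `^~` skips every regex location under this prefix, rules such as the wordpress `~ /\.` `deny all` no longer apply beneath it, so the `root ${vhost.acmeRoot}` set a few lines later should point at a directory holding nothing but challenge files.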