Open 4censord opened 4 months ago
Before this issue I was thinking of a different solution, but scoping the need for sudo only to those commands (which can then be added to the install tutorial as "copy this line into visudo, it will do X Y Z"), and running certbot/acme-python in-process, does make things a lot easier from the user-installation and management side, and allows pulling more statistics/data about certificate expiry, and renewal errors.
I like this, I think i'll take this option for v1, since it makes things relatively self-contained.
One other thought is that I'd have users run essy under www-data
, which can then reload nginx via nginx reload
itself, since then suddenly its under the same user. Do you have any thoughts about that?
One other thing, the current configuration will basically have every website pull from the same webroot, shouldnt it be this?
root {{webroot}}/$host;
One other thing, the current configuration will basically have every website pull from the same webroot, shouldnt it be this?
root {{webroot}}/$host;
My idea was that essy puts in something like /var/lib/essy/$ID
as webroot, and creates an nginx config file per site. That would allow essy to alias other domains to the same site with only adding them to the server_name directive.
So site 1 lives in /var/lib/essy/1/
, and listens on domains 1.example.com
and www.1.example.com
.
And has the config file /etc/nginx/essy.d/1.conf
Site 2 then lives in /var/lib/essy/2/
, and listens on domains my.domain
and my.other.domain
.
And has the config file /etc/nginx/essy.d/2.conf
One other thought is that I'd have users run essy under www-data, which can then reload nginx via nginx reload itself, since then suddenly its under the same user. Do you have any thoughts about that?
That might not work, though i'm not sure. If essy runs as a service with limited access, it's probably not able to access the nginx process to send a reload signal. Also, this would complicate installation, as one needs to make sure that nginx and essy run as the same uid, or one needs to set up groups etc.
Oh, and on systems with selinux/apparmor, it would be pain to configure without turning them off, which should be avoided imho
I don't want to have essy run as root, its both a security risk and an ask of trust for the user, so the visudo approach is better imo, and relatively simple ^^
Also; do join the Zulip via the link i gave you, so we can talk about this more. I don't know exactly your vision for the webroot, but i guess i'd have to tell you my idea first, since i dont see how it fits with what you're telling me.
I did some thinking, and thought I'd document that here.
Some definitions to prevent confusion:
General stuff
As the webserver I'd use nginx. For generating TLS certs, i'd use certbot with the webroot plugin.
For reloading the webserver configuration, i'd use sudo. Sudo allows you to restrict what an account can do, so i'd allow essy to exclusively issue reload commands to nginx, and not allow anything else.
Example:
For nginx, i'd template configuration with jinja. The main nginx config defines a folder thats writable by essy. Essy templates its nginx config snippets into that folder, and triggers a nginx reload. The Nginx configuration for a site should be secure by default.
For certbot, i'd run it as a subprocess. Alternative: Look into using acme-python. Advantage: No external dependency on certbot Disadvantage: More complicated Need to handle renewals ourselves
Certbot should be set up to automatically renew all certs on the machine. Certbot should reload nginx automatically upon renewal. Certbot is used with the
webroot
plugin. Certbot puts its challenge files into a folder outside of the users webroot, nginx is configured to server.well-known/acme-challenge
from this path.Adding a new Site
Removing a site
Configuration templates
HTTP only nginx config
```nginx # generated 2024-05-25, Mozilla Guideline v5.7, nginx 1.17.7, OpenSSL 1.1.1k, modern configuration # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.7 server { listen 80; listen [::]:80; server_name {% for name in server_names %} {{ name }}{% endfor %}; location ^~ /.well-known/acme-challenge/ { root {{certbot_webroot_path}}; } location / { return 301 https://$host$request_uri; } } ```HTTPS nginx config
```nginx # generated 2024-05-25, Mozilla Guideline v5.7, nginx 1.17.7, OpenSSL 1.1.1k, modern configuration # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.7 server { listen 80; listen [::]:80; server_name {% for name in server_names %} {{ name }}{% endfor %}; location ^~ /.well-known/acme-challenge/ { root {{certbot_webroot_path}}; } location / { return 301 https://$host$request_uri; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name {% for name in server_names %} {{ name }}{% endfor %}; ssl_certificate {{ le_cert_fullchain }}; ssl_certificate_key {{ le_cert_privkey }}; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; # modern configuration ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate {{ le_cert_chain }}; # Deny access to any hidden files (starting with .) # e.g. .htaccess and .htpasswords # or .git folders location ~ /\. { deny all; } # explicitly allow .well-known/ location ~ /\.well-known/ {} location ^~ /.well-known/acme-challenge/ { root {{certbot_webroot_path}}; } root {{webroot}}; } ```