auto-ssl / lua-resty-auto-ssl

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let's Encrypt.

infinite loop for allow_domain #218

Closed Sinequanonh closed 4 years ago

Sinequanonh commented 4 years ago

Facing a little issue. For some domains, the allow_domain function is still being called despite the fact that there is already an existing certificate for those domains.

Isn't it auto_ssl:ssl_certificate()'s role to prevent this?

I am saving files locally, could it be the reason? If so why?

Here's what my whole nginx config looks like:

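error_log /var/log/nginx/nginx_error.log debug;

events {
  worker_connections 1024;
}

http {
  include mime.types;
  # The "auto_ssl" shared dict should be defined with enough storage space to
  # hold your certificate data. 1MB of storage holds certificates for
  # approximately 100 separate domains.
  # NOTE(review): if more domains than fit here are served, cached certs get
  # evicted and the lookup/allow path runs again for them - worth confirming
  # against the number of domains in use.
  lua_shared_dict auto_ssl 1m;
  # The "auto_ssl_settings" shared dict is used to temporarily store various settings
  # like the secret used by the hook server on port 8999. Do not change or
  # omit it.
  lua_shared_dict auto_ssl_settings 64k;
  lua_shared_dict tmp 12k;

  # Outbound HTTPS requests made from Lua (the allow_domain callback below)
  # are verified against this CA bundle; keep it current.
  lua_ssl_verify_depth 2;
  lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.pem;
  lua_package_path "/root/lua-resty-http/lib/?.lua;;";

  # A DNS resolver must be defined for OCSP stapling to function.
  #
  # This example uses Google's DNS server. You may want to use your system's
  # default DNS servers, which can be found in /etc/resolv.conf. If your network
  # is not IPv6 compatible, you may wish to disable IPv6 results by using the
  # "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
  resolver 8.8.8.8;

  # Initial setup tasks.
  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()

    -- Decide whether a certificate may be issued for `domain`.
    -- `domain` is the SNI hostname presented by the TLS client, i.e. it is
    -- client-controlled input: it is validated before being placed in a URL,
    -- and the upstream call is bounded by a timeout so a burst of unknown SNI
    -- names cannot hold handshakes (and the approval API) open indefinitely.
    -- Returns true only when the approval API answers 200; any other status,
    -- transport error or malformed name denies issuance.
    auto_ssl:set("allow_domain", function(domain)
      -- Reject anything that is not a plain hostname before building the URL,
      -- so no path or query characters from the client reach the API.
      if type(domain) ~= "string" or not domain:match("^[%w%-%.]+$") then
        return false
      end

      local http = require("resty.http")
      local httpc = http.new()
      httpc:set_timeout(5000) -- milliseconds; tune to the approval API's latency
      local uri = "https://api.hyperping.io/v1/approveDomain/" .. domain
      local res, err = httpc:request_uri(uri, {
        method = "GET",
        ssl_verify = true, -- checked against lua_ssl_trusted_certificate above
      })

      if not res then
        ngx.log(ngx.ERR, "failed to request: ", err)
        return false
      end

      -- Only an explicit 200 approves the domain; 404 and everything else deny.
      return res.status == 200
    end)

    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

  # HTTPS server
  #
  # No server_name: this is the default server for every SNI name that does
  # not match "*.hyperping.io" below, so any hostname a client presents reaches
  # auto_ssl:ssl_certificate() and, for unknown names, the allow_domain check.

  server {
    listen 443 ssl;
    # "ssl on;" dropped: redundant with "listen 443 ssl" and deprecated.
    gzip on;

    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

    # Dynamic handler for issuing or returning certs for SNI domains.
    ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate()
    }

    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

    root /var/www/statuspage;
    index index.html;
    location / {
      try_files $uri $uri/ /index.html;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection 'upgrade';
      proxy_set_header Host $host;
      proxy_cache_bypass $http_upgrade;
    }

    location ~ ^/public/[0-9]+ {
      root /var/www/statuspage;
      try_files /index.html =404;
    }

    # NOTE(review): "/*" means "slash, zero or more times", so this also
    # matches paths such as "/staticfoo"; "^/static/" is probably intended.
    location ~ ^/static/* {
      root /var/www/statuspage;
      try_files $uri $uri/ =404;
      expires 30d;
      add_header Vary Accept-Encoding;
      access_log off;
    }
  }

  server {
    listen 443 ssl;
    server_name *.hyperping.io;
    ssl_certificate /etc/letsencrypt/live/hyperping.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hyperping.io/privkey.pem;

    root /var/www/statuspage;
    index index.html;
    location / {
      try_files $uri $uri/ /index.html;
    }

    location ~ ^/public/[0-9]+ {
      root /var/www/statuspage;
      try_files /index.html =404;
    }

    # NOTE(review): same "/*" pattern as above.
    location ~ ^/static/* {
      root /var/www/statuspage;
      try_files $uri $uri/ =404;
      expires 30d;
      add_header Vary Accept-Encoding;
      access_log off;
    }
  }

  # HTTP server

  server {
    listen 80;

    # Endpoint used for performing domain verification with Let's Encrypt.
    location /.well-known/acme-challenge/ {
      content_by_lua_block {
        auto_ssl:challenge_server()
      }
    }

    location / {
      return 301 https://$host$request_uri;
    }
  }

  # Internal server running on port 8999 for handling certificate tasks.
  # Bound to loopback only; keep it that way, the hook server is not meant to
  # be reachable from outside the host.
  server {
    listen 127.0.0.1:8999;

    # Increase the body buffer size, to ensure the internal POSTs can always
    # parse the full POST contents into memory.
    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }
}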

What am I doing wrong 😬