fititnt / ap-application-load-balancer

AP Application Load Balancer (AP-ALB). Sophisticated monolithic Ansible role to manage standalone and clusters of cross-platform and multicloud load balancers. Abstract HAProxy + OpenResty + On-the-fly auto HTTPS. Dedicated to Public Domain.
https://ap-application-load-balancer.etica.ai/
The Unlicense

Use `acme` instead of `letsencrypt` for variable conventions #26

Closed fititnt closed 4 years ago

fititnt commented 4 years ago

This issue is mostly about renaming (or not creating new variables) using the hardcoded naming of letsencrypt.

fititnt commented 4 years ago

Related https://github.com/lukas2511/dehydrated/issues/653

The GUI/lua-resty-auto-ssl uses dehydrated to obtain the certificates. So in theory that issue is something to watch for.

Anyway, the new naming conventions could still be more flexible. And this may even help a lot if someone gets in trouble with letsencrypt limits and needs to quickly obtain other certificates.

fititnt commented 4 years ago

The old rule was this one

        -- Fragment injected into auto_ssl:set("allow_domain", function(domain) ... end)
        -- Fail first if domain seems to be an IP.
        -- @see https://github.com/GUI/lua-resty-auto-ssl/issues/26#issuecomment-366919522
        -- Dots are escaped (%.) so they only match literal IPv4 separators (an unescaped "."
        -- matches any character in a Lua pattern); the plain-text find for ":" catches IPv6 literals.
        if string.match(domain, "(%d+)%.(%d+)%.(%d+)%.(%d+)") or string.find(domain, ":", 1, true) then
            -- These domains can be used for testing. Comment out this "if" to not allow even these ones.
            -- The 4th argument "true" makes string.find treat the needle as plain text, not a pattern.
            -- https://nip.io/
            -- https://xip.io/
            -- https://sslip.io/
            if not (string.find(domain, "nip.io", 1, true) or string.find(domain, "xip.io", 1, true) or string.find(domain, "sslip.io", 1, true)) then
                ngx.log(ngx.ERR, "allow_domain do not allow HTTPS for IPs ", domain)
                return false
            end
        end

I will have to somewhat replace this rule to allow nip.io, xip.io and sslip.io domains

fititnt commented 4 years ago

Example from v0.8.6-alpha

### AP-ALB ACME ________________________________________________________________
# BY USING Let's Encrypt, even if automated for you, you AGREE with
# Let’s Encrypt Subscriber Agreement at https://letsencrypt.org/repository/

alb_acme_production: true

alb_acme_rule_ips_allowed: false # ACME (Let's Encrypt at least) will not issue HTTPS certificates for IPs, so don't even try

# Exact match
alb_acme_rule_whitelist: []
alb_acme_rule_whitelist_file: '' # not implemented... yet
alb_acme_rule_blacklist: []
alb_acme_rule_blacklist_file: '' # not implemented... yet

# Suffix match (e.g. for subdomains) and prefix match (e.g. if any full domain, if start with these values)
alb_acme_rule_whitelist_suffix: []
alb_acme_rule_whitelist_prefix: []
alb_acme_rule_blacklist_suffix: []
alb_acme_rule_blacklist_prefix: []

# alb_acme_rule_lua inject custom lua inside GUI/lua-resty-auto-ssl allow_domain function.
alb_acme_rule_lua: |
  -- FILE: /usr/local/openresty/nginx/conf/nginx.conf
  -- NGINX CONTEXT: http/init_by_lua_block/auto_ssl:set("allow_domain", function(domain)
  -- See https://github.com/GUI/lua-resty-auto-ssl
  -- Note 1: Inside lua blocks (like this one) "--" is used to start comments
  --       and not "#"
  -- Note 2: your custom code should 'return true' or 'return false'

# alb_acme_rule_last define your "default" behavior for what was not explicitly
# whitelisted/blacklisted
alb_acme_rule_last: true

# This value is inferred from alb_acme_production. But you can customize it yourself
alb_acme_url: "{{ 'https://acme-v02.api.letsencrypt.org/directory' if alb_acme_production else 'https://acme-staging-v02.api.letsencrypt.org/directory' }}"
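The following is an added example and not code from the AP-ALB role or from GUI/lua-resty-auto-ssl. It models, in plain Lua that runs without OpenResty, an `allow_domain` hook driven by a table shaped like the `alb_acme_rule_*` variables above, and it reuses the IP test from the old rule in the earlier comment (with the dots escaped). The precedence it applies (blacklist before whitelist, exact match before suffix/prefix, then the IP rule, then `rule_last` as the fallback), the helper names and the sample domains are all assumptions made for this example; the role does not document that order. `ngx.log` is replaced by `print` so the file runs under a stock `lua` interpreter.

```lua
-- Added example (not the AP-ALB role's own code). Assumed precedence:
-- blacklist > whitelist, exact > suffix/prefix, then IP rule, then rules.last.

local function has_value(list, domain)
  for _, v in ipairs(list) do
    if v == domain then return true end
  end
  return false
end

local function has_suffix(list, domain)
  for _, v in ipairs(list) do
    if #domain >= #v and domain:sub(-#v) == v then return true end
  end
  return false
end

local function has_prefix(list, domain)
  for _, v in ipairs(list) do
    if domain:sub(1, #v) == v then return true end
  end
  return false
end

-- Same test as the old rule, with "%." so only literal dots separate the
-- octets; the plain-text find (4th arg true) for ":" catches IPv6 literals.
local function looks_like_ip(domain)
  return string.match(domain, "(%d+)%.(%d+)%.(%d+)%.(%d+)") ~= nil
      or string.find(domain, ":", 1, true) ~= nil
end

-- Wildcard DNS services the old rule exempted from the IP check.
local IP_TEST_SUFFIXES = { "nip.io", "xip.io", "sslip.io" }

-- Build an allow_domain(domain) function from a rules table
-- (keys mirror alb_acme_rule_* without the prefix).
local function make_allow_domain(rules)
  return function(domain)
    if has_value(rules.blacklist, domain) then return false end
    if has_value(rules.whitelist, domain) then return true end
    if has_suffix(rules.blacklist_suffix, domain)
        or has_prefix(rules.blacklist_prefix, domain) then
      return false
    end
    if has_suffix(rules.whitelist_suffix, domain)
        or has_prefix(rules.whitelist_prefix, domain) then
      return true
    end
    if looks_like_ip(domain) and not rules.ips_allowed then
      if not has_suffix(IP_TEST_SUFFIXES, domain) then
        print("allow_domain do not allow HTTPS for IPs " .. domain)  -- ngx.log stand-in
        return false
      end
    end
    return rules.last  -- alb_acme_rule_last: default for anything not matched above
  end
end

-- Constructed sample configuration (hypothetical entries, example.* names).
local rules = {
  ips_allowed = false,
  whitelist = { "exact.example.com" },
  blacklist = { "blocked.example.com" },
  whitelist_suffix = { ".example.org" },
  whitelist_prefix = { "api-" },
  blacklist_suffix = { ".internal.example.org" },
  blacklist_prefix = { "admin-" },
  last = true,
}
local allow_domain = make_allow_domain(rules)

-- Constructed cases covering every branch of the hook.
local cases = {
  { "exact.example.com", true },
  { "blocked.example.com", false },
  { "www.example.org", true },
  { "db.internal.example.org", false }, -- blacklist suffix beats whitelist suffix
  { "admin-api-x.example.net", false }, -- blacklist prefix beats whitelist prefix
  { "10.0.0.1", false },                -- bare IPv4 literal
  { "2001:db8::1", false },             -- IPv6 literal (":" check)
  { "10.0.0.1.nip.io", true },          -- wildcard-DNS test domain exception
  { "other.example.net", true },        -- nothing matched: falls through to rules.last
}
for _, c in ipairs(cases) do
  assert(allow_domain(c[1]) == c[2], "unexpected result for " .. c[1])
end
print("all cases behaved as expected")
```

Run it with `lua allow_domain_example.lua`; the asserts fail loudly if the precedence you expect differs from the one modelled here, which is the point: whatever order the role actually applies, the lists are a deny/allow policy for certificate issuance, and a domain that slips through to `rules.last = true` gets a certificate requested on its behalf, so the default is the line worth auditing first.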