fititnt / ap-application-load-balancer

AP Application Load Balancer (AP-ALB). Sophisticated monolithic Ansible role to manage standalone and clusters of cross-platform and multicloud load balancers. Abstract HAProxy + OpenResty + On-the-fly auto HTTPS. Dedicated to Public Domain.
https://ap-application-load-balancer.etica.ai/
The Unlicense

Expose `lua-resty-auto-ssl` allow_domain functionality to end user (Let's Encrypt auto HTTPS) #6

Closed fititnt closed 4 years ago

fititnt commented 5 years ago

See also:


The AP-ALB v0.4-beta still does not expose to the user any way to customize the allow_domain, not even as a function. This issue is for improving this.

This is our current rule, which is hardcoded (not even customizable with Ansible).

    # Initial setup tasks.
    init_by_lua_block {
      auto_ssl = (require "resty.auto-ssl").new()

      -- Define a function to determine which SNI domains to automatically handle
      -- and register new certificates for. Defaults to not allowing any domains,
      -- so this must be configured.
      auto_ssl:set("allow_domain", function(domain)
        return true
      end)

      auto_ssl:init()
    }

It's OK for testing (whitelists everything), and in fact it was in the documentation of GUI/lua-resty-auto-ssl, but it can hit Let's Encrypt limits fast for invalid domains pointing to the IP of the server.

fititnt commented 4 years ago

Implemented. It still allows the end user to implement raw Lua code with alb_acme_rule_lua, but some common use cases are done using plain YAML.

This may be especially useful for those who do not want to learn to debug the full OpenResty stack.

Example from v0.8.6-alpha:

    ### AP-ALB ACME ________________________________________________________________
    # BY USING Let's Encrypt, even if automated for you, you AGREE with the
    # Let's Encrypt Subscriber Agreement at https://letsencrypt.org/repository/

    alb_acme_production: true

    alb_acme_rule_ips_allowed: false # ACME (Let's Encrypt at least) will not issue HTTPS for IPs, so don't even try

    # Exact match
    alb_acme_rule_whitelist: []
    alb_acme_rule_whitelist_file: '' # not implemented... yet
    alb_acme_rule_blacklist: []
    alb_acme_rule_blacklist_file: '' # not implemented... yet

    # Suffix match (e.g. for subdomains) and prefix match (e.g. any full domain that starts with these values)
    alb_acme_rule_whitelist_suffix: []
    alb_acme_rule_whitelist_prefix: []
    alb_acme_rule_blacklist_suffix: []
    alb_acme_rule_blacklist_prefix: []

    # alb_acme_rule_lua injects custom Lua inside the GUI/lua-resty-auto-ssl allow_domain function.
    alb_acme_rule_lua: |
      -- FILE: /usr/local/openresty/nginx/conf/nginx.conf
      -- NGINX CONTEXT: http/init_by_lua_block/auto_ssl:set("allow_domain", function(domain)
      -- See https://github.com/GUI/lua-resty-auto-ssl
      -- Note 1: Inside Lua blocks (like this one) "--" is used to start comments,
      --         not "#"
      -- Note 2: your custom code should 'return true' or 'return false'

    # alb_acme_rule_last defines your "default" behavior for what was not explicitly
    # whitelisted/blacklisted
    alb_acme_rule_last: true

    # This value is inferred from alb_acme_production. But you can customize it yourself
    alb_acme_url: "{{ 'https://acme-v02.api.letsencrypt.org/directory' if alb_acme_production else 'https://acme-staging-v02.api.letsencrypt.org/directory' }}"
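As an added illustration (not code from AP-ALB itself), here is a stand-alone Lua `allow_domain` evaluator of the kind the `alb_acme_rule_*` options above would render into `init_by_lua_block`. The rule values and the evaluation order (IP literal check, exact lists, suffix/prefix lists, then `alb_acme_rule_last`, with deny checked before allow at each tier) are my assumptions, since the page does not state the precedence.

```lua
-- Added example, not AP-ALB generated code. Rule values are constructed;
-- the precedence below (deny before allow at each tier) is an assumption.
local rules = {
  ips_allowed      = false,                 -- alb_acme_rule_ips_allowed
  whitelist        = { "example.org" },     -- alb_acme_rule_whitelist
  blacklist        = { "old.example.org" }, -- alb_acme_rule_blacklist
  whitelist_suffix = { ".example.org" },    -- alb_acme_rule_whitelist_suffix
  whitelist_prefix = {},                    -- alb_acme_rule_whitelist_prefix
  blacklist_suffix = {},                    -- alb_acme_rule_blacklist_suffix
  blacklist_prefix = { "test-" },           -- alb_acme_rule_blacklist_prefix
  last             = false,                 -- alb_acme_rule_last: deny unmatched names
}

local function looks_like_ip(name)
  -- IPv4 dotted quad, or any ':' (IPv6 literal); ACME will not issue for these
  return name:match("^%d+%.%d+%.%d+%.%d+$") ~= nil or name:find(":", 1, true) ~= nil
end

local function in_list(name, list)
  for _, v in ipairs(list) do if v == name then return true end end
  return false
end

local function has_suffix(name, list)
  for _, s in ipairs(list) do
    if #s > 0 and #name >= #s and name:sub(-#s) == s then return true end
  end
  return false
end

local function has_prefix(name, list)
  for _, p in ipairs(list) do
    if #p > 0 and name:sub(1, #p) == p then return true end
  end
  return false
end

-- Same signature lua-resty-auto-ssl calls: the SNI hostname of the handshake.
local function allow_domain(domain)
  domain = domain:lower()
  if not rules.ips_allowed and looks_like_ip(domain) then return false end
  if in_list(domain, rules.blacklist) then return false end
  if in_list(domain, rules.whitelist) then return true end
  if has_suffix(domain, rules.blacklist_suffix) or has_prefix(domain, rules.blacklist_prefix) then return false end
  if has_suffix(domain, rules.whitelist_suffix) or has_prefix(domain, rules.whitelist_prefix) then return true end
  return rules.last  -- nothing matched: fall back to alb_acme_rule_last
end

-- In nginx.conf this becomes: auto_ssl:set("allow_domain", allow_domain)
assert(allow_domain("example.org") == true)           -- exact whitelist
assert(allow_domain("app.example.org") == true)       -- suffix whitelist
assert(allow_domain("old.example.org") == false)      -- exact blacklist wins
assert(allow_domain("test-app.example.org") == false) -- prefix blacklist wins over suffix whitelist
assert(allow_domain("203.0.113.10") == false)         -- IP literal is never requested
assert(allow_domain("unrelated.invalid") == false)    -- unmatched: alb_acme_rule_last
```

With `alb_acme_rule_last: false` a stray hostname merely pointed at the server's IP never triggers a certificate request, which is what keeps the Let's Encrypt rate limits from being consumed by names you do not own.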