nginx / njs-acme

Nginx NJS module runtime to work with ACME providers like Let's Encrypt for automated no-reload TLS certificate issue/renewal.
Apache License 2.0
57 stars, 9 forks

Make /acme/auto request on startup; Increase time between /acme/auto calls #12

Closed zsteinkamp closed 5 months ago

zsteinkamp commented 1 year ago

Checking certificate validity every 90 seconds is overkill. Every hour should be sufficient. However, simply adjusting the recommended time interval would have the negative side effect of unacceptably delaying the initial call to /acme/auto to provision the certificate.

Let's investigate if we can call /acme/auto after nginx has started successfully (perhaps via a script), and then reduce the frequency of polling that URL to something like an hour (again, making use of the script so that we don't have stuff all over).

zsteinkamp commented 1 year ago

We could also put a HEALTHCHECK in the Dockerfile to eliminate the need for users to do this in their compose files.

tippexs commented 1 year ago

Hi @zsteinkamp and @ivanitskiy! Love this project! I am about to update one of my NGINX hosting clusters to the new acme version and came across a missing statement in the README. We should limit access to /acme/auto to some IPs or CIDRs. With the current setup everybody on the internet could trigger a renewal. We should just mention something like this somewhere in the docs if possible.
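The access restriction tippexs asks for can be expressed with nginx's own `allow`/`deny` directives on the location. The snippet below is an added example and not part of the njs-acme project or this thread; the handler name `acme.clientAutoMode`, the module path `acme.js` and the 10.0.0.0/8 monitoring range are assumptions chosen for illustration.

```nginx
# Added example (not from the njs-acme project): restrict who may trigger a
# certificate check/renewal via /acme/auto. Handler name and CIDR are assumed.
js_import acme from acme.js;

server {
    listen 443 ssl;
    server_name example.com;

    location = /acme/auto {
        # Only the host itself (for a local cron/HEALTHCHECK probe) and an
        # internal monitoring range may call this endpoint.
        allow 127.0.0.1;
        allow ::1;
        allow 10.0.0.0/8;   # constructed example range, replace with your own
        deny  all;          # everything else gets 403 before njs runs

        js_content acme.clientAutoMode;
    }

    # ... normal site locations ...
}
```

One caveat worth keeping in mind: `allow`/`deny` match the address nginx sees on the TCP connection, so if this server sits behind a load balancer or reverse proxy, every request will appear to come from that proxy and the allow list is meaningless unless the real client address is restored first with `set_real_ip_from` and `real_ip_header` from the ngx_http_realip_module, trusting only the proxy's own addresses.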

zsteinkamp commented 1 year ago

Thanks Timo :) Agreed on limiting access to that endpoint. I'll do that with the README.md work I'm doing now (adding installation instructions).

Future context: njs is about to gain a capability of running a JS function on a time interval, which will allow /acme/auto and associated cron/healthcheck hacks to be retired soon.

zsteinkamp commented 1 year ago

Updating here -- We are currently testing some new NJS functionality that will be released soon that eliminates the need to have an /acme/auto location block. Very exciting!

captain828 commented 10 months ago

How did the js_periodic testing go?

zsteinkamp commented 5 months ago

Hi @captain828 -- We've merged the MR with the js_periodic change. Please let us know how it works out when you try it.
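For readers following up on this thread, this is what the `js_periodic` approach referred to above looks like in nginx configuration. It is an added example, not configuration from the njs-acme project: the handler name `acme.clientAutoMode` and the module path `acme.js` are assumptions, while the hourly interval follows the timing discussed at the top of the issue.

```nginx
# Added example (not from the njs-acme project): run the certificate check on a
# timer inside nginx instead of exposing an HTTP endpoint for it.
# Handler name and module path are assumed.
js_import acme from acme.js;

server {
    listen 443 ssl;
    server_name example.com;

    # A named location is never reachable from a client request, so there is
    # no URL to lock down with allow/deny and nothing for the internet to poke.
    location @acme_periodic {
        # js_periodic (njs 0.8.1+) calls the function on an interval from the
        # worker itself; the first run happens shortly after startup, which is
        # what the cron/healthcheck hacks in this issue were emulating.
        # jitter spreads the runs so several instances do not hit the ACME
        # provider at exactly the same second.
        js_periodic acme.clientAutoMode interval=1h jitter=5m;
    }

    # ... normal site locations ...
}
```

Unlike the `js_content` handler, the function invoked by `js_periodic` receives a periodic-session object rather than an HTTP request, so a handler written for /acme/auto has to be adapted to that signature; the interval value is a standard nginx time (`1h`, `30m`, `90s`), and the `jitter` argument is optional.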