1st commit - refined 2019 cfg + AI made README (I despise writing docs so it was either letting AI write README or having none, sorry)

2026-05-19 00:00:03 +02:00
parent 910f9675b1
commit d1ab7d369c
22 changed files with 1439 additions and 0 deletions
--- a/nginx/snippets/letsencrypt-acme-challenge.conf
+++ b/nginx/snippets/letsencrypt-acme-challenge.conf
@@ -0,0 +1,51 @@
+ # This is an NGINX configuration file written and used by me in order to serve Let's Encrypt ACME challenges.
+ #
+ # (c) Corrado Mulas <tlc@mulas.me>
+ #
+ # For the full copyright and license information, please view the LICENSE
+ # file that was distributed with this source code.
+
+#############################################################################
+# Configuration file for Let's Encrypt ACME Challenge location
+# This file is already included in listen_xxx.conf files.
+# Do NOT include it separately!
+#############################################################################
+#
+# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
+# on all our sites (HTTP), including all subdomains.
+# This is required by ACME Challenge (webroot authentication).
+# You can check that this location is working by placing ping.txt here:
+# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
+# And pointing your browser to:
+# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
+#
+# Sources:
+# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
+#
+#############################################################################
+
+# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
+# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
+# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
+location ^~ /.well-known/acme-challenge/ {
+
+    # Set correct content type. According to this:
+    # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
+    # Current specification requires "text/plain" or no content header at all.
+    # It seems that "text/plain" is a safe option.
+    default_type "text/plain";
+
+    # This directory must be the same as in /etc/letsencrypt/cli.ini
+    # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
+    # there to "webroot".
+    # Do NOT use alias, use root! Target directory is located here:
+    # /var/www/common/letsencrypt/.well-known/acme-challenge/
+    root         /var/www/letsencrypt;
+}
+
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+    return 404;
+}
--- a/nginx/snippets/snakeoil.conf
+++ b/nginx/snippets/snakeoil.conf
@@ -0,0 +1,9 @@
+ # This is an NGINX configuration file written and used by me in order to load the self-signed snakeoil certificate.
+ #
+ # (c) Corrado Mulas <tlc@mulas.me>
+ #
+ # For the full copyright and license information, please view the LICENSE
+ # file that was distributed with this source code.
+
+ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;