WIP: Wildcard for home machine #57

Draft
meaz wants to merge 5 commits from wildcard into main
Owner

I've started to work on deploying wildcard certificates for home machine coz I find it annoying to accept each certificate for each subdomain when I empty Firefox cache.

I don't know if that's the right path...
To have that work, you have to set, in nginx_vhosts:

    ssl_name: 'yourmachine.lan'
    wildcard: 'true'

BUT it doesn't really work at the moment. It does deploy a certificate for *.yourmachine.lan.
But in nginx, for some reason, the whole:

    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/yourmachine.lan/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourmachine.lan/privkey.pem;
    server_tokens off;

is absent, which I don't understand as ssl_name is set...

But even if I manually add those, something is still messed up. For example I tested with search and lufi. If I accept the certificate in firefox for lufi, I'm still being asked to accept the certificate for search. And if I accept both, lufi.yourmachine.lan redirects to search.yourmachine.lan!

muppeth was assigned by meaz 2023-11-26 12:19:28 +01:00
meaz added 2 commits 2023-11-26 12:19:29 +01:00
muppeth reviewed 2023-11-30 00:00:49 +01:00
@ -14,1 +14,4 @@
server_name {{ onion_address.content | b64decode | trim }};
{% elif item.wildcard is defined and item.wildcard == 'true' %}
server {
server_name *.{{ item.ssl_name }};
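Review bot: the new `elif` branch makes `server_name *.{{ item.ssl_name }};` the only name of the block, so every vhost that sets `wildcard: 'true'` with the same `ssl_name` ends up with an identical `server_name` on the same listen socket, and nginx will route all of those hosts to whichever block is declared first (with a "conflicting server name" warning). Keep `server_name` as the vhost's own hostname and use `item.ssl_name` only to build the `ssl_certificate` / `ssl_certificate_key` paths. Minor: `item.wildcard == 'true'` compares against the string `'true'`; that matches the quoted value documented in the description, but a YAML boolean `wildcard: true` would be silently ignored, so either document the quoting or also accept the boolean.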
Owner

You can't use ssl_name for server_name. This should stay the same. Otherwise you get into a situation where all your vhosts are serving *.example.lan, which is not going to work as you would need to run each vhost on a separate port.

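The redirect described in the PR description (lufi.yourmachine.lan landing on search) and muppeth's point that every vhost would serve *.example.lan are the same effect. The script below is an added example, not code from the Disroot-Ansible/nginx role: it models how nginx chooses a server block for a request (exact name, then longest leading wildcard, then longest trailing wildcard, then the first block declared for the socket; regex names and the `default_server` flag are left out) and compares two constructed sets of server blocks, one where both vhosts carry `server_name *.yourmachine.lan` as the draft template rendered, and one where each keeps its own hostname and only the certificate path is shared. It also checks, in the RFC 6125 sense, which hostnames a `*.yourmachine.lan` certificate actually covers, since that rule (one label only) differs from nginx's own leading-wildcard rule. The service labels "search" and "lufi" and the certificate path are taken from the discussion; everything else is constructed.

```python
"""Model of nginx server block selection (added example, not the role's code)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class Server:
    names: List[str]   # the block's server_name values
    cert: str          # ssl_certificate path the role would render
    label: str         # which service the block belongs to (constructed)


def _leading_wildcard_matches(pattern: str, host: str) -> bool:
    # nginx's "*.example.lan" matches "a.example.lan" and "a.b.example.lan",
    # but not "example.lan" itself
    suffix = pattern[1:]
    return host.endswith(suffix) and len(host) > len(suffix)


def _trailing_wildcard_matches(pattern: str, host: str) -> bool:
    prefix = pattern[:-1]
    return host.startswith(prefix) and len(host) > len(prefix)


def select_server(servers: Sequence[Server], host: str) -> Optional[Server]:
    """Return the block nginx would pick for `host` on one listen socket."""
    host = host.lower().rstrip(".")
    # 1. exact server_name
    for s in servers:
        if any(n.lower() == host for n in s.names):
            return s
    # 2. longest server_name starting with "*."
    best: Optional[Server] = None
    best_len = -1
    for s in servers:
        for n in s.names:
            if n.startswith("*.") and _leading_wildcard_matches(n.lower(), host) and len(n) > best_len:
                best, best_len = s, len(n)
    if best is not None:
        return best
    # 3. longest server_name ending with ".*"
    for s in servers:
        for n in s.names:
            if n.endswith(".*") and _trailing_wildcard_matches(n.lower(), host) and len(n) > best_len:
                best, best_len = s, len(n)
    if best is not None:
        return best
    # 4. default server: the first block declared for the socket
    return servers[0] if servers else None


def route(servers: Sequence[Server], host: str) -> Optional[str]:
    """Label of the service that would answer `host`, or None with no blocks."""
    chosen = select_server(servers, host)
    return chosen.label if chosen else None


def cert_covers(san_names: Sequence[str], host: str) -> bool:
    """RFC 6125 style: a '*' in the leftmost label matches exactly one label."""
    host = host.lower()
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            h_labels, n_labels = host.split("."), name.split(".")
            if len(h_labels) == len(n_labels) and h_labels[1:] == n_labels[1:]:
                return True
    return False


CERT = "/etc/letsencrypt/live/yourmachine.lan/fullchain.pem"

# Constructed: what the draft template rendered, ssl_name reused as server_name
BROKEN = [
    Server(["*.yourmachine.lan"], CERT, "search"),
    Server(["*.yourmachine.lan"], CERT, "lufi"),
]

# Constructed: each vhost keeps its own name; only the certificate is shared
FIXED = [
    Server(["search.yourmachine.lan"], CERT, "search"),
    Server(["lufi.yourmachine.lan"], CERT, "lufi"),
]

if __name__ == "__main__":
    for host in ("search.yourmachine.lan", "lufi.yourmachine.lan"):
        print(f"{host}: broken -> {route(BROKEN, host)}, fixed -> {route(FIXED, host)}")
    for host in ("lufi.yourmachine.lan", "yourmachine.lan", "a.b.yourmachine.lan"):
        print(f"*.yourmachine.lan covers {host}: {cert_covers(['*.yourmachine.lan'], host)}")
```

With the `BROKEN` set both hostnames resolve to the "search" block, which is exactly the lufi-to-search redirect reported above; with `FIXED` each host reaches its own block while both still present the same wildcard certificate. The model only explains the routing symptom: the remaining per-subdomain prompt is a browser matter, since Firefox stores a certificate exception per host and port rather than per certificate, so one wildcard certificate still yields one exception per hostname.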
Author
Owner

I fixed that. I still have the problem that the certificates for, for example, upload and search are the same, but I still have to accept the certificate for each, whereas I wanted to accept only once for all services.

meaz added 1 commit 2023-12-03 12:17:08 +01:00
muppeth added 1 commit 2023-12-29 15:11:19 +01:00
muppeth added 1 commit 2023-12-29 18:27:45 +01:00
This pull request is marked as a work in progress.
This branch is out-of-date with the base branch
Reference: Disroot-Ansible/nginx#57