diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml
index 6f50a5b55..bb1a9cb8e 100644
--- a/templates/web.letsencrypt.ssl.template.yml
+++ b/templates/web.letsencrypt.ssl.template.yml
@@ -26,7 +26,6 @@ run:
 events {
 worker_connections 768;
- # multi_accept on;
 }
 http {
@@ -71,8 +70,15 @@ run:
 LETSENCRYPT_DIR="/shared/letsencrypt"
 /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
+ extra_domains() {
+ if [ -n "$DISCOURSE_HOSTNAME_ALIASES" ]; then
+ domains=$(echo $DISCOURSE_HOSTNAME_ALIASES | sed "s/,/ -d /g")
+ echo "-d $domains"
+ fi
+ }
+
 issue_cert() {
- LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} --keylength $1 -w /var/www/discourse/public
+ LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} $(extra_domains) --keylength $1 -w /var/www/discourse/public
 }
 cert_exists() {
diff --git a/templates/web.ssl.template.yml b/templates/web.ssl.template.yml
index c2be2622f..02c643027 100644
--- a/templates/web.ssl.template.yml
+++ b/templates/web.ssl.template.yml
@@ -27,6 +27,13 @@ run:
 cat << EOF > /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
 server {
 listen 80;
+ listen [::]:80;
+
+ location ~ /.well-known {
+ root /var/www/discourse/public;
+ allow all;
+ }
+
 return 301 https://${DISCOURSE_HOSTNAME}$request_uri;
 }
 EOF
@@ -35,6 +42,7 @@ run:
 cat << EOF > /etc/nginx/conf.d/outlets/server/20-https.conf
 listen 443 ssl;
+ listen [::]:443 ssl;
 http2 on;
 ssl_protocols TLSv1.2 TLSv1.3;
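Review bot: extra_domains builds its `-d a -d b` string with a plain comma-to-` -d ` substitution and has no guard against empty entries, so an alias list with a leading, trailing or doubled comma (for example `a.example,`) emits a bare `-d` whose value becomes the next argument of issue_cert, `--keylength`, and acme.sh is handed a bogus domain instead of the key length. The unquoted `$(extra_domains)` in issue_cert is what makes the pairs split into separate arguments, so the output format must stay, but the helper can emit one `-d NAME` per non-empty token instead; `domains` should also be `local` rather than a global left behind in the run: script, which continues outside the hunk. Note that every alias still has to resolve to this host for the http-01 challenge, since one failed SAN fails the whole issuance.
```shell
extra_domains() {
  local alias
  # one "-d NAME" per non-empty comma-separated entry; blanks and stray commas are skipped
  for alias in $(printf '%s' "$DISCOURSE_HOSTNAME_ALIASES" | tr ',' ' '); do
    [ -n "$alias" ] && printf -- '-d %s ' "$alias"
  done
}
# … unchanged: issue_cert, cert_exists …
```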
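Review bot: `location ~ /.well-known` in the port-80 server is an unanchored regex with an unescaped `.`, so it matches any URI containing that substring (`/foo/.well-known/x`, `/Xwell-known`) and exempts all of it from the HTTPS redirect while serving it from `/var/www/discourse/public` over plaintext HTTP. The challenge only needs the acme path, so a prefix match that also outranks regex locations is tighter: `location ^~ /.well-known/acme-challenge/ {`. The unconditional `listen [::]:80;` here (and `listen [::]:443 ssl;` in the next hunk) stands in for the `/proc/net/if_inet6` test the last hunk removes; on a host with IPv6 disabled nginx will presumably fail to bind `[::]:80` and not start, which the old guard avoided. `allow all` is a no-op unless an outer `deny` exists, and none is visible here.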
@@ -58,8 +66,3 @@ run:
 cat << EOF > /etc/nginx/conf.d/outlets/discourse/20-https.conf
 add_header Strict-Transport-Security 'max-age=31536000';
 EOF
-
- if [ -f "/proc/net/if_inet6" ] ; then
- sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
- sed -i 's/listen 443 ssl;/listen 443 ssl;\nlisten [::]:443 ssl;/g' /etc/nginx/conf.d/outlets/server/20-https.conf
- fi