From 06a522cee6941068d1d752842d199727d6325333 Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Sat, 2 Aug 2025 10:56:47 -0700 Subject: [PATCH 1/5] FEATURE: add DISCOURSE_HOSTNAME_ALIASES add comma-separated DISCOURSE_HOSTNAME_ALIASES to handle multiple aliases for letsencrypt domain generation over env vars FIX: add letsencrypt renew location for .well-known and allow for multi-domain renewal Add /.well-known location in /var/www/discourse/public. Allow .well-known on http to continue to serve traffic without redirects Allows for letsencrypt cert renewals to work properly. With DISCOURSE_HOSTNAME of example.com... multiple domains are not able to renew if they cannot access such as http://alternate.example.com ...which redirects under the current https config. FIX: better listening for ipv6 for ipv4 only Current letsencrypt assumes ipv6 in config. Check for ipv6 before listening --- templates/web.letsencrypt.ssl.template.yml | 30 ++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml index 6f50a5b55..874926f0f 100644 --- a/templates/web.letsencrypt.ssl.template.yml +++ b/templates/web.letsencrypt.ssl.template.yml @@ -19,6 +19,20 @@ run: LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --set-default-ca --server letsencrypt + cat << EOF > /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf + server { + listen 80; + + location ~ /.well-known { + root /var/www/discourse/public; + allow all; + } + location / { + return 301 https://${DISCOURSE_HOSTNAME}$request_uri; + } + } + EOF + cat << EOF > /etc/nginx/letsencrypt.conf user www-data; worker_processes auto; @@ -41,7 +55,6 @@ run: server { listen 80; - listen [::]:80; location ~ /.well-known { root /var/www/discourse/public; 
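Review bot: In the new `20-redirect-http-to-https.conf` server block, `location ~ /.well-known` is an unanchored regex, so any URI that contains `/.well-known` anywhere in its path is served from `/var/www/discourse/public` over plain HTTP instead of being redirected, which is broader than ACME validation needs; the same pattern is carried into `web.ssl.template.yml` in patch 5. Prefer a prefix match limited to the challenge directory, `location ^~ /.well-known/acme-challenge/ {`, so only challenge tokens bypass the HTTPS redirect. Note also that the heredoc delimiter `EOF` is unquoted, so `$request_uri` is expanded by the shell before nginx ever sees it unless something upstream escapes it; the existing `web.ssl.template.yml` uses the identical form, so presumably the template pipeline handles this, but it is worth confirming that the generated conf really contains `$request_uri`.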
@@ -51,6 +64,12 @@ run: } EOF + if [ -f "/proc/net/if_inet6" ] ; then + sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf + sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/letsencrypt.conf + fi + + sed -Ei "s/^#?ACCOUNT_EMAIL=.+/ACCOUNT_EMAIL=${LETSENCRYPT_ACCOUNT_EMAIL}/" \ /shared/letsencrypt/account.conf @@ -71,8 +90,15 @@ run: LETSENCRYPT_DIR="/shared/letsencrypt" /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf + extra_domains() { + if [ -n "$DISCOURSE_HOSTNAME_ALIASES" ]; then + domains=$(echo $DISCOURSE_HOSTNAME_ALIASES | sed "s/,/ -d /g") + echo "-d $domains" + fi + } + issue_cert() { - LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} --keylength $1 -w /var/www/discourse/public + LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} $(extra_domains) --keylength $1 -w /var/www/discourse/public } cert_exists() { From b519bf13db04b4afd0696e64dd8b0157750aa8bd Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Sat, 2 Aug 2025 21:12:30 -0700 Subject: [PATCH 2/5] remove unnecessary line --- templates/web.letsencrypt.ssl.template.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml index 874926f0f..afb1c5606 100644 --- a/templates/web.letsencrypt.ssl.template.yml +++ b/templates/web.letsencrypt.ssl.template.yml @@ -69,7 +69,6 @@ run: sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/letsencrypt.conf fi - sed -Ei "s/^#?ACCOUNT_EMAIL=.+/ACCOUNT_EMAIL=${LETSENCRYPT_ACCOUNT_EMAIL}/" \ /shared/letsencrypt/account.conf From b865ad07a6e9373ffe13c02f23fd1e3ee4cda25a Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Sat, 2 Aug 2025 21:13:18 -0700 Subject: [PATCH 3/5] format function --- templates/web.letsencrypt.ssl.template.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
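Review bot: `extra_domains()` expands `$DISCOURSE_HOSTNAME_ALIASES` unquoted and splices its output into the `acme.sh --issue` line through an unquoted `$(extra_domains)`, so whitespace or glob characters in the value are word-split and pathname-expanded into extra arguments, and a trailing or doubled comma (`a.example.com,`) yields a dangling `-d` that acme.sh will consume as the next option; nothing checks that each entry is actually a hostname. The value comes from the operator's env file rather than from remote input, but failing loudly on a malformed alias is safer than handing an unexpected token to the issuer. A rewrite along the lines below normalises each entry and rejects anything outside plain hostname characters. Separately, `issue_cert()` is presumably only run when `cert_exists()` (body not in this hunk) says no certificate is present, so adding an alias to an existing deployment may not trigger re-issuance with the new SAN list — worth documenting or handling.
```shell
extra_domains() {
  # Emit one "-d host" per comma-separated alias; refuse anything that is not a plain hostname.
  ( set -f; IFS=','
    for alias in $DISCOURSE_HOSTNAME_ALIASES; do
      alias=$(printf '%s' "$alias" | tr -d '[:space:]')
      [ -n "$alias" ] || continue
      case "$alias" in
        *[!A-Za-z0-9.-]*) echo "DISCOURSE_HOSTNAME_ALIASES: rejecting '$alias'" >&2; exit 1 ;;
      esac
      printf -- '-d %s ' "$alias"
    done )
}
# … unchanged: issue_cert() and cert_exists() …
```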
diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml index afb1c5606..6bf9772c0 100644 --- a/templates/web.letsencrypt.ssl.template.yml +++ b/templates/web.letsencrypt.ssl.template.yml @@ -90,10 +90,10 @@ run: /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf extra_domains() { - if [ -n "$DISCOURSE_HOSTNAME_ALIASES" ]; then - domains=$(echo $DISCOURSE_HOSTNAME_ALIASES | sed "s/,/ -d /g") - echo "-d $domains" - fi + if [ -n "$DISCOURSE_HOSTNAME_ALIASES" ]; then + domains=$(echo $DISCOURSE_HOSTNAME_ALIASES | sed "s/,/ -d /g") + echo "-d $domains" + fi } issue_cert() { From 0832bf80848ab5a040b05e9fab6cb9254dd47057 Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Mon, 18 Aug 2025 18:50:13 -0700 Subject: [PATCH 4/5] remove commented multi_accept line --- templates/web.letsencrypt.ssl.template.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml index 6bf9772c0..532d39aea 100644 --- a/templates/web.letsencrypt.ssl.template.yml +++ b/templates/web.letsencrypt.ssl.template.yml @@ -40,7 +40,6 @@ run: events { worker_connections 768; - # multi_accept on; } http { From 4d2a5246019a920c0cfb96873ae15108e7f5352a Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Mon, 18 Aug 2025 19:05:18 -0700 Subject: [PATCH 5/5] Implement feedback * Bundle well-known location http passthrough into base ssl template. * Always configure to listen on ipv4 and v6 --- templates/web.letsencrypt.ssl.template.yml | 20 +------------------- templates/web.ssl.template.yml | 13 ++++++++----- 2 files changed, 9 insertions(+), 24 deletions(-) diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml index 532d39aea..bb1a9cb8e 100644 --- a/templates/web.letsencrypt.ssl.template.yml +++ b/templates/web.letsencrypt.ssl.template.yml 
@@ -19,20 +19,6 @@ run: LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --set-default-ca --server letsencrypt - cat << EOF > /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf - server { - listen 80; - - location ~ /.well-known { - root /var/www/discourse/public; - allow all; - } - location / { - return 301 https://${DISCOURSE_HOSTNAME}$request_uri; - } - } - EOF - cat << EOF > /etc/nginx/letsencrypt.conf user www-data; worker_processes auto; @@ -54,6 +40,7 @@ run: server { listen 80; + listen [::]:80; location ~ /.well-known { root /var/www/discourse/public; @@ -63,11 +50,6 @@ run: } EOF - if [ -f "/proc/net/if_inet6" ] ; then - sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf - sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/letsencrypt.conf - fi - sed -Ei "s/^#?ACCOUNT_EMAIL=.+/ACCOUNT_EMAIL=${LETSENCRYPT_ACCOUNT_EMAIL}/" \ /shared/letsencrypt/account.conf diff --git a/templates/web.ssl.template.yml b/templates/web.ssl.template.yml index c2be2622f..02c643027 100644 --- a/templates/web.ssl.template.yml +++ b/templates/web.ssl.template.yml @@ -27,6 +27,13 @@ run: cat << EOF > /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf server { listen 80; + listen [::]:80; + + location ~ /.well-known { + root /var/www/discourse/public; + allow all; + } + return 301 https://${DISCOURSE_HOSTNAME}$request_uri; } EOF @@ -35,6 +42,7 @@ run: cat << EOF > /etc/nginx/conf.d/outlets/server/20-https.conf listen 443 ssl; + listen [::]:443 ssl; http2 on; ssl_protocols TLSv1.2 TLSv1.3; 
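Review bot: In the `web.ssl.template.yml` hunk the `return 301 https://${DISCOURSE_HOSTNAME}$request_uri;` stays at server level, and nginx executes server-level rewrite-module directives (including `return`) before any `location` is matched, so the newly added `location ~ /.well-known` block is never reached and ACME HTTP-01 requests on port 80 are still redirected to HTTPS — the passthrough this series exists to add does not take effect. Move the redirect into its own location, `location / {` / `return 301 https://${DISCOURSE_HOSTNAME}$request_uri;` / `}`, as patch 1 did in the letsencrypt template, and narrow the passthrough to `location ^~ /.well-known/acme-challenge/` so only challenge tokens bypass the redirect. Separately, `listen [::]:80;` here and in the letsencrypt.conf hunk (and `listen [::]:443 ssl;` in the following hunk) are now unconditional; on a host or container with IPv6 disabled nginx fails to bind the `[::]` socket and does not start, which the removed `/proc/net/if_inet6` check guarded against, so it is worth confirming that every supported platform has IPv6 enabled before dropping that guard.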
@@ -58,8 +66,3 @@ run: cat << EOF > /etc/nginx/conf.d/outlets/discourse/20-https.conf add_header Strict-Transport-Security 'max-age=31536000'; EOF - - if [ -f "/proc/net/if_inet6" ] ; then - sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf - sed -i 's/listen 443 ssl;/listen 443 ssl;\nlisten [::]:443 ssl;/g' /etc/nginx/conf.d/outlets/server/20-https.conf - fi