BergenBergen BergenBergen
2021-04-02 06:16:02 UTC
Hi!
I have some webapps that need Let's Encrypt certificates. I currently
use relayd to forward matching hostnames to my Ruby on Rails ports
(https://puma.io/), and was wondering what would be the ideal way of
adding ACME Challenge support to this setup?
So far I've added an ACME challenge table, a port and a forward rule.
I've also enabled httpd, and attempted to set up a catch-all directive
listening on port 5000. Unfortunately, though, it doesn't work, so any
feedback or criticism would be greatly appreciated!
Thanks!
Regards,
Murk
--
% acme-client -v mysite.com
acme-client: Fetching http://mysite.com/.well-known/acme-challenge
/TgxaQYLZ0iwwH4VR-Ss5Zf6sBGxlKvn8ra8V-o4SpLs: Connection refused
--
# relayd.conf
# relayd front end: terminates TLS for two Rails (puma) apps and steers
# ACME HTTP-01 challenges to a local httpd instance. Rule order is
# significant in relayd, so the directives below are kept as written.
localhost="lo0"
ext_if="vio0"
# Backend tables. Every backend lives on this host (lo0); only the port
# differs, and the port is given on the "forward to" lines in the relays.
table <acme_challenge> { $localhost }
acme_challenge_port="5000"
table <mysite> { $localhost }
mysite_port="8080"
table <mysite2> { $localhost }
mysite2_port="8081"
http protocol "http" {
# ACME validation arrives over plain HTTP regardless of Host; "quick" stops
# rule evaluation here so the Host rules below cannot override this forward.
pass request quick path "/.well-known/acme-challenge/*" forward to
<acme_challenge>
pass request header "Host" value "mysite.com" forward to <mysite>
pass request header "Host" value "www.mysite.com" forward to <mysite>
pass request header "Host" value "mysite2.com" forward to <mysite2>
pass request header "Host" value "www.mysite2.com" forward to <mysite2>
# NOTE(review): no rule covers a Host that matches none of the above;
# presumably such a request falls through to the relay's first "forward to"
# table (<acme_challenge>) — confirm against relayd.conf(5) and add an
# explicit "block" rule if that is not the intended behaviour.
}
http protocol "https" {
pass request header "Host" value "mysite.com" forward to <mysite>
pass request header "Host" value "www.mysite.com" forward to <mysite>
# One keypair per site name; with several keypairs relayd picks the
# certificate by SNI (names must match the acme-client.conf output paths).
tls keypair "mysite"
pass request header "Host" value "mysite2.com" forward to <mysite2>
pass request header "Host" value "www.mysite2.com" forward to <mysite2>
tls keypair "mysite2"
# Preserve address headers
# "set" overwrites whatever the client sent, so the backend may trust these
# headers only while it is reachable exclusively through this relay.
match header set "X-Client-IP" value "$REMOTE_ADDR:$REMOTE_PORT"
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
# Best practice security headers
# https://securityheaders.com/
# NOTE(review): X-XSS-Protection is ignored by current browsers and
# Feature-Policy has been superseded by Permissions-Policy. No
# Strict-Transport-Security is set here; the Rails force-HTTPS setting
# referenced below normally emits it — confirm. These response headers are
# only applied on the "https" protocol, not on "http".
match response header remove "Server"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-XSS-Protection" value "1; mode=block"
match response header set "Referrer-Policy" value "strict-origin"
match response header set "Feature-Policy" value "accelerometer
'none'; ambient-light-sensor 'none'; battery 'none'; camera 'none';
geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone
'none'; midi 'none'; payment 'none'; usb 'none';"
# Log extras
# Logged header values are client-controlled; treat them as untrusted
# input when the logs are parsed.
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
}
relay "http" {
# Public plain-HTTP listener. The "http" protocol above sends non-ACME
# traffic to the apps in the clear, relying on the app to redirect.
# NOTE(review): the "Connection refused" shown in the acme-client output
# means the TCP connect to port 80 was rejected before any relayd rule ran;
# worth confirming relayd is running with this config loaded and that pf
# passes port 80 on the public address — cannot tell from here.
listen on $ext_if port http
protocol "http"
forward to <acme_challenge> port $acme_challenge_port
forward to <mysite> port $mysite_port
forward to <mysite2> port $mysite2_port
}
relay "https" {
# Public TLS listener; certificates come from the "tls keypair" lines in
# the "https" protocol. relayd must be reloaded after a certificate renewal
# for the new files to be picked up.
listen on $ext_if port https tls
protocol "https"
# Assumes that Rails has force HTTPS enabled
# https://api.rubyonrails.org/classes/ActionDispatch/SSL.html
forward to <mysite> port $mysite_port
forward to <mysite2> port $mysite2_port
}
--
# httpd.conf
# Minimal httpd whose only job is to answer ACME HTTP-01 challenges that
# relayd forwards from port 80 to port 5000 on lo0.
types {
include "/usr/share/misc/mime.types"
}
localhost="lo0"
acme_challenge_port="5000"
# "*" matches any Host header, so this server answers for every domain.
server "*" {
# Bound to lo0 only: reachable from this host (i.e. relayd), not directly
# from the network.
listen on $localhost port $acme_challenge_port
# NOTE(review): httpd runs chrooted (by default to /var/www), so "/" here is
# the whole chroot; any non-challenge path that reaches this server is
# served out of that tree, including its sibling directories. Only relayd's
# "quick" path rule keeps such requests away. Consider dropping this line
# (httpd's default root is /htdocs) or pointing it at an empty directory.
root "/"
location "/.well-known/acme-challenge/*" {
# Challenge files are looked up under /acme inside the chroot, which is
# acme-client's default challengedir (acme-client.conf below does not
# override it). "request strip 2" removes the two leading path components
# (.well-known/acme-challenge) so the token is resolved directly in /acme.
root "/acme"
request strip 2
}
}
--
# acme-client.conf
# Let's Encrypt account plus one domain block per certificate. The domain
# names here must match the Host rules in relayd.conf, and the output file
# names must match the "tls keypair" names relayd loads.
authority letsencrypt {
# ACME v2 directory endpoint.
api url "https://acme-v02.api.letsencrypt.org/directory"
# Account private key; keep it readable by root only.
account key "/etc/ssl/private/letsencrypt.key"
}
domain mysite.com {
alternative names { www.mysite.com }
# Key and full-chain certificate paths; presumably chosen to line up with
# relayd's "tls keypair "mysite"" (/etc/ssl/private/mysite.key and
# /etc/ssl/mysite.crt) — confirm against relayd.conf(5).
domain key "/etc/ssl/private/mysite.key"
domain full chain certificate "/etc/ssl/mysite.crt"
sign with letsencrypt
}
domain mysite2.com {
alternative names { www.mysite2.com }
# Same layout as above for the second site ("tls keypair "mysite2"").
domain key "/etc/ssl/private/mysite2.key"
domain full chain certificate "/etc/ssl/mysite2.crt"
sign with letsencrypt
}
I have some webapps that need Let's Encrypt certificates. I currently
use relayd to forward matching hostnames to my Ruby on Rails ports
(https://puma.io/), and was wondering what would be the ideal way of
adding ACME Challenge support to this setup?
So far I've added an ACME challenge table, a port and a forward rule.
I've also enabled httpd, and attempted to set up a catch-all directive
listening on port 5000. Unfortunately, though, it doesn't work, so any
feedback or criticism would be greatly appreciated!
Thanks!
Regards,
Murk
--
% acme-client -v mysite.com
acme-client: Fetching http://mysite.com/.well-known/acme-challenge
/TgxaQYLZ0iwwH4VR-Ss5Zf6sBGxlKvn8ra8V-o4SpLs: Connection refused
--
# relayd.conf
# relayd front end: terminates TLS for two Rails (puma) apps and steers
# ACME HTTP-01 challenges to a local httpd instance. Rule order is
# significant in relayd, so the directives below are kept as written.
localhost="lo0"
ext_if="vio0"
# Backend tables. Every backend lives on this host (lo0); only the port
# differs, and the port is given on the "forward to" lines in the relays.
table <acme_challenge> { $localhost }
acme_challenge_port="5000"
table <mysite> { $localhost }
mysite_port="8080"
table <mysite2> { $localhost }
mysite2_port="8081"
http protocol "http" {
# ACME validation arrives over plain HTTP regardless of Host; "quick" stops
# rule evaluation here so the Host rules below cannot override this forward.
pass request quick path "/.well-known/acme-challenge/*" forward to
<acme_challenge>
pass request header "Host" value "mysite.com" forward to <mysite>
pass request header "Host" value "www.mysite.com" forward to <mysite>
pass request header "Host" value "mysite2.com" forward to <mysite2>
pass request header "Host" value "www.mysite2.com" forward to <mysite2>
# NOTE(review): no rule covers a Host that matches none of the above;
# presumably such a request falls through to the relay's first "forward to"
# table (<acme_challenge>) — confirm against relayd.conf(5) and add an
# explicit "block" rule if that is not the intended behaviour.
}
http protocol "https" {
pass request header "Host" value "mysite.com" forward to <mysite>
pass request header "Host" value "www.mysite.com" forward to <mysite>
# One keypair per site name; with several keypairs relayd picks the
# certificate by SNI (names must match the acme-client.conf output paths).
tls keypair "mysite"
pass request header "Host" value "mysite2.com" forward to <mysite2>
pass request header "Host" value "www.mysite2.com" forward to <mysite2>
tls keypair "mysite2"
# Preserve address headers
# "set" overwrites whatever the client sent, so the backend may trust these
# headers only while it is reachable exclusively through this relay.
match header set "X-Client-IP" value "$REMOTE_ADDR:$REMOTE_PORT"
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
# Best practice security headers
# https://securityheaders.com/
# NOTE(review): X-XSS-Protection is ignored by current browsers and
# Feature-Policy has been superseded by Permissions-Policy. No
# Strict-Transport-Security is set here; the Rails force-HTTPS setting
# referenced below normally emits it — confirm. These response headers are
# only applied on the "https" protocol, not on "http".
match response header remove "Server"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-XSS-Protection" value "1; mode=block"
match response header set "Referrer-Policy" value "strict-origin"
match response header set "Feature-Policy" value "accelerometer
'none'; ambient-light-sensor 'none'; battery 'none'; camera 'none';
geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone
'none'; midi 'none'; payment 'none'; usb 'none';"
# Log extras
# Logged header values are client-controlled; treat them as untrusted
# input when the logs are parsed.
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
}
relay "http" {
# Public plain-HTTP listener. The "http" protocol above sends non-ACME
# traffic to the apps in the clear, relying on the app to redirect.
# NOTE(review): the "Connection refused" shown in the acme-client output
# means the TCP connect to port 80 was rejected before any relayd rule ran;
# worth confirming relayd is running with this config loaded and that pf
# passes port 80 on the public address — cannot tell from here.
listen on $ext_if port http
protocol "http"
forward to <acme_challenge> port $acme_challenge_port
forward to <mysite> port $mysite_port
forward to <mysite2> port $mysite2_port
}
relay "https" {
# Public TLS listener; certificates come from the "tls keypair" lines in
# the "https" protocol. relayd must be reloaded after a certificate renewal
# for the new files to be picked up.
listen on $ext_if port https tls
protocol "https"
# Assumes that Rails has force HTTPS enabled
# https://api.rubyonrails.org/classes/ActionDispatch/SSL.html
forward to <mysite> port $mysite_port
forward to <mysite2> port $mysite2_port
}
--
# httpd.conf
# Minimal httpd whose only job is to answer ACME HTTP-01 challenges that
# relayd forwards from port 80 to port 5000 on lo0.
types {
include "/usr/share/misc/mime.types"
}
localhost="lo0"
acme_challenge_port="5000"
# "*" matches any Host header, so this server answers for every domain.
server "*" {
# Bound to lo0 only: reachable from this host (i.e. relayd), not directly
# from the network.
listen on $localhost port $acme_challenge_port
# NOTE(review): httpd runs chrooted (by default to /var/www), so "/" here is
# the whole chroot; any non-challenge path that reaches this server is
# served out of that tree, including its sibling directories. Only relayd's
# "quick" path rule keeps such requests away. Consider dropping this line
# (httpd's default root is /htdocs) or pointing it at an empty directory.
root "/"
location "/.well-known/acme-challenge/*" {
# Challenge files are looked up under /acme inside the chroot, which is
# acme-client's default challengedir (acme-client.conf below does not
# override it). "request strip 2" removes the two leading path components
# (.well-known/acme-challenge) so the token is resolved directly in /acme.
root "/acme"
request strip 2
}
}
--
# acme-client.conf
# Let's Encrypt account plus one domain block per certificate. The domain
# names here must match the Host rules in relayd.conf, and the output file
# names must match the "tls keypair" names relayd loads.
authority letsencrypt {
# ACME v2 directory endpoint.
api url "https://acme-v02.api.letsencrypt.org/directory"
# Account private key; keep it readable by root only.
account key "/etc/ssl/private/letsencrypt.key"
}
domain mysite.com {
alternative names { www.mysite.com }
# Key and full-chain certificate paths; presumably chosen to line up with
# relayd's "tls keypair "mysite"" (/etc/ssl/private/mysite.key and
# /etc/ssl/mysite.crt) — confirm against relayd.conf(5).
domain key "/etc/ssl/private/mysite.key"
domain full chain certificate "/etc/ssl/mysite.crt"
sign with letsencrypt
}
domain mysite2.com {
alternative names { www.mysite2.com }
# Same layout as above for the second site ("tls keypair "mysite2"").
domain key "/etc/ssl/private/mysite2.key"
domain full chain certificate "/etc/ssl/mysite2.crt"
sign with letsencrypt
}