From: Ludovic CHEVALIER
Date: Tue, 6 Sep 2016 08:57:56 +0000 (+0200)
Subject: AjoutĀ : etc/nginx/conf.d/letsencrypt.conf
X-Git-Url: http://git.cyclocoop.org/?p=lhc%2Fadmin.git;a=commitdiff_plain;h=ea6b93ffbab9d1bb47faa0110a118f39f4e9023e
AjoutĀ : etc/nginx/conf.d/letsencrypt.conf
---
diff --git a/srv/ateliers/etc/nginx/conf.d/letsencrypt.conf b/srv/ateliers/etc/nginx/conf.d/letsencrypt.conf
new file mode 100644
index 0000000..8145038
--- /dev/null
+++ b/srv/ateliers/etc/nginx/conf.d/letsencrypt.conf
@@ -0,0 +1,42 @@
+#############################################################################
+# Configuration file for Let's Encrypt ACME Challenge location
+#############################################################################
+#
+# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
+# on all a Web site (HTTP), including all subdomains.
+# This is required by ACME Challenge (webroot authentication).
+# You can check that this location is working by placing ping.txt here:
+# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
+# And pointing your browser to:
+# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
+#
+# Sources:
+# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
+#
+#############################################################################
+
+# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
+# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
+# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
+location ^~ /.well-known/acme-challenge/ {
+
+ # Set correct content type. According to this:
+ # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
+ # Current specification requires "text/plain" or no content header at all.
+ # It seems that "text/plain" is a safe option.
+ default_type "text/plain";
+
+ # This directory must be the same as in /etc/letsencrypt/cli.ini
+ # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
+ # there to "webroot".
+ # Do NOT use alias, use root! Target directory is located here:
+ # /var/www/common/letsencrypt/.well-known/acme-challenge/
+ root /var/www/letsencrypt;
+ }
+
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+ return 404;
+ }
diff --git a/srv/ateliers/etc/nginx/org/changedechaine/www/server.conf.m4 b/srv/ateliers/etc/nginx/org/changedechaine/www/server.conf.m4
index 4e8c357..3b0ab4d 100644
--- a/srv/ateliers/etc/nginx/org/changedechaine/www/server.conf.m4
+++ b/srv/ateliers/etc/nginx/org/changedechaine/www/server.conf.m4
@@ -3,6 +3,7 @@ define(`SITE',`DOMAIN/www')dnl
 define(`NAME',`changedechaine.org')dnl
 server {
 listen 80;
+ include /etc/nginx/conf.d/letsencrypt.conf;
 include /etc/nginx/SITE/common.conf;
 access_log /home/www/log/SITE/access.log main;
 error_log /home/www/log/SITE/error.log warn;
diff --git a/srv/ateliers/etc/nginx/org/cyclofficinedangouleme/www/server.conf.m4 b/srv/ateliers/etc/nginx/org/cyclofficinedangouleme/www/server.conf.m4
index d16f27b..576b329 100644
--- a/srv/ateliers/etc/nginx/org/cyclofficinedangouleme/www/server.conf.m4
+++ b/srv/ateliers/etc/nginx/org/cyclofficinedangouleme/www/server.conf.m4
@@ -3,6 +3,7 @@ define(`SITE',`DOMAIN/www')dnl
 define(`NAME',`cyclofficinedangouleme.org')dnl
 server {
 listen 80;
+ include /etc/nginx/conf.d/letsencrypt.conf;
 include /etc/nginx/SITE/common.conf;
 access_log /home/www/log/SITE/access.log main;
 error_log /home/www/log/SITE/error.log warn;
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/burettes/server.conf.m4 b/srv/ateliers/etc/nginx/org/heureux-cyclage/burettes/server.conf.m4
index 88a327e..803c436 100644
--- a/srv/ateliers/etc/nginx/org/heureux-cyclage/burettes/server.conf.m4
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/burettes/server.conf.m4
@@ -2,8 +2,11 @@ define(`DOMAIN',`org/heureux-cyclage')dnl
 define(`SITE',`DOMAIN/burettes')dnl
 server {
 listen 80;
+ include /etc/nginx/conf.d/letsencrypt.conf;
 include /etc/nginx/org/heureux-cyclage/burettes/name.conf;
- return 301 https://$host$request_uri;
+ location / {
+ return 301 https://$host$request_uri;
+ }
 }
 server {
 listen 443;
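Review bot: The new file consists of bare `location` blocks yet is placed in /etc/nginx/conf.d/, which the stock Debian/Ubuntu nginx.conf pulls in at http level via `include /etc/nginx/conf.d/*.conf;`; if that glob is active on this host, `location` is not permitted at that level and nginx will refuse to load the whole configuration, independently of the explicit per-server `include /etc/nginx/conf.d/letsencrypt.conf;` lines added in the server.conf.m4 hunks that follow — I cannot see nginx.conf from here, so please confirm, and if so move the snippet to a path the glob does not match (the packaged `/etc/nginx/snippets/` directory is the usual home for location-only fragments). Separately, the comment above `root /var/www/letsencrypt;` gives the target directory as `/var/www/common/letsencrypt/.well-known/acme-challenge/`, which matches neither the root directive nor `webroot-path = /var/www/letsencrypt/` in letsencrypt.cli.ini; it should read `# /var/www/letsencrypt/.well-known/acme-challenge/`. Because `^~` intentionally bypasses the dotfile-deny regex, everything placed under that directory is served unauthenticated over plain HTTP on every vhost that includes this file, so the directory should be writable only by the account that runs the ACME client and should contain nothing but challenge tokens.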
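Review bot: The reason for wrapping the existing redirect in `location / {` is not stated, and a reader who later "simplifies" it back to a server-level `return` would silently break renewal, since a server-level `return` is evaluated before any location (including the `^~ /.well-known/acme-challenge/` one pulled in by the include above it); a one-line comment such as `# Inside a location so the ACME challenge location from letsencrypt.conf still wins` would pin that down. Note also that `$host` in the redirect target echoes the client-supplied Host header; that is harmless while this block is only reached through its server_name list, but if it is also the port-80 default_server, arbitrary Host values are reflected into the 301, which is worth confirming against name.conf (not visible here). The second `server {` (`listen 443;`) begins in this hunk and continues outside it.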
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/clavette-grenoble/server.conf.m4 b/srv/ateliers/etc/nginx/org/heureux-cyclage/clavette-grenoble/server.conf.m4
index 4796fad..b16f4a3 100644
--- a/srv/ateliers/etc/nginx/org/heureux-cyclage/clavette-grenoble/server.conf.m4
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/clavette-grenoble/server.conf.m4
@@ -2,6 +2,7 @@ define(`DOMAIN',`org/heureux-cyclage')dnl
 define(`SITE',`DOMAIN/clavette-grenoble')dnl
 server {
 listen 80;
+ include /etc/nginx/conf.d/letsencrypt.conf;
 include /etc/nginx/SITE/common.conf;
 access_log /home/www/log/SITE/access.log main;
 error_log /home/www/log/SITE/error.log warn;
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/clavette-lyon/server.conf.m4 b/srv/ateliers/etc/nginx/org/heureux-cyclage/clavette-lyon/server.conf.m4
index 79791ff..3e2c4ea 100644
--- a/srv/ateliers/etc/nginx/org/heureux-cyclage/clavette-lyon/server.conf.m4
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/clavette-lyon/server.conf.m4
@@ -2,6 +2,7 @@ define(`DOMAIN',`org/heureux-cyclage')dnl
 define(`SITE',`DOMAIN/clavette-lyon')dnl
 server {
 listen 80;
+ include /etc/nginx/conf.d/letsencrypt.conf;
 include /etc/nginx/SITE/common.conf;
 access_log /home/www/log/SITE/access.log main;
 error_log /home/www/log/SITE/error.log warn;
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/letsencrypt.cli.ini b/srv/ateliers/etc/nginx/org/heureux-cyclage/letsencrypt.cli.ini
new file mode 100644
index 0000000..5274076
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/letsencrypt.cli.ini
@@ -0,0 +1,26 @@
+# This is an example of the kind of things you can do in a configuration file.
+# All flags used by the client can be configured here. Run Let's Encrypt with
+# "--help" to learn more about the available options.
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Uncomment and update to register with the specified e-mail address
+email = admin+letsencrypt@heureux-cyclage.org
+
+# Uncomment and update to generate certificates for the specified
+# domains.
+domains = heureux-cyclage.org, agendav.heureux-cyclage.org, ateliers.heureux-cyclage.org, autoconfig.heureux-cyclage.org, bicloud.heureux-cyclage.org, burette.heureux-cyclage.org, burette.atelier-etincelle.heureux-cyclage.org, burette.autourducycle.heureux-cyclage.org, burette.bretzselle.heureux-cyclage.org, burette.changedechaine.heureux-cyclage.org, burette.convibicy.heureux-cyclage.org, burette.cyclamaine.heureux-cyclage.org, burette.cyclesetmanivelles.heureux-cyclage.org, burette.cyclocoop.heureux-cyclage.org, burette.cyclofficineangouleme.heureux-cyclage.org, burette.dynamo.heureux-cyclage.org, burette.etudesetchantiersidf.heureux-cyclage.org, burette.eturecup.heureux-cyclage.org, burette.labecaneajules.heureux-cyclage.org, burette.lapetiterennes.heureux-cyclage.org, burette.laptiterustine.heureux-cyclage.org, burette.larouelibre.heureux-cyclage.org, burette.lechatperche.heureux-cyclage.org, burette.mig.heureux-cyclage.org, burette.mobilidees.heureux-cyclage.org, burette.ocivelo.heureux-cyclage.org, burette.ohcyclo.heureux-cyclage.org, burette.ptitvelo.heureux-cyclage.org, burette.recupr.heureux-cyclage.org, burette.repeyre.heureux-cyclage.org, burette.rouepet.heureux-cyclage.org, burette.tousdeuxroues.heureux-cyclage.org, burette.txirrindola.heureux-cyclage.org, burette.velorutiontoulouse.heureux-cyclage.org, burette.velosenville.heureux-cyclage.org, burettes.heureux-cyclage.org, caldavzap.heureux-cyclage.org, cartes.heureux-cyclage.org, changedechaine.heureux-cyclage.org, clavette-grenoble.heureux-cyclage.org, clavette-lyon.heureux-cyclage.org, cyclocamp.heureux-cyclage.org, cyclocoop.heureux-cyclage.org, cyclofficinedangouleme.heureux-cyclage.org, davical.heureux-cyclage.org, demo.burette.heureux-cyclage.org, fanout.heureux-cyclage.org, formations.heureux-cyclage.org, git.heureux-cyclage.org, imap.heureux-cyclage.org, lesjantesdunord.heureux-cyclage.org, mail.heureux-cyclage.org, mx.heureux-cyclage.org, notifications.heureux-cyclage.org, ns.heureux-cyclage.org, pop.heureux-cyclage.org, ptitvelo.heureux-cyclage.org, questionnaires.heureux-cyclage.org, ra.heureux-cyclage.org, remorque.heureux-cyclage.org, rencontres.heureux-cyclage.org, rouepet.heureux-cyclage.org, roundcube.heureux-cyclage.org, shell.heureux-cyclage.org, smtp.heureux-cyclage.org, stats.heureux-cyclage.org, submission.heureux-cyclage.org, sympa.heureux-cyclage.org, sympa.cyclocoop.heureux-cyclage.org, sympa.lesjantesdunord.heureux-cyclage.org, sympa.ptitvelo.heureux-cyclage.org, velocampus.heureux-cyclage.org, velosenville.heureux-cyclage.org, www.heureux-cyclage.org
+# burette.velocampus_nantes.heureux-cyclage.org
+
+# Uncomment to use a text interface instead of ncurses
+# text = True
+
+# Uncomment to use the standalone authenticator on port 443
+# authenticator = standalone
+# standalone-supported-challenges = tls-sni-01
+
+# Uncomment to use the webroot authenticator. Replace webroot-path with the
+# path to the public_html / webroot folder being served by your web server.
+authenticator = webroot
+webroot-path = /var/www/letsencrypt/
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/stats/server.conf.m4 b/srv/ateliers/etc/nginx/org/heureux-cyclage/stats/server.conf.m4
index 4e9ed67..4532045 100644
--- a/srv/ateliers/etc/nginx/org/heureux-cyclage/stats/server.conf.m4
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/stats/server.conf.m4
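Review bot: `domains` asks for one certificate covering every hostname of the zone, including names that look mail- or DNS-only (imap., pop., smtp., submission., mx., ns.); with `authenticator = webroot` each of those must resolve to this machine and be answered on port 80 by a server block that includes letsencrypt.conf, and a single name that fails its http-01 challenge aborts the whole issuance and every later renewal, so either those names need an HTTP vhost here or they should go into a separate certificate. Putting the complete host inventory into one SAN list also publishes it through the certificate and CT logs, which is a small reconnaissance exposure worth deciding on consciously rather than by default. The comments `# Uncomment and update to register with the specified e-mail address` and `# Uncomment and update to generate certificates for the specified` are stale now that `email` and `domains` are set; replacing them with `# Contact address for expiry and security notices` and `# Every name covered by the single certificate; all must be reachable on port 80 here` would describe the actual state. The parked `# burette.velocampus_nantes.heureux-cyclage.org` cannot simply be uncommented because an underscore is not valid in a certificate hostname; a short comment saying why it is kept would save the next reader a failed renewal.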
@@ -29,6 +29,7 @@ map $http_cookie $lhc_stats_no_cache { server { listen 80; + include /etc/nginx/conf.d/letsencrypt.conf; include /etc/nginx/SITE/common.conf; access_log /home/www/log/SITE/access.log main; error_log /home/www/log/SITE/error.log warn;
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/www/server.conf.m4 b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/server.conf.m4
index 258bf21..ad27b10 100644
--- a/srv/ateliers/etc/nginx/org/heureux-cyclage/www/server.conf.m4
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/server.conf.m4
@@ -2,6 +2,7 @@ define(`DOMAIN',`org/heureux-cyclage')dnl
 define(`SITE',`DOMAIN/www')dnl
 server {
 listen 80;
+ include /etc/nginx/conf.d/letsencrypt.conf;
 include /etc/nginx/SITE/common.conf;
 access_log /home/www/log/SITE/access.log main;
 error_log /home/www/log/SITE/error.log warn;
diff --git a/srv/ateliers/etc/nginx/org/lesjantesdunord/www/server.conf.m4 b/srv/ateliers/etc/nginx/org/lesjantesdunord/www/server.conf.m4
index f25ea8d..ccac2de 100644
--- a/srv/ateliers/etc/nginx/org/lesjantesdunord/www/server.conf.m4
+++ b/srv/ateliers/etc/nginx/org/lesjantesdunord/www/server.conf.m4
@@ -3,6 +3,7 @@ define(`SITE',`DOMAIN/www')dnl
 define(`NAME',`lesjantesdunord.org')dnl
 server {
 listen 80;
+ include /etc/nginx/conf.d/letsencrypt.conf;
 include /etc/nginx/SITE/common.conf;
 access_log /home/www/log/SITE/access.log main;
 error_log /home/www/log/SITE/error.log warn;