From 1007055da48c03a352465d80411670c1e6b058fc Mon Sep 17 00:00:00 2001
From: irl
Date: Sun, 27 Apr 2025 17:52:40 +0100
Subject: [PATCH] feat: automatic ssl certificate

---
 docker-compose.yml | 7 ++++---
 src/Dockerfile | 10 ++++++++++
 src/default.conf | 49 +++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 62 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index b76e2d6..3afc8a8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,7 +5,8 @@ services:
 dockerfile: Dockerfile
 env_file: "sitelen.env"
 ports:
- - "127.0.0.1:80:80"
+ - "80:80"
+ - "443:443"
 # updater:
 # build:
 # context: legacy
@@ -15,5 +16,5 @@ services:
 # - ./legacy/configs:/configs
 redis:
 image: redis:latest
- ports:
- - "127.0.0.1:6379:6379"
+# ports:
+# - "127.0.0.1:6379:6379"
diff --git a/src/Dockerfile b/src/Dockerfile
index 368ad16..5e441a4 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -4,6 +4,16 @@ RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-http
 RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-cookie
 RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-iputils
+RUN apk add openssl
+RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl
+
+RUN mkdir /etc/resty-auto-ssl && chown -R nobody /etc/resty-auto-ssl
+
+RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+ -subj '/CN=fallback.invalid' \
+ -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+ -out /etc/ssl/resty-auto-ssl-fallback.crt
+
 COPY default.conf /etc/nginx/conf.d/default.conf
 COPY env.main /etc/nginx/conf.d/env.main
 COPY lua/* /opt/sitelen-tu/
diff --git a/src/default.conf b/src/default.conf
index 7ed212e..c10dfb6 100644
--- a/src/default.conf
+++ b/src/default.conf
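Review bot: `/etc/resty-auto-ssl`, created by the `RUN mkdir` line, exists only in the image layer, and the docker-compose.yml hunks in this same patch declare no volume for it; unless a different storage adapter is configured elsewhere, that path is where lua-resty-auto-ssl's default file storage keeps the issued certificates and the ACME account registration, so every container recreation starts empty, re-registers and re-issues, which costs a first-handshake delay per domain and burns the CA's issuance rate limits. Mount a named volume over it on the service in docker-compose.yml, `volumes:` followed by `- resty-auto-ssl:/etc/resty-auto-ssl`, and confirm that storage survives a forced recreate of the container. The `chown -R nobody` presumably targets the worker user, but a mounted volume does not inherit the image-layer ownership, so re-apply or verify it once the volume is in place. Minor: `RUN apk add --no-cache openssl` keeps the apk index out of the final image.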
@@ -2,8 +2,25 @@ error_log /dev/stdout;
 lua_shared_dict jasima_cache 20m;
 lua_package_path "/opt/sitelen-tu/?.lua;;";
+
+lua_shared_dict auto_ssl 1m;
+lua_shared_dict auto_ssl_settings 64k;
+
 resolver 127.0.0.11 valid=60 ipv6=off;
+init_by_lua_block {
+ auto_ssl = (require "resty.auto-ssl").new()
+ auto_ssl:set("allow_domain", function(domain)
+ -- TODO: Set via environment variable
+ return domain ~= "127.0.0.1"
+ end)
+ auto_ssl:init()
+}
+
+init_worker_by_lua_block {
+ auto_ssl:init_worker()
+}
+
 upstream origin {
 server 127.0.0.1;
@@ -11,9 +28,15 @@ upstream origin {
 }
 server {
- listen 80;
+ listen 443 ssl;
 server_name localhost default;
+ ssl_certificate_by_lua_block {
+ auto_ssl:ssl_certificate()
+ }
+ ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
+ ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
+
 location / {
 # These variables are set in the access_by_lua stage
 # TODO: These might be better to set with a set_by_lua_block
@@ -40,3 +63,27 @@ server {
 body_filter_by_lua_file /opt/sitelen-tu/body_filter.lua;
 }
 }
+
+server {
+ listen 80;
+ location /.well-known/acme-challenge/ {
+ content_by_lua_block {
+ auto_ssl:challenge_server()
+ }
+ }
+ location / {
+ return 404;
+ }
+}
+
+server {
+ listen 127.0.0.1:8999;
+ client_body_buffer_size 128k;
+ client_max_body_size 128k;
+
+ location / {
+ content_by_lua_block {
+ auto_ssl:hook_server()
+ }
+ }
+}
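Review bot: The `allow_domain` callback in `init_by_lua_block` accepts every name except the literal `127.0.0.1`, which is not a hostname a client sends in SNI anyway, so the check excludes nothing and any TLS client can present an arbitrary server name and make this instance start an ACME order for it. Those orders fail domain validation but still consume the CA account's rate limits, write into the `auto_ssl` storage and shared dict, and add issuance latency to the handshake, which is enough to block renewal of the real site's certificate; lua-resty-auto-ssl's own documentation warns that this callback must be restrictive. Replace the inequality with an exact-match allow list that defaults to `false`; the TODO's environment variable can populate the table later, and a hard-coded table is a safe interim. The block is fully inside the hunk, and the `auto_ssl` global is the library's documented pattern, so it can stay.
```lua
init_by_lua_block {
  -- exact-match allow list: only these names ever trigger ACME issuance;
  -- any other SNI name gets the fallback certificate instead
  local allowed_domains = { ["<your-public-hostname>"] = true }  -- placeholder, load from config
  -- … unchanged: auto_ssl = (require "resty.auto-ssl").new() …
  auto_ssl:set("allow_domain", function(domain)
    return allowed_domains[domain] == true
  end)
  -- … unchanged: auto_ssl:init() …
}
```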
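Review bot: The new port-80 server answers `return 404;` for everything outside `/.well-known/acme-challenge/`, so plain-HTTP visitors to the site, which this port served before the patch, now get a bare 404 instead of being sent to the TLS listener; `return 301 https://$host$request_uri;` in that `location /` is the usual replacement and keeps the challenge location reachable, since the longer prefix match wins. The hook server on `listen 127.0.0.1:8999;` is correctly loopback-only and the compose hunks do not publish it; a comment on that `server` block, such as `# internal lua-resty-auto-ssl hook endpoint: must never be published outside the container`, would stop a later edit from exposing it. Both server blocks are fully inside the hunk.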