feat: automatic ssl certificate

This commit is contained in:
Iain Learmonth 2025-04-27 17:52:40 +01:00
parent 6179dea246
commit 1007055da4
3 changed files with 62 additions and 4 deletions


@ -5,7 +5,8 @@ services:
dockerfile: Dockerfile dockerfile: Dockerfile
env_file: "sitelen.env" env_file: "sitelen.env"
ports: ports:
- "127.0.0.1:80:80" - "80:80"
- "443:443"
# updater: # updater:
# build: # build:
# context: legacy # context: legacy
@ -15,5 +16,5 @@ services:
# - ./legacy/configs:/configs # - ./legacy/configs:/configs
redis: redis:
image: redis:latest image: redis:latest
ports: # ports:
- "127.0.0.1:6379:6379" # - "127.0.0.1:6379:6379"
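Review bot: No volume for the certificate store is visible in this hunk: lua-resty-auto-ssl keeps issued certificates under /etc/resty-auto-ssl (the Dockerfile in this commit creates and chowns that directory), so unless a volume is declared elsewhere in the file, every recreation of the container starts from an empty store and re-requests each certificate from the CA, which can exhaust its issuance rate limits. Mount it persistently on the web service, `volumes:` / `- resty-auto-ssl:/etc/resty-auto-ssl`, and declare the named volume at the top level. Publishing `"80:80"` without the 127.0.0.1 bind is what the HTTP-01 challenge needs, and commenting out the redis port publication so it is no longer reachable from outside the compose network is a sound hardening.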


@ -4,6 +4,16 @@ RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-http
RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-cookie RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-cookie
RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-iputils RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-iputils
RUN apk add openssl
RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl
RUN mkdir /etc/resty-auto-ssl && chown -R nobody /etc/resty-auto-ssl
RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
-subj '/CN=fallback.invalid' \
-keyout /etc/ssl/resty-auto-ssl-fallback.key \
-out /etc/ssl/resty-auto-ssl-fallback.crt
COPY default.conf /etc/nginx/conf.d/default.conf COPY default.conf /etc/nginx/conf.d/default.conf
COPY env.main /etc/nginx/conf.d/env.main COPY env.main /etc/nginx/conf.d/env.main
COPY lua/* /opt/sitelen-tu/ COPY lua/* /opt/sitelen-tu/
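Review bot: The fallback private key written by the `openssl req` step in this hunk ends up in an image layer, so every copy of the image (registry, build cache, any deployment built from it) shares the same key for fallback.invalid; generating the pair at container start into the same paths keeps the key out of the image and out of anyone who can pull it. The `apk add openssl` line also leaves the package index in the layer, which `RUN apk add --no-cache openssl` avoids. Issuance in lua-resty-auto-ssl goes through its bundled dehydrated script, which is a bash script that shells out to curl; I cannot tell from the hunk whether the base image provides either, so confirm that before relying on automatic issuance rather than finding out from a failed challenge.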


@ -2,8 +2,25 @@ error_log /dev/stdout;
lua_shared_dict jasima_cache 20m; lua_shared_dict jasima_cache 20m;
lua_package_path "/opt/sitelen-tu/?.lua;;"; lua_package_path "/opt/sitelen-tu/?.lua;;";
lua_shared_dict auto_ssl 1m;
lua_shared_dict auto_ssl_settings 64k;
resolver 127.0.0.11 valid=60 ipv6=off; resolver 127.0.0.11 valid=60 ipv6=off;
init_by_lua_block {
auto_ssl = (require "resty.auto-ssl").new()
auto_ssl:set("allow_domain", function(domain)
-- TODO: Set via environment variable
return domain ~= "127.0.0.1"
end)
auto_ssl:init()
}
init_worker_by_lua_block {
auto_ssl:init_worker()
}
upstream origin { upstream origin {
server 127.0.0.1; server 127.0.0.1;
@ -11,9 +28,15 @@ upstream origin {
} }
server { server {
listen 80; listen 443 ssl;
server_name localhost default; server_name localhost default;
ssl_certificate_by_lua_block {
auto_ssl:ssl_certificate()
}
ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
location / { location / {
# These variables are set in the access_by_lua stage # These variables are set in the access_by_lua stage
# TODO: These might be better to set with a set_by_lua_block # TODO: These might be better to set with a set_by_lua_block
@ -40,3 +63,27 @@ server {
body_filter_by_lua_file /opt/sitelen-tu/body_filter.lua; body_filter_by_lua_file /opt/sitelen-tu/body_filter.lua;
} }
} }
server {
listen 80;
location /.well-known/acme-challenge/ {
content_by_lua_block {
auto_ssl:challenge_server()
}
}
location / {
return 404;
}
}
server {
listen 127.0.0.1:8999;
client_body_buffer_size 128k;
client_max_body_size 128k;
location / {
content_by_lua_block {
auto_ssl:hook_server()
}
}
}
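Review bot: The `allow_domain` callback in the first hunk (init_by_lua_block) approves every name except the literal "127.0.0.1", so any client presenting an arbitrary SNI hostname makes this container request a certificate for that name from the CA; such requests fail validation for names that do not resolve here, but each one still consumes the CA's rate limits and local disk, and can lock out issuance for the real hostname. Replace the TODO with an explicit allowlist of the hostnames this container actually serves, read from an environment variable if env.main is where `env` directives are declared. The hook server bound to 127.0.0.1:8999 and the port-80 server that exposes only the ACME challenge path with a 404 catch-all match the lua-resty-auto-ssl documentation and look right.
```nginx
init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()
    -- Only hostnames in this table are ever submitted to the CA; any other
    -- SNI name is served the fallback certificate instead.
    local allowed_domains = {
        ["SERVED_HOSTNAME_PLACEHOLDER"] = true,  -- replace with the real hostname(s)
    }
    auto_ssl:set("allow_domain", function(domain)
        return allowed_domains[domain] == true
    end)
    auto_ssl:init()
}
```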