| -rw-r--r-- | template/nginx/cert-only.conf.template | 13 | ||||
| -rw-r--r-- | template/nginx/forbid_unknown_domain.conf | 2 | ||||
| -rwxr-xr-x | tool/modules/nginx.py | 5 | 
3 files changed, 19 insertions, 1 deletions
diff --git a/template/nginx/cert-only.conf.template b/template/nginx/cert-only.conf.template
new file mode 100644
index 0000000..08daa8a
--- /dev/null
+++ b/template/nginx/cert-only.conf.template
@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${CRUPEST_NGINX_SUBDOMAIN}.${CRUPEST_DOMAIN};
+
+    location / {
+        return 444;
+    }
+
+    location /.well-known/acme-challenge {
+        root /srv/acme;
+    }
+}
diff --git a/template/nginx/forbid_unknown_domain.conf b/template/nginx/forbid_unknown_domain.conf
index 661a2b6..ae96393 100644
--- a/template/nginx/forbid_unknown_domain.conf
+++ b/template/nginx/forbid_unknown_domain.conf
@@ -1,6 +1,8 @@
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
     return 444;
 }
diff --git a/tool/modules/nginx.py b/tool/modules/nginx.py
index 7336c3e..dbe93bb 100755
--- a/tool/modules/nginx.py
+++ b/tool/modules/nginx.py
@@ -25,6 +25,7 @@ static_file_template = Template(os.path.join(
     nginx_template_dir, 'static-file.conf.template'))
 reverse_proxy_template = Template(os.path.join(
     nginx_template_dir, 'reverse-proxy.conf.template'))
+cert_only_template = Template(os.path.join(nginx_template_dir, 'cert-only.conf.template'))
 nginx_var_set = set.union(root_template.var_set,
                           static_file_template.var_set, reverse_proxy_template.var_set)
@@ -48,7 +49,7 @@ def nginx_config_gen(domain: str, dest: str) -> None:
     # generate nginx config for each site
     sites: list = server["sites"]
     for site in sites:
-        if site["type"] not in ['static-file', 'reverse-proxy']:
+        if site["type"] not in ['static-file', 'reverse-proxy', "cert-only"]:
             continue
         subdomain = site["subdomain"]
         local_config = config.copy()
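Review bot: In the new cert-only.conf.template, `location /.well-known/acme-challenge` is a bare prefix with no trailing slash, so it also matches sibling paths (for example a constructed `/.well-known/acme-challenge-old`) and serves them from `/srv/acme`. Tightening it to `location ^~ /.well-known/acme-challenge/ {` keeps the challenge directory as the only content reachable on this port-80 vhost. A header comment such as `# HTTP-01 validation only: everything outside the ACME challenge path is dropped with 444` would also record the intent for whoever edits the template next.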
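Review bot: The two added `listen ... 443 ssl http2 default_server;` lines in forbid_unknown_domain.conf turn on TLS for the catch-all server, but no `ssl_certificate` / `ssl_certificate_key` appears in the block. Unless a certificate is inherited from the `http` context (not visible here), `nginx -t` rejects a server that listens with `ssl` and has no certificate. If one is inherited, it is presented to any client probing an unknown hostname before `return 444` runs, which discloses the names on that certificate. On nginx 1.19.4 or later, adding `ssl_reject_handshake on;` to this block covers both cases: no certificate is required and the handshake is refused for unmatched names.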
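Review bot: In the tool/modules/nginx.py hunk at line 25, `cert_only_template` is created but the `nginx_var_set = set.union(...)` call directly below it still lists only the root, static-file and reverse-proxy templates. The new template uses `CRUPEST_NGINX_SUBDOMAIN` and `CRUPEST_DOMAIN`, which the other templates presumably already contribute, so nothing should break today; a variable later added only to cert-only.conf.template would be missed by whatever consumes `nginx_var_set`. Adding `cert_only_template.var_set` to the union keeps the set tied to the templates that are actually rendered. The added line would also read more consistently if it were wrapped like the `Template(os.path.join(` calls above it.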
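Review bot: In the tool/modules/nginx.py hunk at line 49, the type filter and the if/elif chain in the following hunk (line 61) have to be edited together for every new site type. As far as the visible lines show the chain has no `else`, so a type added to the list but not to the chain would reuse `template` from the previous loop iteration or hit an unbound name. A single mapping from type to template, with the filter written as `if site["type"] not in templates_by_type: continue`, would remove the duplication. The new entry is also spelled `"cert-only"` while its neighbours and the `elif site["type"] == 'cert-only':` branch use single quotes; `'cert-only'` would match. nginx_config_gen starts and ends outside both hunks.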
@@ -60,6 +61,8 @@ def nginx_config_gen(domain: str, dest: str) -> None:
             template = reverse_proxy_template
             local_config['CRUPEST_NGINX_UPSTREAM_NAME'] = site["upstream"]["name"]
             local_config['CRUPEST_NGINX_UPSTREAM_SERVER'] = site["upstream"]["server"]
+        elif site["type"] == 'cert-only':
+            template = cert_only_template
         with open(os.path.join(dest, f'{subdomain}.{domain}.conf'), 'w') as f:
             f.write(template.generate(local_config))  | 
