infinite loop for allow_domain
I'm facing a small issue: for some domains, the allow_domain function is still called even though a certificate already exists for those domains.
Isn't it the role of auto_ssl:ssl_certificate() to prevent this?
I am saving the files locally; could that be the reason? If so, why?
Here's what my whole nginx config looks like:
# Global error log; "debug" is the most verbose level and is normally only
# kept while diagnosing a problem such as this one.
error_log /var/log/nginx/nginx_error.log debug;
events {
worker_connections 1024;
}
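http {
    include mime.types;

    # The "auto_ssl" shared dict should be defined with enough storage space to
    # hold your certificate data. 1MB of storage holds certificates for
    # approximately 100 separate domains.
    lua_shared_dict auto_ssl 1m;

    # The "auto_ssl_settings" shared dict is used to temporarily store various settings
    # like the secret used by the hook server on port 8999. Do not change or
    # omit it.
    lua_shared_dict auto_ssl_settings 64k;

    # NOTE(review): "tmp" is not referenced anywhere else in this config --
    # confirm it is still needed.
    lua_shared_dict tmp 12k;

    # CA bundle and chain depth used to verify TLS peers of Lua cosockets; the
    # allow_domain HTTPS call below is verified against them (lua-resty-http
    # verifies the peer by default -- confirm for the installed version).
    lua_ssl_verify_depth 2;
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.pem;

    # Search path for the lua-resty-http library required by allow_domain.
    lua_package_path "/root/lua-resty-http/lib/?.lua;;";

    # A DNS resolver must be defined for OCSP stapling to function.
    #
    # This example uses Google's DNS server. You may want to use your system's
    # default DNS servers, which can be found in /etc/resolv.conf. If your network
    # is not IPv6 compatible, you may wish to disable IPv6 results by using the
    # "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
    resolver 8.8.8.8;

    # Initial setup tasks.
    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()

        -- Decide whether a certificate may be issued for `domain` by asking the
        -- approval API. Returns true only on an HTTP 200 from that API; a
        -- transport error or any other status (including 404) denies the domain.
        --
        -- NOTE(review): `domain` is the SNI hostname sent by the connecting
        -- client, i.e. untrusted input, so it is URI-escaped before being
        -- placed into the request path.
        -- NOTE(review): this callback appears to run during the TLS handshake
        -- itself (which would explain it being invoked even when a certificate
        -- already exists), so the HTTP round trip here is on the handshake's
        -- critical path -- confirm against the library's ssl_certificate
        -- implementation and consider caching the decision if so.
        auto_ssl:set("allow_domain", function(domain)
            local http = require("resty.http")
            local httpc = http.new()
            -- Bound the approval request so a slow API cannot stall handshakes
            -- for the default cosocket timeout (5000 ms is a constructed
            -- default; tune as needed).
            httpc:set_timeout(5000)
            local uri = "https://api.hyperping.io/v1/approveDomain/" .. ngx.escape_uri(domain)
            local res, err = httpc:request_uri(uri, {
                method = "GET"
            })
            if not res then
                -- A failed request is an error condition, not a notice.
                ngx.log(ngx.ERR, "failed to request: ", err)
                return false
            end
            -- Only an explicit 200 approves the domain.
            return res.status == 200
        end)
        auto_ssl:init()
    }

    init_worker_by_lua_block {
        auto_ssl:init_worker()
    }

    # HTTPS server. It has no server_name, so it is the default for port 443:
    # any SNI name not matching the *.hyperping.io server below ends up here
    # and is handled by auto_ssl.
    server {
        listen 443 ssl;
        # Redundant with "listen 443 ssl" (and deprecated since nginx 1.15.0);
        # left in place.
        ssl on;

        gzip on;
        gzip_disable "msie6";
        gzip_comp_level 6;
        gzip_min_length 1100;
        gzip_buffers 16 8k;
        gzip_proxied any;
        gzip_types
            text/plain
            text/css
            text/js
            text/xml
            text/javascript
            application/javascript
            application/x-javascript
            application/json
            application/xml
            application/rss+xml
            image/svg+xml;

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }

        # Placeholder certificate nginx requires at startup; the per-domain
        # certificate is supplied by ssl_certificate_by_lua at handshake time.
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

        root /var/www/statuspage;
        index index.html;

        location / {
            try_files $uri $uri/ /index.html;
            # NOTE(review): the proxy_* directives below have no effect in a
            # location without proxy_pass; try_files serves files directly.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }

        location ~ ^/public/[0-9]+ {
            root /var/www/statuspage;
            try_files /index.html =404;
        }

        # NOTE(review): in this regex "*" repeats only the preceding "/", so
        # the pattern also matches paths such as "/staticfoo"; "^/static/" is
        # probably what was intended. Left unchanged.
        location ~ ^/static/* {
            root /var/www/statuspage;
            try_files $uri $uri/ =404;
            expires 30d;
            add_header Vary Accept-Encoding;
            access_log off;
        }
    }

    # Wildcard hostnames are served with a static Let's Encrypt certificate;
    # SNI selects this server, so these names never pass through auto_ssl.
    server {
        listen 443 ssl;
        server_name *.hyperping.io;
        ssl_certificate /etc/letsencrypt/live/hyperping.io/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/hyperping.io/privkey.pem;
        root /var/www/statuspage;
        index index.html;

        location / {
            try_files $uri $uri/ /index.html;
        }

        location ~ ^/public/[0-9]+ {
            root /var/www/statuspage;
            try_files /index.html =404;
        }

        # Same regex caveat as in the default server above.
        location ~ ^/static/* {
            root /var/www/statuspage;
            try_files $uri $uri/ =404;
            expires 30d;
            add_header Vary Accept-Encoding;
            access_log off;
        }
    }

    # HTTP server
    server {
        listen 80;

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }

        # Everything else is redirected to HTTPS on the same host.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Internal server running on port 8999 for handling certificate tasks.
    # Bound to loopback only, so it is reachable just from this host.
    server {
        listen 127.0.0.1:8999;

        # Increase the body buffer size, to ensure the internal POSTs can always
        # parse the full POST contents into memory.
        client_body_buffer_size 128k;
        client_max_body_size 128k;

        location / {
            content_by_lua_block {
                auto_ssl:hook_server()
            }
        }
    }
}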
What am I doing wrong? 😬