lua-resty-auto-ssl icon indicating copy to clipboard operation
lua-resty-auto-ssl copied to clipboard

Published 20 hours ago verified publisher icon auto-ssl

Prevent SSL errors on fallback cert

Open benoj opened this issue 7 years ago • 3 comments

Is there a way to prevent the Nginx instance from serving (or serving an error page) when the allow_domain function returns false?

Right now it serves up a proxied page from my upstream service - I would like to short-circuit this and return 404 or some error page/response from Nginx.

See the config below:

user www-data;
worker_processes auto;
pid /run/openresty.pid;

#pid        logs/nginx.pid;

events {

	worker_connections 1024;
}


http {

	include mime.types;
	default_type application/octet-stream;

	lua_shared_dict auto_ssl 1m;
	lua_shared_dict auto_ssl_settings 64k;

	resolver 8.8.8.8 ipv6=off;

	init_by_lua_block {
	auto_ssl = (require "resty.auto-ssl").new()
		auto_ssl:set("allow_domain", function(domain)
            #FIND My valid domains and if found return true else false
		end)

		auto_ssl:init()
	}

	init_worker_by_lua_block {

		auto_ssl:init_worker()
	}

	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	#                  '$status $body_bytes_sent "$http_referer" '
	#                  '"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/openresty/access.log;
	error_log /var/log/openresty/error.log;

	sendfile on;
	#tcp_nopush     on;

	#keepalive_timeout  0;
	keepalive_timeout 65;

	gzip on;

	server {

		listen 80 default_server;
		listen [::]:80 default_server;
		server_name _;

		location /.well-known/acme-challenge/ {

			content_by_lua_block {

				auto_ssl:challenge_server()
			}
		}

		return 301 https://$host$request_uri;
	}

	server {

		listen 443 ssl;
		ssl_certificate_by_lua_block {

			auto_ssl:ssl_certificate()
		}

		location / {

			proxy_ssl_server_name on;
			proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
			proxy_pass https://mydomain.com/$host;
		}

		ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
		ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
	}

	server {

		listen 127.0.0.1:8999;

		client_body_buffer_size 128k;
		client_max_body_size 128k;

		location / {

			content_by_lua_block {

				auto_ssl:hook_server()
			}
		}
	}

}

benoj avatar Feb 27 '18 11:02 benoj

Hey @GUI is this project still maintained?

benoj avatar Apr 29 '18 19:04 benoj

This is not possible because SSL negotiation occurs before you can send data e.g. a redirect. You could send a 444 which is a special Nginx error code for sending no response. This would still result in an SSL certificate error, but no other content would be served.

yveslaroche avatar Apr 30 '18 13:04 yveslaroche

@yveslaroche Thanks I will try that.

One further question - It seems that sometimes the SSL certificate takes a bit longer to generate and so the self-signed is returned until I refresh again a few minutes later.

Is there a way to know what cert is being used for the response and return 444 then too?

Thanks

benoj avatar Apr 30 '18 13:04 benoj