Clément Désiles
314fa715fd
Two issues caused TLS to break on photos.carabosse.cloud over IPv6
(GrapheneOS + Immich app via Orange 5G NAT64):
1. Per-service vhosts only listened on IPv4 (listen 443 ssl). On IPv6,
nginx fell back to the first vhost loaded alphabetically and served
its certificate, breaking hostname verification on every other vhost.
2. /etc/letsencrypt/{live,archive} were 0700 root:root after certbot
created them, so the nginx worker (user http on Arch) could not read
the chained intermediates and served the leaf-only chain.
Changes:
- Add catch-all 00-default.conf default_server on :80 and :443 (v4+v6)
with a self-signed cert and 'return 444'. ACME challenges still
answered on :80.
- Add IPv6 listeners ([::]:80 and [::]:443 ssl) to immich, gitea, ntfy,
uptime_kuma vhosts and to the temporary ACME provisioning vhost.
- Apply 0755 on /etc/letsencrypt/live and /etc/letsencrypt/archive on
every run, not only at initial cert provisioning.
47 lines
1.6 KiB
YAML
47 lines
1.6 KiB
YAML
---
|
|
# Nginx configuration directory for service vhosts
|
|
nginx_conf_dir: /etc/nginx/conf.d
|
|
|
|
# Nginx stream configuration directory (TCP/UDP proxies)
|
|
nginx_streams_dir: /etc/nginx/streams.d
|
|
|
|
# Worker processes (auto = number of CPU cores)
|
|
nginx_worker_processes: auto
|
|
|
|
# Worker connections
|
|
nginx_worker_connections: 1024
|
|
|
|
# Client max body size (for file uploads)
|
|
nginx_client_max_body_size: 100M
|
|
|
|
# SSL configuration (volontarily omit TLSv1.2 here)
|
|
nginx_ssl_protocols: TLSv1.3
|
|
|
|
# Catch-all default_server (rejects unknown SNI / Host with 444).
|
|
# Prevents leaking the first-loaded vhost's cert to unrelated requests.
|
|
nginx_default_server_enabled: true
|
|
nginx_default_ssl_cert: /etc/nginx/ssl/default.crt
|
|
nginx_default_ssl_key: /etc/nginx/ssl/default.key
|
|
|
|
# Logging configuration
|
|
# Backend: 'file' (traditional /var/log/nginx/*.log) or 'journald' (systemd journal)
|
|
nginx_log_backend: journald
|
|
|
|
# Logrotate configuration (only used when nginx_log_backend: file)
|
|
nginx_logrotate_rotate: 14 # Keep 14 days of logs
|
|
nginx_logrotate_frequency: daily # daily|weekly|monthly
|
|
nginx_logrotate_compress: true # Compress rotated logs
|
|
|
|
# Forwarder configuration (transparent proxy to other hosts)
|
|
# Example:
|
|
# nginx_forwarder:
|
|
# "blog.hello.com":
|
|
# forward_to: "you.domain.org"
|
|
# http: true # Forward port 80 (default: true)
|
|
# https: true # Forward port 443 (default: true)
|
|
nginx_forwarder: {}
|
|
|
|
# Let's Encrypt / Certbot configuration
|
|
# acme_email: "" # Required for Let's Encrypt - intentionally undefined
|
|
# Set this variable to enable Certbot installation and certificate management
|