314fa715fd
Two issues caused TLS to break on photos.carabosse.cloud over IPv6
(GrapheneOS + Immich app via Orange 5G NAT64):
1. Per-service vhosts only listened on IPv4 (listen 443 ssl). On IPv6,
nginx fell back to the first vhost loaded alphabetically and served
its certificate, breaking hostname verification on every other vhost.
2. /etc/letsencrypt/{live,archive} were 0700 root:root after certbot
created them, so the nginx worker (user http on Arch) could not read
the chained intermediates and served the leaf-only chain.
Changes:
- Add catch-all 00-default.conf default_server on :80 and :443 (v4+v6)
with a self-signed cert and 'return 444'. ACME challenges still
answered on :80.
- Add IPv6 listeners ([::]:80 and [::]:443 ssl) to immich, gitea, ntfy,
uptime_kuma vhosts and to the temporary ACME provisioning vhost.
- Apply 0755 on /etc/letsencrypt/live and /etc/letsencrypt/archive on
every run, not only at initial cert provisioning.
# Gitea vhost with Let's Encrypt (Certbot)
|
|
# Managed by Ansible - DO NOT EDIT MANUALLY
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ gitea_nginx_hostname }};
|
|
|
|
# Certbot webroot for ACME challenges
|
|
location /.well-known/acme-challenge/ {
|
|
root /var/www/certbot;
|
|
}
|
|
|
|
# Redirect to HTTPS
|
|
location / {
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
listen [::]:443 ssl;
|
|
server_name {{ gitea_nginx_hostname }};
|
|
|
|
# Let's Encrypt certificates (managed by Certbot)
|
|
ssl_certificate /etc/letsencrypt/live/{{ gitea_nginx_hostname }}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/{{ gitea_nginx_hostname }}/privkey.pem;
|
|
|
|
# SSL configuration
|
|
ssl_protocols {{ nginx_ssl_protocols | default('TLSv1.3') }};
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
{% if nginx_log_backend | default('journald') == 'journald' %}
|
|
access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_gitea;
|
|
error_log syslog:server=unix:/dev/log,nohostname,tag=nginx_gitea;
|
|
{% else %}
|
|
access_log /var/log/nginx/{{ gitea_nginx_hostname }}_access.log main;
|
|
error_log /var/log/nginx/{{ gitea_nginx_hostname }}_error.log;
|
|
{% endif %}
|
|
|
|
# Increase client max body size for large Git pushes
|
|
client_max_body_size 512M;
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:{{ gitea_port }};
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Required for Git LFS and large repository operations
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
}
|
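Review bot: The 443 server block (from `listen 443 ssl;` onward) sets `ssl_prefer_server_ciphers on;` without an `ssl_ciphers` list, so the directive has no effect under the TLSv1.3-only default and, if `nginx_ssl_protocols` is ever overridden to include TLSv1.2, nginx's built-in default cipher list is what gets preferred; either pin `ssl_ciphers` next to it or drop the line and note in the comment that TLSv1.3 suites are not configurable here. The same block, now reachable over both v4 and v6, sends no HSTS header even though the :80 vhost redirects everything except the ACME path to HTTPS; `add_header Strict-Transport-Security "max-age=63072000" always;` inside the 443 server would close that gap. This section carries no old/new markers, so which lines are new is inferred from the commit message (the two `listen [::]` lines); the protection against an unmatched IPv6 hostname landing on this vhost depends on the `00-default.conf` catch-all described in the message, which is not visible here and should be confirmed to load first.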