OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: ChargerDad on July 04, 2024, 03:34:07 PM

Title: NGINX - Duplicate Locations
Post by: ChargerDad on July 04, 2024, 03:34:07 PM
I'm trying to set up multiple FQDNs to be accessible for acme-challenge requests behind OPNsense. I want publicly signed certs on the hosts, but the internal traffic to and between the hosts can't or shouldn't go back through NGINX, so using Let's Encrypt in NGINX won't work for these certificates.

I have unique Upstream Servers, Upstreams, and HTTP servers defined for each, but when I try to add multiple locations with the same URL Pattern (/.well-known/acme-challenge/) so that I can restrict external requests to only hitting that path, NGINX won't start, and generates the following error message.

nginx: [emerg] duplicate location "/.well-known/acme-challenge/" in /usr/local/etc/nginx/nginx.conf:1199

I assumed I could have Locations with the same pattern referring to different upstreams and referenced by different HTTP servers, but must have to do this a different way?
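For reference, nginx itself only reports "duplicate location" when the same pattern appears twice inside one server block; the same pattern in two different server blocks, each pointing at its own upstream, is accepted. The fragment below is an added hand-written example of that layout, not the config the OPNsense NGINX plugin generates; the hostnames and upstream addresses are placeholders.

```nginx
# Added example (hand-written, not plugin-generated). Placeholder addresses.
upstream acme_host_a { server 192.0.2.10:80; }
upstream acme_host_b { server 192.0.2.11:80; }

server {
    listen 80;
    server_name host-a.example.com;

    # Only the ACME HTTP-01 path is forwarded to the internal host.
    location /.well-known/acme-challenge/ {
        proxy_pass http://acme_host_a;
        proxy_set_header Host $host;
    }

    # Every other request arriving on port 80 is refused.
    location / {
        return 404;
    }
}

server {
    listen 80;
    server_name host-b.example.com;

    # Same location pattern as above; allowed because it sits in a
    # different server block and targets a different upstream.
    location /.well-known/acme-challenge/ {
        proxy_pass http://acme_host_b;
        proxy_set_header Host $host;
    }

    location / {
        return 404;
    }
}
```

Check the result with `nginx -t` before reloading; if the duplicate error persists, the two locations have ended up in the same server context.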
Title: Re: NGINX - Duplicate Locations
Post by: Monviech (Cedrik) on July 04, 2024, 03:59:17 PM
I don't know how to do it in nginx, but I implemented it into os-caddy, and there it works quite easily. Maybe that fits your use case?

https://docs.opnsense.org/manual/how-tos/caddy.html#redirect-acme-http-01-challenge
Title: Re: NGINX - Duplicate Locations
Post by: ChargerDad on July 04, 2024, 04:26:44 PM
I had never seen caddy before, but I'm looking into it and might give it a go. NGINX configs can be pretty complicated, and there are some things that I just think the OPNsense web interface doesn't handle.
Title: Re: NGINX - Duplicate Locations
Post by: Monviech (Cedrik) on July 04, 2024, 05:44:22 PM
If you have any trouble let me know and I can help you or potentially fix it. I maintain that plugin.
Title: Re: NGINX - Duplicate Locations
Post by: Fright on July 07, 2024, 08:41:03 AM
Is "Enable Let's Encrypt Plugin Support" enabled at Server settings, and then a configured location added also?
Title: Re: NGINX - Duplicate Locations
Post by: ChargerDad on September 12, 2024, 01:13:28 AM
Quote from: Monviech on July 04, 2024, 05:44:22 PM
If you have any trouble let me know and I can help you or potentially fix it. I maintain that plugin.

Forgot to revisit this and update the thread! Got this working. Only thing I don't like is leaving port 80 open, so I've only been allowing it when I want to manually trigger a renewal. Does Caddy respond at all to port 80 requests when the host hasn't opened it up for validation?
Title: Re: NGINX - Duplicate Locations
Post by: Monviech (Cedrik) on September 12, 2024, 06:40:08 AM
If port 80 is blocked on the host, it will use 443 with the TLS-ALPN-01 challenge for certificates automatically.

But these cannot be redirected. Only the port 80 HTTP challenges can, and those require port 80.