OPNsense Forum » English Forums » 24.1 Legacy Series

Topic: NGINX - Duplicate Locations

ChargerDad

NGINX - Duplicate Locations
« on: July 04, 2024, 03:34:07 pm »
I'm trying to set up multiple FQDNs to be accessible for acme-challenge requests behind OPNsense. I want publicly signed certs on the hosts, but the internal traffic to and between the hosts can't or shouldn't go back through NGINX, so using Let's Encrypt in NGINX won't work for these certificates.

I have unique Upstream Servers, Upstreams, and HTTP servers defined for each, but when I try to add multiple locations with the same URL Pattern (/.well-known/acme-challenge/) so that I can restrict external requests to only hitting that path, NGINX won't start and generates the following error message.

nginx: [emerg] duplicate location "/.well-known/acme-challenge/" in /usr/local/etc/nginx/nginx.conf:1199
I assumed I could have Locations with the same pattern referring to different upstreams and referenced by different HTTP servers, but must have to do this a different way?
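Added example, not from this thread or from the OPNsense nginx plugin: a hand-written nginx configuration with the shape the original poster describes (one HTTP server per public FQDN, each forwarding only the ACME HTTP-01 path to its own upstream and refusing everything else on port 80). Hostnames, upstream names and addresses are hypothetical. The point it illustrates is that nginx rejects a duplicate location only within a single server block; the same prefix may appear once in each server block. Whether the OPNsense UI emits exactly this layout is not something the thread confirms.

```nginx
# Hypothetical upstreams: one per internal host that must answer
# /.well-known/acme-challenge/ for its own certificate.
upstream host_a_acme {
    server 10.0.10.11:80;
}

upstream host_b_acme {
    server 10.0.10.12:80;
}

# One server block per public FQDN. Each may carry its own
# /.well-known/acme-challenge/ location; nginx only complains when
# the same location appears twice inside ONE server block.
server {
    listen 80;
    server_name a.example.com;

    # Forward only the ACME HTTP-01 path to the internal host.
    location /.well-known/acme-challenge/ {
        proxy_pass http://host_a_acme;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Anything else arriving on port 80 for this name is dropped
    # (444 closes the connection without a response), so the public
    # side exposes nothing but the challenge path.
    location / {
        return 444;
    }
}

server {
    listen 80;
    server_name b.example.com;

    location /.well-known/acme-challenge/ {
        proxy_pass http://host_b_acme;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        return 444;
    }
}

# Catch-all for hostnames not served here: close the connection.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# For contrast, this is the shape that produces the [emerg] in the
# first post: two locations with the same prefix inside a single
# server block. Left commented out on purpose.
#
# server {
#     listen 80;
#     server_name a.example.com b.example.com;
#     location /.well-known/acme-challenge/ { proxy_pass http://host_a_acme; }
#     location /.well-known/acme-challenge/ { proxy_pass http://host_b_acme; }
# }
```

Validate a candidate configuration with `nginx -t -c /path/to/nginx.conf` before reloading; the error in the first post names `/usr/local/etc/nginx/nginx.conf` as the file the OPNsense plugin generates, so that is the file to inspect for a second `location /.well-known/acme-challenge/` within the same `server { ... }`. Keeping the challenge location on port 80 only is still exposure of port 80, which the later posts in this thread discuss.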

Monviech (Cedrik), Global Moderator
Re: NGINX - Duplicate Locations
« Reply #1 on: July 04, 2024, 03:59:17 pm »
I don't know how to do it in nginx, but I implemented it into os-caddy, and there it works quite easily. Maybe that fits your use case?

https://docs.opnsense.org/manual/how-tos/caddy.html#redirect-acme-http-01-challenge
Hardware:
DEC740

ChargerDad

Re: NGINX - Duplicate Locations
« Reply #2 on: July 04, 2024, 04:26:44 pm »
I had never seen Caddy before, but I'm looking into it and might give it a go. NGINX configs can be pretty complicated, and there are some things that I just think the OPNsense web interface doesn't handle.

Monviech (Cedrik), Global Moderator
Re: NGINX - Duplicate Locations
« Reply #3 on: July 04, 2024, 05:44:22 pm »
If you have any trouble let me know and I can help you or potentially fix it. I maintain that plugin.

Fright

Re: NGINX - Duplicate Locations
« Reply #4 on: July 07, 2024, 08:41:03 am »
Do you have "Enable Let's Encrypt Plugin Support" enabled in the Server settings and a configured location added as well?

ChargerDad

Re: NGINX - Duplicate Locations
« Reply #5 on: September 12, 2024, 01:13:28 am »
Quote from: Monviech on July 04, 2024, 05:44:22 pm
If you have any trouble let me know and I can help you or potentially fix it. I maintain that plugin.

Forgot to revisit this and update the thread! Got this working. The only thing I don't like is leaving port 80 open, so I've only been allowing it when I want to manually trigger a renewal. Does Caddy respond at all to port 80 requests when the host hasn't opened it up for validation?

Monviech (Cedrik), Global Moderator
Re: NGINX - Duplicate Locations
« Reply #6 on: September 12, 2024, 06:40:08 am »
If port 80 is blocked on the host, it will automatically use port 443 with the TLS-ALPN-01 challenge for certificates.

But these cannot be redirected. Only the port 80 HTTP challenges can, and those require port 80.
« Last Edit: September 12, 2024, 07:10:57 am by Monviech »

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved