NGINX - Duplicate Locations

Started by ChargerDad, July 04, 2024, 03:34:07 PM

I'm trying to set up multiple FQDNs to be accessible for acme-challenge requests behind OPNsense. I want publicly signed certs on the hosts, but the internal traffic to and between the hosts can't or shouldn't go back through NGINX, so using Let's Encrypt in NGINX won't work for these certificates.

I have unique Upstream Servers, Upstreams, and HTTP servers defined for each, but when I try to add multiple locations with the same URL Pattern (/.well-known/acme-challenge/) so that I can restrict external requests to only hitting that path, NGINX won't start, and generates the following error message.

nginx: [emerg] duplicate location "/.well-known/acme-challenge/" in /usr/local/etc/nginx/nginx.conf:1199

I assumed I could have Locations with the same pattern referring to different upstreams and referenced by different HTTP servers, but I must have to do this a different way?
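For reference, nginx itself only rejects a duplicate location when two of them sit inside the same server block; one location with the same path in each server block is valid. The following hand-written nginx configuration (an added example, not a config from the thread or generated by the OPNsense plugin) shows that layout, with hostnames, upstream addresses and upstream names being assumed placeholders, and with every non-ACME path on port 80 refused so that only the challenge path is reachable from outside:

```nginx
# Added example: one acme-challenge location per server block.
# Hostnames and backend addresses are assumed placeholders.
upstream host_a_acme {
    server 10.0.0.11:80;   # backend that answers HTTP-01 for a.example.com
}

upstream host_b_acme {
    server 10.0.0.12:80;   # backend that answers HTTP-01 for b.example.com
}

server {
    listen 80;
    server_name a.example.com;

    # Only the ACME HTTP-01 path is forwarded to the internal host.
    location /.well-known/acme-challenge/ {
        proxy_pass http://host_a_acme;
        proxy_set_header Host $host;
    }

    # Everything else on port 80 is dropped without a response.
    location / {
        return 444;
    }
}

server {
    listen 80;
    server_name b.example.com;

    # Same path again is fine here: it is a different server block.
    location /.well-known/acme-challenge/ {
        proxy_pass http://host_b_acme;
        proxy_set_header Host $host;
    }

    location / {
        return 444;
    }
}
```

Running `nginx -t` against a file containing this layout reports a valid configuration, whereas placing both acme-challenge locations inside a single server block reproduces the "duplicate location" error quoted above.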

I don't know how to do it in nginx, but I implemented it into os-caddy, and there it works quite easily. Maybe that fits your usecase?

https://docs.opnsense.org/manual/how-tos/caddy.html#redirect-acme-http-01-challenge
Hardware:
DEC740

I had never seen Caddy before, but I'm looking into it and might give it a go. NGINX configs can be pretty complicated, and there are some things that I just think the OPNsense web interface doesn't handle.

If you have any trouble let me know and I can help you or potentially fix it. I maintain that plugin.

Did you enable "Enable Let's Encrypt Plugin Support" in the server settings and then also add a configured location?

Quote from: Monviech on July 04, 2024, 05:44:22 PM
If you have any trouble let me know and I can help you or potentially fix it. I maintain that plugin.

Forgot to revisit this and update the thread! Got this working. The only thing I don't like is leaving port 80 open, so I've only been allowing it when I want to manually trigger a renewal. Does Caddy respond at all to port 80 requests when the host hasn't opened it up for validation?

September 12, 2024, 06:40:08 AM #6 Last Edit: September 12, 2024, 07:10:57 AM by Monviech
If port 80 is blocked on the host, it will automatically use port 443 with the TLS-ALPN-01 challenge for certificates.

But these cannot be redirected. Only the port 80 HTTP challenges can, and those require port 80.