https://bugs.contribs.org/show_bug.cgi?id=10541

--- Comment #2 from John Crisp <[email protected]> ---
This probably won't be part of the letsencrypt contrib itself as letsencrypt
knows nothing about your Proxy settings and we try to keep the contrib simple
and easy to use.

There could be lots of variations with Proxies which may be difficult to
handle, and I think you need to configure each one individually according to
your needs.

The dehydrated/letsencrypt hook-script.sh was designed for transferring
certificates to other servers. You can add templates there for copying
certificates around.

ProxyPassVirtualHosts was designed to let you create your own Proxied hosts.
You may be better off looking at how to create individual hosts and
configurations.

Have a look at something like this:
https://wiki.contribs.org/SME_Server:Documentation:ProxyPass

For an individual setup you need to set specifics in your ProxyPass$host,
something like this (which is what I use on Rocketchat):

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/ProxyPassVirtualRocketchat


    if ( $port eq "80" ) {
        $OUT .= "    # Redirect Letsencrypt queries\n";
        $OUT .= "    RewriteRule ^/.well-known/acme-challenge(/.*|\$) https://%{HTTP_HOST}/.well-known/acme-challenge\$1 [L,R]\n";
        $OUT .= "    # Everything else goes to https\n";
        $OUT .= "    RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/ [R,L]\n";
    }


    if ( $port eq "443" ) {
        $OUT .= "    SSLEngine On\n";
        $OUT .= "    RewriteEngine On\n";
        $OUT .= "    ProxyPreserveHost On\n";
        $OUT .= "    # Letsencrypt\n";
        $OUT .= "    Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/\n";

Your ProxyPass line probably does a similar thing (I am no guru on all this),
but managing each host with individual virtualhosts gives you more control (but
equally makes things more difficult to handle with letsencrypt).

>(I also want the reverse proxy connection from SME to backend server to be 
>http only, but that's a separate issue.)

That is what happens with RocketChat.

The incoming connection is https, and it proxies back to RocketChat using http.

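A check for the rule ordering the template fragment above relies on, as an added example that is not part of the original comment or of the contrib: on port 80 the first rule that matches a challenge request must keep its path, and port 443 must alias the challenge directory. The rendered vhost text, ServerName, listen address and probe token are constructed assumptions.

```python
import re

ACME = "/.well-known/acme-challenge"
PROBE = ACME + "/constructed-token"  # constructed request path

# Constructed sample of the rendered output for one proxied host
# (ServerName and listen address are assumptions, not from the page).
SAMPLE = r"""
<VirtualHost 0.0.0.0:80>
    ServerName chat.example.com
    RewriteEngine On
    RewriteRule ^/.well-known/acme-challenge(/.*|$) https://%{HTTP_HOST}/.well-known/acme-challenge$1 [L,R]
    RewriteRule ^/(.*|$) https://%{HTTP_HOST}/ [R,L]
</VirtualHost>
<VirtualHost 0.0.0.0:443>
    ServerName chat.example.com
    SSLEngine On
    Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+\S*:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directives(body, name):
    """Return the argument lists of every `name` directive in a vhost body."""
    rows = (line.split() for line in body.splitlines())
    return [r[1:] for r in rows if r and r[0].lower() == name.lower()]

def check_vhosts(conf):
    """List problems that would stop an HTTP-01 challenge reaching the local files."""
    problems = []
    for port, body in VHOST.findall(conf):
        if port == "80":
            # The first RewriteRule whose pattern matches the probe decides its fate.
            hit = next((r for r in directives(body, "RewriteRule")
                        if len(r) >= 2 and re.search(r[0], PROBE)), None)
            if hit is None:
                problems.append("port 80: no rule handles the challenge path")
            elif ACME not in hit[1]:
                problems.append("port 80: challenge caught by a rule that drops its path")
            elif "L" not in "".join(hit[2:]).strip("[]").split(","):
                problems.append("port 80: challenge rule lacks [L], later rules still apply")
        elif port == "443":
            if not any(a and a[0].startswith(ACME) for a in directives(body, "Alias")):
                problems.append("port 443: no Alias for the challenge directory")
    return problems
```

Run `check_vhosts()` over the expanded httpd.conf text after changing a ProxyPass template; an empty list means the challenge path is still handled as in the fragment above.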