Merge pull request #276260 from Izorkin/update-nginx-acme-locations
nixos/nginx: change position acmeLocation in nginx configuration
commit
5ab6191ee5
1 changed files with 12 additions and 9 deletions
|
@ -352,10 +352,11 @@ let
|
|||
|
||||
# The acme-challenge location doesn't need to be added if we are not using any automated
|
||||
# certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge
|
||||
acmeLocation = optionalString (vhost.enableACME || (vhost.useACMEHost != null && config.security.acme.certs.${vhost.useACMEHost}.dnsProvider == null)) ''
|
||||
acmeLocation = optionalString (vhost.enableACME || (vhost.useACMEHost != null && config.security.acme.certs.${vhost.useACMEHost}.dnsProvider == null))
|
||||
# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
|
||||
# We use ^~ here, so that we don't check any regexes (which could
|
||||
# otherwise easily override this intended match accidentally).
|
||||
''
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
|
||||
${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"}
|
||||
|
@ -375,10 +376,11 @@ let
|
|||
${concatMapStringsSep "\n" listenString redirectListen}
|
||||
|
||||
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
|
||||
${acmeLocation}
|
||||
|
||||
location / {
|
||||
return ${toString vhost.redirectCode} https://$host$request_uri;
|
||||
}
|
||||
${acmeLocation}
|
||||
}
|
||||
''}
|
||||
|
||||
|
@ -392,13 +394,6 @@ let
|
|||
http3 ${if vhost.http3 then "on" else "off"};
|
||||
http3_hq ${if vhost.http3_hq then "on" else "off"};
|
||||
''}
|
||||
${acmeLocation}
|
||||
${optionalString (vhost.root != null) "root ${vhost.root};"}
|
||||
${optionalString (vhost.globalRedirect != null) ''
|
||||
location / {
|
||||
return ${toString vhost.redirectCode} http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
|
||||
}
|
||||
''}
|
||||
${optionalString hasSSL ''
|
||||
ssl_certificate ${vhost.sslCertificate};
|
||||
ssl_certificate_key ${vhost.sslCertificateKey};
|
||||
|
@ -421,6 +416,14 @@ let
|
|||
|
||||
${mkBasicAuth vhostName vhost}
|
||||
|
||||
${optionalString (vhost.root != null) "root ${vhost.root};"}
|
||||
|
||||
${optionalString (vhost.globalRedirect != null) ''
|
||||
location / {
|
||||
return ${toString vhost.redirectCode} http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
|
||||
}
|
||||
''}
|
||||
${acmeLocation}
|
||||
${mkLocations vhost.locations}
|
||||
|
||||
${vhost.extraConfig}
|
||||
|
|
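Review bot: In the last hunk (`@ -421,6 +416,14 @`), `${acmeLocation}` is now emitted right after `${mkBasicAuth vhostName vhost}` with no comment on why that position is safe, and the challenge location's body is cut off after the `root` line in the first hunk, so the page does not show whether it opts out of server-level authentication. nginx inherits server-context auth directives into every location regardless of textual order, so if `mkBasicAuth` emits `auth_basic` (presumably; its definition is outside the page), HTTP-01 validation requests would get a 401 and renewals would fail unless the location body carries `auth_basic off;`. I would confirm that and add a Nix comment above the interpolation, for example `# Placement is cosmetic: ^~ prefix matching is order-independent; the location must itself disable inherited server-level auth.` The same comment would help in the redirect server block of the second hunk, where `${acmeLocation}` sits next to the catch-all `location /` redirect and only the longest-prefix rule keeps challenge paths from being redirected.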