diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 46db324f..924f978f 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -34,6 +34,25 @@ http {
 '' $scheme;
 }
+ {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] and not TLS_ERROR %}
+ # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
+ #
+ server {
+ # Listen over HTTP
+ listen 80;
+ listen [::]:80;
+ {% if TLS_FLAVOR == 'letsencrypt' %}
+ location ^~ /.well-known/acme-challenge/ {
+ proxy_pass http://127.0.0.1:8008;
+ }
+ {% endif %}
+ # redirect to https
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+ {% endif %}
+
 # Main HTTP server
 server {
 # Favicon stuff
@@ -48,9 +67,11 @@ http {
 set $webdav {{ WEBDAV_ADDRESS }};
 {% endif %}
- # Always listen over HTTP
+ # Listen on HTTP only in kubernetes or behind reverse proxy
+ {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] or TLS_ERROR %}
 listen 80;
 listen [::]:80;
+ {% endif %}
 # Only enable HTTPS if TLS is enabled with no error and not on kubernetes
 {% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
@@ -78,8 +99,7 @@ http {
 add_header X-XSS-Protection '1; mode=block';
 add_header Referrer-Policy 'same-origin';
- # In any case, enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
- {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'mail-letsencrypt' ] %}
+ {% if TLS_FLAVOR == 'mail-letsencrypt' %}
 location ^~ /.well-known/acme-challenge/ {
 proxy_pass http://127.0.0.1:8008;
 }
diff --git a/towncrier/newsfragments/1564.bugfix b/towncrier/newsfragments/1564.bugfix
new file mode 100644
index 00000000..5c189b80
--- /dev/null
+++ b/towncrier/newsfragments/1564.bugfix
@@ -0,0 +1 @@
+Fixes certbot renewal
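Review bot: The header comment on the new port-80 server says it enables the certbot proxy for the letsencrypt flavor, but the block is also emitted for `TLS_FLAVOR == 'cert'`, where its only job is the HTTP-to-HTTPS redirect, and the bare `#` line under it reads as an unfinished sentence. Suggest replacing both lines with `# Plain-HTTP server for the letsencrypt and cert flavors: serves the ACME challenge (letsencrypt only) and redirects everything else to HTTPS`. This server declares no `server_name`, so it becomes the default for port 80 and `return 301 https://$host$request_uri;` echoes whatever Host header the client sent; if the configured hostnames are available to the template, using them here (or `$server_name`) would keep the redirect pinned to the names this deployment actually serves.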
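Review bot: The new `{% if %}` around `listen 80` is a hand-written inverse of the condition that emits the redirect server earlier in this file (`KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] and not TLS_ERROR`), so the two flavor lists have to be kept complementary by hand; a TLS_FLAVOR value that appears in neither list would leave nothing listening on port 80 at all. Writing it as the negation guarantees exactly one server on 80: `{% if not (KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] and not TLS_ERROR) %}`. The comment above it could also mention the TLS_ERROR fallback, since that case is neither "kubernetes" nor "behind reverse proxy".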
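Review bot: The replacement guard drops the `KUBERNETES_INGRESS != 'true'` test, so with `TLS_FLAVOR == 'mail-letsencrypt'` on Kubernetes the ACME location proxying to 127.0.0.1:8008 is now emitted unless the enclosing `{% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}` from the HTTPS section still wraps this location; the enclosing server block and that `{% endif %}` are outside the hunk, so this cannot be confirmed here. If it does not, restoring the guard as `{% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR == 'mail-letsencrypt' %}` keeps the previous behaviour of not proxying the challenge on Kubernetes. The deleted explanatory comment is also worth keeping in shortened form, e.g. `# mail-letsencrypt: certbot runs in this container, so proxy the ACME challenge to it`.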