Https

lighttpd 代理除 .well-known forletsencrypt 之外的所有代理

  • September 10, 2020

我想將 lighttpd 配置為接受來自letsencrypt 服務的證書更新請求,但是我的配置有問題,因為它用作代理伺服器,所以我的/.well-known 不能使用HTTPS。配置文件如下。有什麼建議麼?

我的lighttpd.conf文件:

###############################################################################
# Default lighttpd.conf for Gentoo.
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.5 2010/11/18 15:13:47 hwoarang Exp $
###############################################################################

# {{{ variables
var.basedir  = "/var/www/localhost"
var.logdir   = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"
# }}}

# {{{ modules
# At the very least, mod_access and mod_accesslog should be enabled.
# All other modules should only be loaded if necessary.
# NOTE: the order of modules is important.
server.modules = (
   "mod_rewrite",
   "mod_redirect",
   "mod_alias",
   "mod_access",
#    "mod_cml",
#    "mod_trigger_b4_dl",
#    "mod_auth",
#    "mod_status",
#    "mod_setenv",
   "mod_proxy",
#    "mod_simple_vhost",
#    "mod_evhost",
#    "mod_userdir",
#    "mod_compress",
#    "mod_ssi",
#    "mod_usertrack",
#    "mod_expire",
#    "mod_secdownload",
#    "mod_rrdtool",
#    "mod_webdav",
   "mod_accesslog"
)
#alias.url += (
# "/.well-known/acme-challenge/" => "/tmp/certbot/public_html/",
#)
# }}}

# {{{ includes
include "mime-types.conf"
include_shell "cat /etc/lighttpd/conf.d/*.conf"
# fcgi and cgi are included below 
# }}}

# {{{ server settings
server.username      = "lighttpd"
server.groupname     = "lighttpd"

server.document-root = "/tmp/certbot/public_html" #var.basedir + "/htdocs"
server.pid-file      = "/var/run/lighttpd.pid"

server.errorlog      = var.logdir  + "/error.log"
# log errors to syslog instead
#   server.errorlog-use-syslog = "enable"

server.indexfiles    = ("index.php", "index.html",
                       "index.htm", "default.htm")

# server.tag           = "lighttpd"

server.follow-symlink = "enable"

# event handler (defaults to "poll")
# see performance.txt
# 
# for >= linux-2.4
#   server.event-handler = "linux-rtsig"
# for >= linux-2.6
#   server.event-handler = "linux-sysepoll"
# for FreeBSD
#   server.event-handler = "freebsd-kqueue"

# chroot to directory (defaults to no chroot)
# server.chroot      = "/"

# bind to port (defaults to 80)
# server.port          = 81

# bind to name (defaults to all interfaces)
# server.bind          = "grisu.home.kneschke.de"

# error-handler for status 404
# server.error-handler-404 = "/error-handler.html"
# server.error-handler-404 = "/error-handler.php"

# Format: <errorfile-prefix><status-code>.html
# -> ..../status-404.html for 'File not found'
# server.errorfile-prefix    = var.basedir + "/error/status-"

# FAM support for caching stat() calls
# requires that lighttpd be built with USE=fam
#   server.stat-cache-engine = "fam"

# If lighttpd was build with IPv6 support, and you would like to listen on IPv6,
# uncomment the following:
# server.use-ipv6 = "enable"

# }}}

# {{{ mod_staticfile

# which extensions should not be handled via static-file transfer
# (extensions that are usually handled by mod_cgi, mod_fastcgi, etc).
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")
# }}}

# {{{ mod_accesslog
accesslog.filename   = var.logdir + "/access.log"
# }}}

# {{{ mod_dirlisting
# enable directory listings
#   dir-listing.activate      = "enable"
#
# don't list hidden files/directories
#   dir-listing.hide-dotfiles = "enable"
#
# use a different css for directory listings
#   dir-listing.external-css  = "/path/to/dir-listing.css"
#
# list of regular expressions.  files that match any of the
# specified regular expressions will be excluded from directory
# listings.
#   dir-listing.exclude = ("^\.", "~$")
# }}}

# {{{ mod_access
# see access.txt

url.access-deny = ("~", ".inc")
# }}}

# {{{ mod_userdir
# see userdir.txt
#
# userdir.path = "public_html"
# userdir.exclude-user = ("root")
# }}}

# {{{ mod_ssi
# see ssi.txt
#
# ssi.extension = (".shtml")
# }}}

# {{{ mod_ssl
# see ssl.txt
#
# ssl.engine    = "enable"
# ssl.pemfile   = "server.pem"
# }}}

# {{{ mod_status
# see status.txt
#
# status.status-url  = "/server-status"
# status.config-url  = "/server-config"
# }}}

# {{{ mod_simple_vhost
# see simple-vhost.txt
#
#  If you want name-based virtual hosting add the next three settings and load
#  mod_simple_vhost
#
# document-root =
#   virtual-server-root + virtual-server-default-host + virtual-server-docroot
# or
#   virtual-server-root + http-host + virtual-server-docroot
#
# simple-vhost.server-root   = "/home/weigon/wwwroot/servers/"
# simple-vhost.default-host  = "grisu.home.kneschke.de"
# simple-vhost.document-root = "/pages/"
# }}}

# {{{ mod_compress
# see compress.txt
#
# compress.cache-dir   = var.statedir + "/cache/compress"
# compress.filetype    = ("text/plain", "text/html")
# }}}

# {{{ mod_proxy
# see proxy.txt
#
# proxy.server               = ( ".php" =>
#                               ( "localhost" =>
#                                 (
#                                   "host" => "192.168.0.101",
#                                   "port" => 80
#                                 )
#                               )
#                             )
# }}}

# {{{ mod_auth
# see authentication.txt
#
# auth.backend               = "plain"
# auth.backend.plain.userfile = "lighttpd.user"
# auth.backend.plain.groupfile = "lighttpd.group"

# auth.backend.ldap.hostname = "localhost"
# auth.backend.ldap.base-dn  = "dc=my-domain,dc=com"
# auth.backend.ldap.filter   = "(uid=$)"

# auth.require               = ( "/server-status" =>
#                               (
#                                 "method"  => "digest",
#                                 "realm"   => "download archiv",
#                                 "require" => "user=jan"
#                               ),
#                               "/server-info" =>
#                               (
#                                 "method"  => "digest",
#                                 "realm"   => "download archiv",
#                                 "require" => "valid-user"
#                               )
#                             )
# }}}

# {{{ mod_rewrite
# see rewrite.txt
#
# url.rewrite = (
#   "^/$"       =>      "/server-status"
# )
# }}}

# {{{ mod_redirect
# see redirect.txt
#
# url.redirect = (
#   "^/wishlist/(.+)"       =>      "http://www.123.org/$1"
# )
# }}}

# {{{ mod_evhost
# define a pattern for the host url finding
# %% => % sign
# %0 => domain name + tld
# %1 => tld
# %2 => domain name without tld
# %3 => subdomain 1 name
# %4 => subdomain 2 name
#
# evhost.path-pattern        = "/home/storage/dev/www/%3/htdocs/"
# }}}

# {{{ mod_expire
# expire.url = (
#   "/buggy/"       =>      "access 2 hours",
#   "/asdhas/"      =>      "access plus 1 seconds 2 minutes"
# )
# }}}

# {{{ mod_rrdtool
# see rrdtool.txt
#
# rrdtool.binary  = "/usr/bin/rrdtool"
# rrdtool.db-name = var.statedir + "/lighttpd.rrd"
# }}}

# {{{ mod_setenv
# see setenv.txt
#
# setenv.add-request-header  = ( "TRAV_ENV" => "mysql://user@host/db" )
# setenv.add-response-header = ( "X-Secret-Message" => "42" )
# }}}

# {{{ mod_trigger_b4_dl
# see trigger_b4_dl.txt
#
# trigger-before-download.gdbm-filename = "/home/weigon/testbase/trigger.db"
# trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" )
# trigger-before-download.trigger-url = "^/trigger/"
# trigger-before-download.download-url = "^/download/"
# trigger-before-download.deny-url = "http://127.0.0.1/index.html"
# trigger-before-download.trigger-timeout = 10
# }}}

# {{{ mod_cml
# see cml.txt
#
# don't forget to add index.cml to server.indexfiles
# cml.extension               = ".cml"
# cml.memcache-hosts          = ( "127.0.0.1:11211" )
# }}} 

# {{{ mod_webdav
# see webdav.txt
#
# $HTTP["url"] =~ "^/dav($|/)" {
#     webdav.activate = "enable"
#     webdav.is-readonly = "enable"
# }
# }}}

# {{{ extra rules
#
# set Content-Encoding and reset Content-Type for browsers that
# support decompressing on-thy-fly (requires mod_setenv)
# $HTTP["url"] =~ "\.gz$" {
#     setenv.add-response-header = ("Content-Encoding" => "x-gzip")
#     mimetype.assign = (".gz" => "text/plain")
# }

# $HTTP["url"] =~ "\.bz2$" {
#     setenv.add-response-header = ("Content-Encoding" => "x-bzip2")
#     mimetype.assign = (".bz2" => "text/plain")
# }
#
# }}}

# {{{ debug
# debug.log-request-header   = "enable"
# debug.log-response-header  = "enable"
# debug.log-request-handling = "enable"
# debug.log-file-not-found   = "enable"
# }}}

# {{{ cgi includes
# uncomment for cgi support
#   include "mod_cgi.conf"
# uncomment for php/fastcgi support
#   include "mod_fastcgi.conf"
# }}}
#dir-listing.activate = "enable"

$SERVER["socket"] == ":443" {
       ssl.engine = "enable"
       ssl.pemfile = "/etc/letsencrypt/live/myhost.me/ssl.pem"
       ssl.ca-file =  "/etc/letsencrypt/live/myhost.me/fullchain.pem"
       ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
       ssl.ec-curve = "secp384r1"
       ssl.use-compression = "disable"
       ssl.honor-cipher-order = "enable"
       ssl.disable-client-renegotiation = "enable"
       ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
       ssl.use-sslv2 = "disable"
       ssl.use-sslv3 = "disable"
       server.document-root = "/tmp/certbot/public_html"
}
$SERVER["socket"] == ":80" {

}
$HTTP["scheme"] == "https" {
 $HTTP["host"] =~ "^www\.(.*)" {
     url.redirect = ("^/(.*)" => "https://%1/$1")
       }
}

extforward.headers = ("X-Real-IP")
extforward.forwarder = ( "PROXY_IP" => "trust")
# vim: set ft=conf foldmethod=marker et :

myvhost.conf文件:

$SERVER["socket"] == ":443" {
   $HTTP["host"] == "myvhost.com" {
       ssl.pemfile = "/etc/letsencrypt/live/myvhost.com/ssl.pem"
       ssl.ca-file =  "/etc/letsencrypt/live/myvhost.com/fullchain.pem"
               proxy.server = (
                   "" => (( "host" => "127.0.0.1", "port" => 3334 ))
               )
   }
}

$HTTP["scheme"] == "http" {
 $HTTP["host"] =~ "myvhost.com" {
       url.redirect = (".*" => "https://%0$0")
 }
}
$HTTP["url"] !~ "^/.well-known/(.*)" {
 $SERVER["socket"] == ":443" {
 $HTTP["host"] == "myvhost.com" {
   ssl.pemfile = "/etc/letsencrypt/live/myvhost.com/ssl.pem"
   ssl.ca-file =  "/etc/letsencrypt/live/myvhost.com/fullchain.pem"
           proxy.server = (
               "" => (( "host" => "127.0.0.1", "port" => 3334 ))
           )
     }
 }

 $HTTP["scheme"] == "http" {
   $HTTP["host"] =~ "myvhost.com" {
       url.redirect = (".*" => "https://%0$0")
   }
 }
}
$HTTP["scheme"] == "http" {
 $HTTP["host"] =~ "(your-domain.tld |www.your-domain.tld)"       { 
   url.redirect-code = 301
   url.redirect = ( "^/\.well-known/acme-challenge/" => "", # All access to this URI will match the alias.url below.
                    "^(.*)" => "https://%0$0" ) # Everything else redirect to HTTPS.
   alias.url += ("/.well-known/acme-challenge/" => "/var/www/letsencrypt/.well-known/acme-challenge/") # Your web root path for Let's Encrypt.
 }
}
else $HTTP["scheme"] == "https" {
 $HTTP["host"] =~ "(your-domain.tld |www.your-domain.tld)"       {
   alias.url += ("/.well-known/acme-challenge/" => "/var/www/letsencrypt/.well-known/acme-challenge/")
 }
}

引用自:https://serverfault.com/questions/907101