From e19670702173d8b4b22b230e489d956d2055ae12 Mon Sep 17 00:00:00 2001
From: alxndrsn
Date: Tue, 3 Dec 2024 06:37:18 +0000
Subject: [PATCH] nginx: separate cert paths from server_name
Working on #809 I noticed that the location of SSL certs is based either on the domain name, or on the method of supply of SSL certs. Cert provision approach should probably not affect the nginx "server_name" setting. Also, the old variable name `CNAME` (short for "certificate name?") is easily confused with the DNS concept of CNAME records ("canonical names").
---
 files/nginx/odk.conf.template | 8 ++++----
 files/nginx/setup-odk.sh | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
index 663cb874..e5af8b8b 100644
--- a/files/nginx/odk.conf.template
+++ b/files/nginx/odk.conf.template
@@ -1,10 +1,10 @@
 server {
 listen 443 ssl;
- server_name ${CNAME};
+ server_name ${DOMAIN};
- ssl_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem;
- ssl_certificate_key /etc/${SSL_TYPE}/live/${CNAME}/privkey.pem;
- ssl_trusted_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem;
+ ssl_certificate /etc/${SSL_TYPE}/live/${CERT_DOMAIN}/fullchain.pem;
+ ssl_certificate_key /etc/${SSL_TYPE}/live/${CERT_DOMAIN}/privkey.pem;
+ ssl_trusted_certificate /etc/${SSL_TYPE}/live/${CERT_DOMAIN}/fullchain.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
diff --git a/files/nginx/setup-odk.sh b/files/nginx/setup-odk.sh
index 85520dd5..db0f9356 100644
--- a/files/nginx/setup-odk.sh
+++ b/files/nginx/setup-odk.sh
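Review bot: The template now uses two variables that look alike but are allowed to differ — `${DOMAIN}` in `server_name` and `${CERT_DOMAIN}` in the three `ssl_*` paths — and nothing in the file says where CERT_DOMAIN comes from or why it is not simply DOMAIN. A one-line comment above the `ssl_certificate` line would spare the next reader a trip to setup-odk.sh: `# CERT_DOMAIN is set by setup-odk.sh: "local" when SSL_TYPE=customssl, otherwise the same value as DOMAIN`. Without it, someone hand-editing the generated odk.conf is likely to "fix" the two back to one name and break the customssl layout.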
@@ -30,8 +30,8 @@ echo "writing fresh nginx templates..."
 # redirector.conf gets deleted if using upstream SSL so copy it back
 cp /usr/share/odk/nginx/redirector.conf /etc/nginx/conf.d/redirector.conf
-CNAME=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
-envsubst '$SSL_TYPE $CNAME $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+CERT_DOMAIN=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
+envsubst '$SSL_TYPE $CERT_DOMAIN $DOMAIN $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
 < /usr/share/odk/nginx/odk.conf.template \
 > /etc/nginx/conf.d/odk.conf
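Review bot: `$DOMAIN` is now substituted straight into `server_name`, but nothing in the hunk guards against it being unset or empty; with an empty DOMAIN the generated file contains `server_name ;` and, for the non-customssl case, certificate paths of the form `/etc/<SSL_TYPE>/live//fullchain.pem`, and the failure only surfaces when nginx loads the config rather than here. A `: "${DOMAIN:?DOMAIN must be set}"` placed before the `CERT_DOMAIN=` line fails early with a clear message (unless the script already checks DOMAIN above line 30, which is outside this hunk). The `[ … ] && echo "local" || echo "$DOMAIN"` form is safe only because `echo` cannot fail; it is worth a short comment saying the prefix assignment scopes CERT_DOMAIN to the envsubst call, e.g. `# CERT_DOMAIN is only exported for this envsubst; "local" matches the customssl cert directory`.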