sgg-sgg-docker-container/openresty-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sgg-sgg-docker-container:1908d79444e26f58a8ff09793ea66bfc0638dbed
Branches Tags
sgg-sgg-docker-container:main
...
compare: sgg-sgg-docker-container:main
Branches Tags
sgg-sgg-docker-container:main

5 Commits
1908d79444 ... main

Author SHA1 Message Date
wdh-home
a409cd53e3 1 2026-05-19 10:42:21 +08:00
wdh
cd23baf95c 修改了配置 2026-05-19 10:40:03 +08:00
wdh-home
f29b8f9013 1 2026-05-19 10:38:10 +08:00
wdh-home
fc2e16321b Merge branch 'main' of http://10.1.0.1:3000/sgg-sgg-docker-container/openresty-gateway 2026-05-19 10:21:47 +08:00
wdh-home
d435f3e37f 1 2026-05-19 10:21:45 +08:00
3 changed files with 22 additions and 8 deletions
Expand all files Collapse all files

13
conf/conf.d/gitea.sggai.site.conf
View File

@@ -6,20 +6,25 @@ server {
ssl_certificate /etc/letsencrypt/live/gitea.sggai.site/fullchain.pem; ssl_certificate /etc/letsencrypt/live/gitea.sggai.site/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gitea.sggai.site/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/gitea.sggai.site/privkey.pem;
root /var/www/gitea.sggai.site; root /var/www;
index index.html; index index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
location ^~ /.well-known/acme-challenge/ { location ^~ /.well-known/acme-challenge/ {
root /var/www; root /var/www;
default_type text/plain; default_type text/plain;
try_files $uri =404; try_files $uri =404;
} }
location / { location / {
if ($scheme = http) { if ($scheme = http) {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
proxy_pass http://10.1.0.1:3000;
try_files $uri $uri/ /index.html;
} }
} }

2
conf/conf.d/proxy.sggai.site.conf
View File

@@ -6,7 +6,7 @@ server {
ssl_certificate /etc/letsencrypt/live/proxy.sggai.site/fullchain.pem; ssl_certificate /etc/letsencrypt/live/proxy.sggai.site/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/proxy.sggai.site/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/proxy.sggai.site/privkey.pem;
root /var/www/proxy.sggai.site; root /var/www;
index index.html; index index.html;
location ^~ /.well-known/acme-challenge/ { location ^~ /.well-known/acme-challenge/ {

15
scripts/add-domain-certs-core.sh
View File

@@ -3,6 +3,11 @@ set -eu
# Add certificates for new domains on an already running OpenResty gateway. # Add certificates for new domains on an already running OpenResty gateway.
# This flow is separate from init-certs-core.sh and never restarts containers. # This flow is separate from init-certs-core.sh and never restarts containers.
# Order matters:
# 1. Ensure nginx configs exist for the new domains.
# 2. Create temporary dummy certificates for SSL configs that do not have certs yet.
# 3. Reload OpenResty so the new HTTP-01 challenge routes are active.
# 4. Probe the challenge routes, request real certificates, then reload again.
CERT_ROOT="./certs/live" CERT_ROOT="./certs/live"
ROOT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")/.." && pwd)" ROOT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")/.." && pwd)"
@@ -97,12 +102,14 @@ check_http_challenge() {
for domain in $DOMAINS; do for domain in $DOMAINS; do
url="http://$domain/$HTTP_PROBE_PATH" url="http://$domain/$HTTP_PROBE_PATH"
local_url="http://127.0.0.1/$HTTP_PROBE_PATH"
echo "Checking local HTTP-01 route for $domain..." echo "Checking local HTTP-01 route for $domain..."
if ! body="$(curl -fsS --max-time 5 --resolve "$domain:80:127.0.0.1" "$url" 2>&1)"; then if ! body="$(curl -fsS --noproxy '*' --max-time 5 -H "Host: $domain" "$local_url" 2>&1)"; then
echo "Error: OpenResty is not serving the challenge path for $domain on local port 80." >&2 echo "Error: OpenResty is not serving the challenge path for $domain on local port 80." >&2
echo "Tried: $url via 127.0.0.1" >&2 echo "Tried: $local_url with Host: $domain" >&2
echo "$body" >&2 echo "$body" >&2
echo "Hint: an empty reply usually means the request hit the default deny server, so verify OpenResty loaded the domain config." >&2
return 1 return 1
fi fi
@@ -119,7 +126,7 @@ check_http_challenge() {
fi fi
echo "Checking public HTTP-01 route for $domain..." echo "Checking public HTTP-01 route for $domain..."
if ! body="$(curl -fsS --max-time 10 "$url" 2>&1)"; then if ! body="$(curl -fsS --noproxy '*' --max-time 10 "$url" 2>&1)"; then
echo "Error: $domain is not reachable on public HTTP port 80." >&2 echo "Error: $domain is not reachable on public HTTP port 80." >&2
echo "Tried: $url" >&2 echo "Tried: $url" >&2
echo "$body" >&2 echo "$body" >&2
@@ -211,8 +218,10 @@ if [ "$conf_error" -ne 0 ]; then
fi fi
export DOMAINS CERT_ROOT export DOMAINS CERT_ROOT
echo "Ensuring temporary certificates exist before loading any new SSL configs..."
DUMMY_DOMAINS="$(sh "$ROOT_DIR/scripts/ensure-dummy-certs.sh")" DUMMY_DOMAINS="$(sh "$ROOT_DIR/scripts/ensure-dummy-certs.sh")"
echo "Reloading OpenResty so new domain configs can serve HTTP-01 challenges..."
reload_openresty reload_openresty
check_http_challenge check_http_challenge