
security/acme-client: add support for nginx #711

Closed
fabianfrz opened this issue Jun 16, 2018 · 6 comments
Labels: feature (Adding new functionality), help wanted (Contributor missing)

Comments

@fabianfrz (Member)

In case you are interested: you may want to add support for the nginx plugin as well:
#696 - currently here - it probably needs an additional location block in the http blocks.

@fabianfrz added the feature (Adding new functionality) label, and added and then removed the support (Community support) label, on Jun 16, 2018
@fraenki changed the title from "security/acme-client add support" to "security/acme-client: add support for nginx" on Jul 3, 2018
@fraenki added the help wanted (Contributor missing) label on Jul 3, 2018
@fraenki (Member) commented Jan 6, 2019

@fabianfrz Correct me if I'm wrong, the LE plugin should be able to integrate with nginx in a similar manner to the HAProxy integration, right? So that nginx could be used for HTTP-01 validation, right?

Could you please provide an example configuration for nginx integration? I don't use nginx at all so this would make it much easier.
Some hints or examples regarding the required API endpoints would help a lot too. Thanks!

@fabianfrz (Member, Author)

Just create a simple HTTP server:

[Screenshot from 2019-01-07 at 18:24:33]

I am not sure but I don't think you have to disable the bot protection (blocks common bot UAs which are known to be used for most bad traffic)

Click the small reload button

[image]

Now you should be able to reach your challenge directory (/var/etc/acme-client/challenges), which should act exactly like your Let's Encrypt lighttpd server (maybe it is all about just testing it).
See this config template for details:
https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf#L154-L159

root is the web root of the HTTP server, so if you access /.well-known, you will be in $root/.well-known.

If you want to test a load balancer setup, it is similar to your haproxy plugin. You just have to create an upstream server (more or less your physical or real server), group them into an upstream (something like a backend, but load balancing only), and add them to a location (something like your rules, but URL-specific). I am pretty sure that the simple version above is enough, as it would still work the same (same rule).

I hope this helps you.

@fraenki (Member) commented Jan 7, 2019

> Now you should be able to reach your challenge directory (/var/etc/acme-client/challenges), which should act exactly as your let's encrypt lighttpd server

That's not the kind of integration I would like to implement. In my opinion this would make the Let's Encrypt plugin even more error-prone.

The HAProxy integration works differently: it simply adds a rule to proxy all requests to /.well-known/ to the internal Acme webservices. This way the LE plugin still has full control and HTTP-01 validation is pretty stable.

@fabianfrz (Member, Author)

You can do this as well. You can use proxy_pass to forward the request to an internal IP/port combination. It would probably look like this:

```nginx
proxy_pass http://127.0.0.1:1234;
```

See the docs for more information.

You can just replace the root directive to handle it this way.
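Both approaches discussed in this thread (serving the challenge directory directly, and proxying to the plugin's internal challenge web service as the HAProxy integration does) side by side, as an added example that is not code from the OPNsense plugins repository or from either commenter. The server name `example.com`, the port `1234` (the placeholder used above) and the exact on-disk layout under `/var/etc/acme-client/challenges` are assumptions; the challenge path `/.well-known/acme-challenge/` is the one HTTP-01 validation (RFC 8555) actually requests, which is narrower than the `/.well-known/` mentioned above:

```nginx
# Added example, not part of the OPNsense nginx or acme-client plugin.
# Assumptions: server_name example.com; the acme-client challenge web
# service listens on 127.0.0.1:1234 (placeholder from the thread); the
# challenge files live at
# /var/etc/acme-client/challenges/.well-known/acme-challenge/<token>.

server {
    listen 80;
    server_name example.com;

    # Variant A: serve the challenge files straight from the plugin's
    # challenge directory. With `root`, nginx appends the full request URI,
    # so /.well-known/acme-challenge/TOKEN maps to
    # /var/etc/acme-client/challenges/.well-known/acme-challenge/TOKEN.
    # Only the ACME challenge prefix is exposed, not the whole /.well-known/.
    # (Commented out: nginx rejects two locations with the same prefix;
    # use either A or B, not both.)
    #location ^~ /.well-known/acme-challenge/ {
    #    root /var/etc/acme-client/challenges;
    #    default_type text/plain;
    #    try_files $uri =404;
    #}

    # Variant B (the model of the HAProxy integration): hand the request to
    # the plugin's internal challenge web service, so acme-client keeps full
    # control of the challenge files. `proxy_pass` without a URI part passes
    # the original path through unchanged, which is what the ACME server
    # expects to find on the backend.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:1234;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # `^~` above makes the challenge prefix win over any regex locations.
    # Keep this catch-all after it: a redirect placed first would also
    # apply to validation requests, and then you depend on the ACME server
    # following redirects.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Before reloading, run `nginx -t` to syntax-check the generated file, then confirm from outside that `http://example.com/.well-known/acme-challenge/<anything>` reaches the backend (a 404 from the challenge service is the expected answer for an unknown token; a 301 to HTTPS or a bot-protection block means the location ordering or the bot filter is in the way).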

@fraenki (Member) commented Jan 7, 2019

> You can do this as well. You can use proxy_pass to forward the request to an internal IP/port combination.

Cool. Which os-nginx function calls should I use to add this configuration? For example, os-acme-client queries HAProxy backends, acls, etc. to get/add the required elements to the os-haproxy configuration.

@fabianfrz (Member, Author)

The model is quite simple:

```xml
<enable_acme_support type="BooleanField">
```

The rest is pretty standard: reload the template (`template reload OPNsense/Nginx` should work) and then you can restart it (`nginx restart`).

The setup script should generate everything, so there is nothing to care about. It is not implemented, but if you call `nginx -t` from the command line using exec, you can do a syntax check if you like.

fraenki added a commit to fraenki/plugins that referenced this issue Apr 28, 2019
fraenki added a commit to fraenki/plugins that referenced this issue Apr 28, 2019
fichtner pushed a commit that referenced this issue May 1, 2019