Diffstat (limited to 'etc')
-rw-r--r--etc/acme-client.conf21
-rw-r--r--etc/httpd.conf37
-rw-r--r--etc/httpd/_acme.conf4
-rw-r--r--etc/httpd/_listen443.conf8
-rw-r--r--etc/httpd/_listen80.conf1
5 files changed, 69 insertions, 2 deletions
diff --git a/etc/acme-client.conf b/etc/acme-client.conf
new file mode 100644
index 0000000..f97d12a
--- /dev/null
+++ b/etc/acme-client.conf
@@ -0,0 +1,21 @@
+#
+# $OpenBSD: acme-client.conf,v 1.6 2025/08/18 15:51:57 job Exp $
+#
+authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+}
+
+domain maddaat.org {
+ alternative names { www.maddaat.org git.maddaat.org }
+ domain key "/etc/ssl/private/maddaat.org.key"
+ domain full chain certificate "/etc/ssl/maddaat.org.fullchain.pem"
+ # Test with the staging server to avoid aggressive rate-limiting.
+ #sign with letsencrypt-staging
+ sign with letsencrypt
+}
diff --git a/etc/httpd.conf b/etc/httpd.conf
index 3defb8c..a8d1527 100644
--- a/etc/httpd.conf
+++ b/etc/httpd.conf
@@ -3,15 +3,48 @@ types {
}
server "maddaat.org" {
- listen on * port 80
+ include "/etc/httpd/_listen80.conf"
+ include "/etc/httpd/_acme.conf"
+
+ location "*" {
+ # HTTP 301 Moved Permanently - enforce HTTPS
+ block return 301 "https://maddaat.org$REQUEST_URI"
+ }
+}
+
+server "maddaat.org" {
+ include "/etc/httpd/_listen443.conf"
+ include "/etc/httpd/_acme.conf"
location "*" {
block return 307 "http://git.maddaat.org"
}
}
+server "www.maddaat.org" {
+ include "/etc/httpd/_listen80.conf"
+ include "/etc/httpd/_listen443.conf"
+ include "/etc/httpd/_acme.conf"
+
+ location "*" {
+ # HTTP 301 Moved Permanently - enforce non-www site
+ block return 301 "https://maddaat.org$REQUEST_URI"
+ }
+}
+
+server "git.maddaat.org" {
+ include "/etc/httpd/_listen80.conf"
+ include "/etc/httpd/_acme.conf"
+
+ location "*" {
+ # HTTP 301 Moved Permanently - enforce HTTPS
+ block return 301 "https://git.maddaat.org$REQUEST_URI"
+ }
+}
+
server "git.maddaat.org" {
- listen on * port 80
+ include "/etc/httpd/_listen443.conf"
+ include "/etc/httpd/_acme.conf"
location "/cgit.*" {
root "/cgit"
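Review bot: The TLS vhost for maddaat.org still redirects to a cleartext URL: the kept line `block return 307 "http://git.maddaat.org"` sends a client that arrived over HTTPS back to port 80, where the new git.maddaat.org port-80 block 301s it to HTTPS again, so every visit to the apex takes an extra plaintext hop and non-browser clients that ignore HSTS are downgraded for that hop. Change it to `block return 307 "https://git.maddaat.org"` so the redirect chain stays on TLS end to end. The include order is otherwise sound, since `_acme.conf` is pulled in before the catch-all `location "*"` in every new server block. The final `server "git.maddaat.org"` TLS block continues past the end of the hunk, so its remaining locations could not be checked here.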
diff --git a/etc/httpd/_acme.conf b/etc/httpd/_acme.conf
new file mode 100644
index 0000000..3c1a0ec
--- /dev/null
+++ b/etc/httpd/_acme.conf
@@ -0,0 +1,4 @@
+location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+}
diff --git a/etc/httpd/_listen443.conf b/etc/httpd/_listen443.conf
new file mode 100644
index 0000000..92f270e
--- /dev/null
+++ b/etc/httpd/_listen443.conf
@@ -0,0 +1,8 @@
+listen on * tls port 443
+
+tls {
+ certificate "/etc/ssl/maddaat.org.fullchain.pem"
+ key "/etc/ssl/private/maddaat.org.key"
+}
+
+hsts preload
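Review bot: `hsts preload` on the last line emits the `preload` directive without the `subdomains` option, so the header advertises preload while the preload-list requirements (includeSubDomains plus a max-age of at least one year) are not met; either drop `preload` or, if every current and future subdomain will be served over TLS, use `hsts subdomains preload` (adding an explicit `max-age` if httpd's default is not the intended value). Inclusion in the browser preload lists is effectively irreversible, so this should be a deliberate decision rather than a copied flag. Since this file is included by the www and git vhosts as well, the `subdomains` form would also be consistent with how the certificate is shared across them.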
diff --git a/etc/httpd/_listen80.conf b/etc/httpd/_listen80.conf
new file mode 100644
index 0000000..8e0f854
--- /dev/null
+++ b/etc/httpd/_listen80.conf
@@ -0,0 +1 @@
+listen on * port 80