Comments (5)
I'm not sure if this is the best code (I'm completely unfamiliar with Lua), but I have implemented this using lua-resty-dns-cache largely from the example on the two libraries' sites:
In the server section of Nginx:
    lua_shared_dict dns_cache 1m;
In the init_by_lua_block:
    require("resty.dns.cache").init_cache(200)
And then the allow_domain function:
    auto_ssl:set("allow_domain", function(domain)
      if domain == "whitelisted-domain.com" then
        return true
      end

      local DNS_Cache = require("resty.dns.cache")
      local dns, new_err = DNS_Cache.new({
        dict = "dns_cache",
        negative_ttl = 5,
        max_stale = 300,
        resolver = {
          nameservers = {"8.8.8.8"}
        }
      })
      if not dns then
        ngx.log(ngx.ERR, "failed to create DNS cache: ", new_err)
        return false
      end

      local answers, err, stale = dns:query(domain)
      if err then
        if stale then
          -- Fall back to the stale cached answer. allow_domain runs inside the
          -- TLS handshake, so there is no HTTP response to attach a Warning
          -- header to; log instead.
          ngx.log(ngx.WARN, "using stale DNS answer for ", domain, ": ", err)
          answers = stale
        else
          ngx.log(ngx.ERR, "failed to query the DNS server for ", domain, ": ", err)
          return false
        end
      end
      if not answers then
        ngx.log(ngx.ERR, "failed to query the DNS server for ", domain, ": ", err)
        return false
      end
      if answers.errcode then
        ngx.log(ngx.ERR, "DNS server returned error code ", answers.errcode,
          ": ", answers.errstr)
        return false
      end

      for _, ans in ipairs(answers) do
        -- If this CNAME exists at all in the result, generate an SSL certificate.
        if ans.cname == "destination.example.com" then
          return true
        end
      end
      return false
    end)
from lua-resty-auto-ssl.
It should be possible to implement something like this with a custom allow_domain method and integrating it with lua-resty-dns (lua-resty-dns-cache may also be useful in this case). I can definitely see the use-cases behind this, but I'm not sure integrating this functionality directly into lua-resty-auto-ssl would be the best fit. But if anyone comes up with an example allow_domain using one of the resty-dns libraries, we could definitely provide that as an example.
from lua-resty-auto-ssl.
@waynerobinson: Thanks for contributing this example! I'll try to give this a spin at some point and add it to the README. Or if anyone else gets a chance to test this, it would be great to know if it works for you.
from lua-resty-auto-ssl.
Depending on your use case, using DNS may not produce the expected results. If a domain is using, e.g. Cloudflare CDN, the DNS records will point to a different IP than your server.
Probably not a huge deal, especially since Cloudflare can be configured to accept untrusted certs from the origin server, but worth considering.
from lua-resty-auto-ssl.
Up. I think this has great value, since there could be an exploit that ends up flooding the Let's Encrypt API with wrong or invalid DNS information (e.g. set up a local DNS for random-non-existent-domain.xyz that points to your IP and it would try to generate a certificate for an invalid domain).
The workaround we found is to set up a Redis and verify if the domain is whitelisted in allow_domain.
from lua-resty-auto-ssl.
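A fail-closed version of the Redis allowlist approach the last comment describes, written as an added example for this page; it is not code from lua-resty-auto-ssl or from any commenter. It assumes lua-resty-redis is installed, that a Redis SET named auto_ssl:allowed_domains at 127.0.0.1:6379 holds the permitted names, and that a "lua_shared_dict allow_domain_cache 1m;" is declared in the http block; all of those names and values are assumptions to adapt. It normalises the SNI value before using it as a key anywhere, caches both allow and deny decisions in the shared dict so a burst of bogus SNI names does not become a burst of Redis calls, and returns false when Redis cannot be reached so an outage cannot turn into unrestricted issuance.

```lua
-- Added example (not from lua-resty-auto-ssl or any commenter): an allow_domain
-- that only issues for names present in a Redis set and fails closed otherwise.
-- Goes in init_by_lua_block after: auto_ssl = (require "resty.auto-ssl").new()
-- Assumed nginx.conf line (http block): lua_shared_dict allow_domain_cache 1m;

local redis = require "resty.redis"

local REDIS_HOST    = "127.0.0.1"                  -- assumption
local REDIS_PORT    = 6379                         -- assumption
local ALLOWLIST_KEY = "auto_ssl:allowed_domains"   -- assumption: a Redis SET
local CACHE         = ngx.shared.allow_domain_cache -- assumption: dict declared above
local POSITIVE_TTL  = 300  -- seconds to remember an "allowed" decision
local NEGATIVE_TTL  = 60   -- seconds to remember a "denied" decision

-- Normalise and sanity-check the SNI value. Returns the canonical name or nil.
local function canonical_domain(domain)
  if type(domain) ~= "string" or #domain == 0 or #domain > 253 then
    return nil
  end
  domain = domain:lower():gsub("%.$", "")          -- strip a trailing dot
  -- letters, digits, hyphens and dots only: no wildcards, underscores or spaces
  if not domain:find("^[a-z0-9][a-z0-9%-%.]*[a-z0-9]$") then
    return nil
  end
  -- reject empty labels, bare labels and IPv4 literals
  if domain:find("%.%.") or not domain:find("%.")
     or domain:find("^%d+%.%d+%.%d+%.%d+$") then
    return nil
  end
  return domain
end

-- Ask Redis whether the domain is on the allowlist.
-- Returns true/false, or nil plus an error when Redis could not be consulted.
local function allowlist_lookup(domain)
  local red = redis:new()
  red:set_timeouts(200, 200, 200)                  -- connect, send, read (ms)
  local ok, err = red:connect(REDIS_HOST, REDIS_PORT)
  if not ok then
    return nil, "redis connect failed: " .. tostring(err)
  end
  local res, qerr = red:sismember(ALLOWLIST_KEY, domain)
  if not res then
    red:close()
    return nil, "redis SISMEMBER failed: " .. tostring(qerr)
  end
  red:set_keepalive(10000, 20)                     -- hand the socket back to the pool
  return res == 1
end

auto_ssl:set("allow_domain", function(domain)
  local name = canonical_domain(domain)
  if not name then
    ngx.log(ngx.WARN, "auto-ssl: rejecting malformed SNI name: ", tostring(domain))
    return false
  end

  -- Cached decision first: "1" = allowed, "0" = denied.
  local cached = CACHE:get(name)
  if cached ~= nil then
    return cached == "1"
  end

  local allowed, err = allowlist_lookup(name)
  if allowed == nil then
    -- Fail closed. Do not cache the failure, so the next handshake retries Redis.
    ngx.log(ngx.ERR, "auto-ssl: allowlist unavailable for ", name, ": ", err)
    return false
  end

  CACHE:set(name, allowed and "1" or "0", allowed and POSITIVE_TTL or NEGATIVE_TTL)
  if not allowed then
    ngx.log(ngx.INFO, "auto-ssl: domain not on allowlist, no certificate: ", name)
  end
  return allowed
end)
```

allow_domain runs inside the TLS handshake (ssl_certificate_by_lua) and in the renewal timer, so only ngx.log and cosocket-based clients such as lua-resty-redis are usable there; ngx.say and ngx.header are not. Negative caching matters here because every unknown SNI name an attacker sends would otherwise cost one Redis round trip, and a short NEGATIVE_TTL keeps a newly added domain from waiting long before it starts being issued.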