Put reuseport into the default site config

2024-06-29 14:56:28 -07:00 · 2024-06-29 14:56:28 -07:00 · 616669f832
commit 616669f832
parent dcd36c9051
6 changed files with 36 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@ These are my NGINX configurations. They are written for Fedora CoreOS's `nginx-c
 1. Install `nginx-core`, `nginx-mod-stream`, and `policycoreutils-python-utils` on Fedora. Makesure `rsync` is available on the OS.
 2. Comment out the default server block in `/etc/nginx/nginx.conf`.
 3. Run `setup.sh`
-4. Make a dummy vhost listening on port `80` with the server_name you want.
+4. Generate a certificate with your hostname with the `certbot/default-quic` example. Copy `etc/nginx/conf.d/sites_default_quic.conf` to the corresponding directory on your server and edit it approprieately.
 5. Generate certificates with the example in the certbot directory.
 6. Make your actual vhost config based on the `sites_.*` samples in `/etc/nginx/conf.d`.

--- a/certbot/default-quic
+++ b/certbot/default-quic
@ -0,0 +1,7 @@
+certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
+    --key-type ecdsa --must-staple \
+    --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+    --cert-name hostname.of.your.server \
+    -d hostname.of.your.server
+
+restorecon -Rv /var/cache/certbot-ocsp-fetcher
--- a/certbot/miniflux
+++ b/certbot/miniflux
@ -0,0 +1,7 @@
+certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
+    --key-type ecdsa --must-staple \
+    --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+    --cert-name miniflux.yourdomain.tld \
+    -d miniflux.yourdomain.tld
+
+restorecon -Rv /var/cache/certbot-ocsp-fetcher
--- a/certbot/uptime-kuma
+++ b/certbot/uptime-kuma
@ -3,3 +3,5 @@ certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
    --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
    --cert-name uptime.yourdomain.tld \
    -d uptime.yourdomain.tld
+
+restorecon -Rv /var/cache/certbot-ocsp-fetcher
--- a/etc/nginx/conf.d/sites_default_quic.conf
+++ b/etc/nginx/conf.d/sites_default_quic.conf
@ -0,0 +1,17 @@
+server {
+    listen ipv4_1:443 quic reuseport;
+    listen ipv4_1:443 ssl;
+    listen [ipv6_1]:443 quic reuseport;
+    listen [ipv6_1]:443 ssl;
+
+    server_name hostname.of.your.server;
+
+    include snippets/universal_paths.conf;
+    include snippets/hsts.conf;
+    include snippets/quic.conf;
+
+    ssl_certificate /etc/letsencrypt/live/hostname.of.your.server/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/hostname.of.your.server/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/hostname.of.your.server/chain.pem;
+    ssl_stapling_file  /var/cache/certbot-ocsp-fetcher/hostname.of.your.server.der;
+}
--- a/etc/nginx/conf.d/sites_uptime-kuma.conf
+++ b/etc/nginx/conf.d/sites_uptime-kuma.conf
@ -1,9 +1,9 @@
 # This file assumes you have an uptime kuma instance running on the server

 server {
-    listen ipv4_1:443 quic reuseport;
+    listen ipv4_1:443 quic;
    listen ipv4_1:443 ssl;
-    listen [ipv6_1]:443 quic reuseport;
+    listen [ipv6_1]:443 quic;
    listen [ipv6_1]:443 ssl;

    server_name uptime.yourdomain.tld;