author | Sandro <sandro.jaeckel@gmail.com> | 2022-10-22 00:00:52 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-22 00:00:52 +0200 |
commit | 67e4972c5d660bf4ca834cbcc169d44276b55e09 (patch) | |
tree | fe8085e92c5444bb346d9f5724c2afb7804b2bd7 /nixos | |
parent | bfb6a63a439617170866ccf9f75fc39a27d1913d (diff) | |
parent | 1a73877305f32ff158173878dda6b86f378ff3c8 (diff) |
Merge pull request #195745 from virusdave/patch-1
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index aa782b4267e80..9cbac370612fd 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -275,7 +275,10 @@ let
 redirectListen = filter (x: !x.ssl) defaultListen;
 acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''
- location /.well-known/acme-challenge {
+ # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
+ # We use ^~ here, so that we don't check any regexes (which could
+ # otherwise easily override this intended match accidentally).
+ location ^~ /.well-known/acme-challenge/ {
 ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
 ${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"}
 auth_basic off; |
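Review bot: The added comment explains `^~` but not the second change on the same `location` line: the prefix now ends in `/`, so a request for exactly `/.well-known/acme-challenge` no longer matches this block and is handled by whichever other location in the vhost matches it, under that location's access rules rather than `auth_basic off;`. That should be harmless for ACME validation, whose token paths sit below the directory, but it is worth recording, e.g. `# The trailing slash is deliberate: only paths below the directory are served here.` The comment could also state that `^~` only suppresses regex locations; an exact `location = ...` defined elsewhere in the vhost for a challenge path would still take precedence. The location block and the enclosing `acmeLocation` string continue past the end of the hunk.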