Revert "(fixed) Don't listen on port 80 if ACME is disabled (#927)" (#930)

This reverts commit bda920a065.
Jamil
2022-08-19 18:12:28 -07:00
committed by GitHub
parent 41ff3c3b3f
commit 6e38fd558b
4 changed files with 13 additions and 18 deletions

View File

@@ -10,14 +10,13 @@ detailed [below](#production-deployments).
## List of services and ports
Shown below is a table of ports used by default for Firezone services.
Shown below is a table of ports used by Firezone services.
<!-- markdownlint-disable MD013 -->
| Service | Default port | Listen address | Description |
| ------ | --------- | ------- | --------- |
| Nginx | `443` | `all` | Public HTTPS port for administering Firezone and facilitating authentication. |
| Nginx | `80` | `all` | Public HTTP port used for automatic SSL certiticate renewal if enabled. |
| Nginx | `80` `443` | `all` | Public HTTP(S) port for administering Firezone and facilitating authentication. |
| WireGuard | `51820` | `all` | Public WireGuard port used for VPN sessions. |
| Postgresql | `15432` | `127.0.0.1` | Local-only port used for bundled Postgresql server. |
| Phoenix | `13000` | `127.0.0.1` | Local-only port used by upstream elixir app server. |
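Review bot: collapsing the two Nginx rows into a single `80` `443` row with the description "Public HTTP(S) port for administering Firezone and facilitating authentication" drops the information that port 80 exists to serve ACME challenges (the `/.well-known/acme-challenge/` location in redirect.conf), so readers can no longer tell from this table why an HTTP listener is exposed alongside HTTPS. Keep two rows, one for `443` and one for `80` with a description along the lines of "Public HTTP port used for ACME certificate renewal" (with "certificate" spelled correctly, unlike the row being removed), so operators deciding what to expose through a firewall know what each port is for. The reverted intro sentence also loses "by default", which matched the "Default port" column header.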

View File

@@ -147,7 +147,7 @@ Shown below is a complete listing of the configuration options available in
| `default['firezone']['runit']['svlogd_bin']` | Runit svlogd bin location. | `"#{node['firezone']['install_directory']}/embedded/bin/svlogd"` |
| `default['firezone']['ssl']['directory']` | SSL directory for storing generated certs. | `'/var/opt/firezone/ssl'` |
| `default['firezone']['ssl']['email_address']` | Email address to use for self-signed certs and ACME protocol renewal notices. | `'you@example.com'` |
| `default['firezone']['ssl']['acme']['enabled']` | Enable ACME for automatic SSL cert provisioning. Disable this to prevent Nginx from listening on port 80. See [here](https://docs.firezone.dev/deploy/prerequisites/#create-an-ssl-certificate) for more instructions. | `false` |
| `default['firezone']['ssl']['acme']['enabled']` | Enable ACME for automatic SSL cert provisioning. See [here](https://docs.firezone.dev/deploy/prerequisites/#create-an-ssl-certificate) for more instructions. | `false` |
| `default['firezone']['ssl']['acme']['server']` | ACME server to use for certificate issuance/renewal. Can be any [valid acme.sh server](https://github.com/acmesh-official/acme.sh/wiki/Server) | `letsencrypt` |
| `default['firezone']['ssl']['acme']['keylength']` | Specify the key type and length for SSL certificates. See [here](https://github.com/acmesh-official/acme.sh#10-issue-ecc-certificates) | `ec-256` |
| `default['firezone']['ssl']['certificate']` | Path to the certificate file for your FQDN. Overrides ACME setting above if specified. If both ACME and this are `nil` a self-signed cert will be generated. | `nil` |
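Review bot: removing the sentence "Disable this to prevent Nginx from listening on port 80" is consistent with the reverted template, which now renders the port-80 server block unconditionally, so the claim would have been false after this change. The description is now silent on port 80 altogether, though; a short note that Nginx listens on port 80 regardless of this setting would let operators who disable ACME know they must restrict port 80 at the firewall or security group level if they do not want it reachable.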

View File

@@ -61,7 +61,6 @@ template 'redirect.conf' do
group node['firezone']['group']
mode '0640'
variables(
acme: { 'enabled' => node['firezone']['ssl']['acme']['enabled'] },
server_name: URI.parse(node['firezone']['external_url']).host,
acme_www_root: "#{node['firezone']['var_directory']}/nginx/acme_root",
rate_limiting_zone_name: node['firezone']['nginx']['rate_limiting_zone_name'],
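Review bot: dropping the `acme:` entry from the `variables(...)` hash is only safe if redirect.conf has no remaining `@acme` reference; the template hunk in this commit removes both the `<% if @acme['enabled'] -%>` guard and its `<% end -%>`, so the two changes line up, but a converge that ships the recipe change without the template change would fail rendering with an undefined `@acme`. Worth confirming with a `chef-client` run (or `nginx -t` against the rendered file) that no other template in the cookbook still expects this variable.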
@@ -74,7 +73,6 @@ if node['firezone']['nginx']['enabled']
package 'firezone'
action :enable
subscribes :restart, 'template[nginx.conf]'
subscribes :restart, 'template[redirect.conf]'
subscribes :restart, 'template[phoenix.nginx.conf]'
subscribes :restart, 'template[acme.conf]'
end
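Review bot: removing `subscribes :restart, 'template[redirect.conf]'` means a regenerated redirect.conf (for example after `external_url` or the IPv6 setting changes) will no longer restart the service, so the running Nginx keeps serving the stale port-80 configuration until someone restarts it by hand. This subscription appears independent of the ACME conditional being reverted, and the sibling subscriptions for `nginx.conf`, `phoenix.nginx.conf` and `acme.conf` are kept; consider retaining it even while reverting the rest of #927.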

View File

@@ -1,14 +1,12 @@
<% if @acme['enabled'] -%>
server {
listen 80 default_server;
<% if @ipv6 -%>
listen [::]:80 default_server;
<% end -%>
server_name <%= @server_name %>;
server {
listen 80 default_server;
<% if @ipv6 -%>
listen [::]:80 default_server;
<% end -%>
server_name <%= @server_name %>;
# Needed for ACME requests
location /.well-known/acme-challenge/ {
alias <%= @acme_www_root %>/.well-known/acme-challenge/;
}
# Needed for ACME requests
location /.well-known/acme-challenge/ {
alias <%= @acme_www_root %>/.well-known/acme-challenge/;
}
<% end -%>
}
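Review bot: the reverted template placed `<% end -%>` before the final `}` rather than after it, so with `acme.enabled` set to `false` the rendered redirect.conf would have consisted of a lone `}`, which `nginx -t` rejects and which would have kept Nginx from starting at all. Removing the conditional entirely cures that, at the cost of reinstating the unconditional port-80 listener. If the port-80 opt-out from #927 is attempted again, the `<% if @acme['enabled'] -%>` ... `<% end -%>` pair should enclose the whole server block including its closing brace, and a config-test step (`nginx -t`) in the recipe or CI would catch this class of error before it reaches a restart.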