From 6e38fd558bd8a07eb8d112708649e03062dd511b Mon Sep 17 00:00:00 2001
From: Jamil
Date: Fri, 19 Aug 2022 18:12:28 -0700
Subject: [PATCH] Revert "(fixed) Don't listen on port 80 if ACME is disabled (#927)" (#930)
This reverts commit bda920a065b9221414103954a1fab1a9577ecf74.
---
 .../administer/security-considerations.md | 5 ++---
 docs/docs/reference/configuration-file.md | 2 +-
 omnibus/cookbooks/firezone/recipes/nginx.rb | 2 --
 .../firezone/templates/redirect.conf.erb | 22 +++++++++----------
 4 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/docs/docs/administer/security-considerations.md b/docs/docs/administer/security-considerations.md
index aefff3121..8041dc6ec 100644
--- a/docs/docs/administer/security-considerations.md
+++ b/docs/docs/administer/security-considerations.md
@@ -10,14 +10,13 @@ detailed [below](#production-deployments).
 ## List of services and ports
-Shown below is a table of ports used by default for Firezone services.
+Shown below is a table of ports used by Firezone services.
 | Service | Default port | Listen address | Description |
 | ------ | --------- | ------- | --------- |
-| Nginx | `443` | `all` | Public HTTPS port for administering Firezone and facilitating authentication. |
-| Nginx | `80` | `all` | Public HTTP port used for automatic SSL certiticate renewal if enabled. |
+| Nginx | `80` `443` | `all` | Public HTTP(S) port for administering Firezone and facilitating authentication. |
 | WireGuard | `51820` | `all` | Public WireGuard port used for VPN sessions. |
 | Postgresql | `15432` | `127.0.0.1` | Local-only port used for bundled Postgresql server. |
 | Phoenix | `13000` | `127.0.0.1` | Local-only port used by upstream elixir app server. |
diff --git a/docs/docs/reference/configuration-file.md b/docs/docs/reference/configuration-file.md
index 841c7abac..7d9d2e601 100644
--- a/docs/docs/reference/configuration-file.md
+++ b/docs/docs/reference/configuration-file.md
@@ -147,7 +147,7 @@ Shown below is a complete listing of the configuration options available in
 | `default['firezone']['runit']['svlogd_bin']` | Runit svlogd bin location. | `"#{node['firezone']['install_directory']}/embedded/bin/svlogd"` |
 | `default['firezone']['ssl']['directory']` | SSL directory for storing generated certs. | `'/var/opt/firezone/ssl'` |
 | `default['firezone']['ssl']['email_address']` | Email address to use for self-signed certs and ACME protocol renewal notices. | `'you@example.com'` |
-| `default['firezone']['ssl']['acme']['enabled']` | Enable ACME for automatic SSL cert provisioning. Disable this to prevent Nginx from listening on port 80. See [here](https://docs.firezone.dev/deploy/prerequisites/#create-an-ssl-certificate) for more instructions. | `false` |
+| `default['firezone']['ssl']['acme']['enabled']` | Enable ACME for automatic SSL cert provisioning. See [here](https://docs.firezone.dev/deploy/prerequisites/#create-an-ssl-certificate) for more instructions. | `false` |
 | `default['firezone']['ssl']['acme']['server']` | ACME server to use for certificate issuance/renewal. Can be any [valid acme.sh server](https://github.com/acmesh-official/acme.sh/wiki/Server) | `letsencrypt` |
 | `default['firezone']['ssl']['acme']['keylength']` | Specify the key type and length for SSL certificates. See [here](https://github.com/acmesh-official/acme.sh#10-issue-ecc-certificates) | `ec-256` |
 | `default['firezone']['ssl']['certificate']` | Path to the certificate file for your FQDN. Overrides ACME setting above if specified. If both ACME and this are `nil` a self-signed cert will be generated. | `nil` |
diff --git a/omnibus/cookbooks/firezone/recipes/nginx.rb b/omnibus/cookbooks/firezone/recipes/nginx.rb
index bc383fa3d..0f938fb68 100644
--- a/omnibus/cookbooks/firezone/recipes/nginx.rb
+++ b/omnibus/cookbooks/firezone/recipes/nginx.rb
@@ -61,7 +61,6 @@ template 'redirect.conf' do
 group node['firezone']['group']
 mode '0640'
 variables(
- acme: { 'enabled' => node['firezone']['ssl']['acme']['enabled'] },
 server_name: URI.parse(node['firezone']['external_url']).host,
 acme_www_root: "#{node['firezone']['var_directory']}/nginx/acme_root",
 rate_limiting_zone_name: node['firezone']['nginx']['rate_limiting_zone_name'],
@@ -74,7 +73,6 @@ if node['firezone']['nginx']['enabled']
 package 'firezone'
 action :enable
 subscribes :restart, 'template[nginx.conf]'
- subscribes :restart, 'template[redirect.conf]'
 subscribes :restart, 'template[phoenix.nginx.conf]'
 subscribes :restart, 'template[acme.conf]'
 end
diff --git a/omnibus/cookbooks/firezone/templates/redirect.conf.erb b/omnibus/cookbooks/firezone/templates/redirect.conf.erb
index 52b3b40fb..94934a609 100644
--- a/omnibus/cookbooks/firezone/templates/redirect.conf.erb
+++ b/omnibus/cookbooks/firezone/templates/redirect.conf.erb
@@ -1,14 +1,12 @@
-<% if @acme['enabled'] -%>
- server {
- listen 80 default_server;
- <% if @ipv6 -%>
- listen [::]:80 default_server;
- <% end -%>
- server_name <%= @server_name %>;
+server {
+ listen 80 default_server;
+ <% if @ipv6 -%>
+ listen [::]:80 default_server;
+ <% end -%>
+ server_name <%= @server_name %>;
- # Needed for ACME requests
- location /.well-known/acme-challenge/ {
- alias <%= @acme_www_root %>/.well-known/acme-challenge/;
- }
+ # Needed for ACME requests
+ location /.well-known/acme-challenge/ {
+ alias <%= @acme_www_root %>/.well-known/acme-challenge/;
 }
-<% end -%>
+}
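Review bot: Dropping `subscribes :restart, 'template[redirect.conf]'` in the second nginx.rb hunk (`@@ -74,7 +73,6 @@`) means a rewrite of redirect.conf — for instance a new `server_name` after `external_url` changes, which the first hunk's `variables(` call still feeds into that template — no longer restarts nginx, so the running listener keeps the stale configuration until one of the other subscribed templates happens to change. The subscription is independent of the ACME guard the revert removes, so I would keep that one line, `subscribes :restart, 'template[redirect.conf]'`, between the nginx.conf and phoenix.nginx.conf subscriptions. The resource block that holds these `subscribes` calls starts outside the hunk.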
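Review bot: The restored port-80 `server` block defines only the `/.well-known/acme-challenge/` location and no catch-all, and the hunk ends at the closing `+}` with no trailing context, so this appears to be the whole file and plain-HTTP requests for any other path fall through to nginx's default handling instead of being redirected to HTTPS, despite the template's name. If an HTTP-to-HTTPS redirect is intended here and not supplied by another file, add `location / { return 301 https://<%= @server_name %>$request_uri; }` inside the block, using the rendered server name rather than `$host` so the redirect target cannot be steered by the request's Host header. Since the `@acme['enabled']` guard is gone and the listener is now unconditional, a one-line comment above `server {` stating that the block is always rendered (ACME on or off) would spare the next reader a trip to the recipe.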