update acme.sh

nginx.sh default.conf does not need site directories & should always return 404

debian/bullseye/notes/acme.sh.md

@@ -7,9 +7,9 @@ mkdir /etc/nginx/acme
 
 chmod 740 /etc/nginx/acme
 
-chmod nginx:nginx /etc/nginx/acme
+chown nginx:nginx /etc/nginx/acme
 
-chmod g+s,o+s /etc/nginx/acme
+chmod g+s,o+s,u+s /etc/nginx/acme
 
 sudo -s -u nginx
 

debian/bullseye/scripts/nginx.sh

@@ -28,12 +28,6 @@ NGINX_PEM_DIR='/etc/nginx/pem'
 # Just a name please.
 NGINX_DEFAULT_SITE_CONF_NAME="default"
 
-# Default site directory.
-NGINX_DEFAULT_SITE_PATH='/var/www/default'
-
-# Default site publicly served path.
-NGINX_DEFAULT_SITE_PUB='/var/www/default/public'
-
 main() {
 cat <<INFO
 Run with one of the following options:-
@@ -85,17 +79,6 @@ cd ${NGINX_CONF:-/no_path/9} || (
 
 systemctl stop nginx
 
-# Make default site directories.
-cd ${NGINX_DEFAULT_SITE_PATH:-/no_path/1} && (
-    echo "\"${NGINX_DEFAULT_SITE_PATH}\" exists? Continue (hit enter)?"
-    read
-) || (
-    mkdir ${NGINX_DEFAULT_SITE_PATH:-/no_path/1} -p
-    cd ${NGINX_DEFAULT_SITE_PATH:-/no_path/1}
-)
-
-mkdir ${NGINX_DEFAULT_SITE_PUB:-/no_path/2} -p
-
 # Make pems.
 cd ${NGINX_PEM_DIR:-/no_path/3} && (
     echo "\"${NGINX_PEM_DIR}\" exists? Continue (hit enter)?"
@@ -138,6 +121,11 @@ uninitialized_variable_warn on;
 # Don't print software version
 server_tokens off;
 
+# If you don't use acme.sh you can remove this block.
+upstream acme {
+    server 127.0.0.1:18080;
+}
+
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
@@ -146,13 +134,18 @@ server {
         return 301 https://\$host\$request_uri;
     }
 
-    # Don't serve dot files.
-    location ~ /\. {
-        return 404;
+    # Proxy Let's Encrypt to acme upstream - remove if you don't use
+    # acme.sh
+    location ^~ /.well-known/acme-challenge/ {
+        proxy_pass http://acme;
     }
 
-    # Include extra files.
-    include ${NGINX_CONFD:-/no_path/5}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}-*.inc;
+    # For everything else return 404
+    location / {
+        log_not_found off;
+        access_log off;
+        return 404;
+    }
 }
 
 server {
@@ -171,32 +164,19 @@ server {
 
     resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;
 
-    root ${NGINX_DEFAULT_SITE_PUB:-/no_path/7}/;
-    error_log ${NGINX_DEFAULT_SITE_PUB:-/no_path/7}/.error.log;
-    access_log ${NGINX_DEFAULT_SITE_PUB:-/no_path/7}/.access.log;
+    # Proxy Let's Encrypt to acme upstream - remove if you don't use
+    # acme.sh
+    location ^~ /.well-known/acme-challenge/ {
+        proxy_pass http://acme;
+    }
 
-    # Don't serve dot files.
-    location ~ /\. {
-        access_log off;
+    # For everything else return 404
+    location / {
         log_not_found off;
+        access_log off;
         return 404;
     }
 
-    # Don't log robots.
-    location = /robots.txt {
-        log_not_found off;
-        access_log off;
-    }
-
-    # Don't log common file requests.
-    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
-        expires max;
-        log_not_found off;
-        access_log off;
-    }
-
-    # Include extra files.
-    include ${NGINX_CONFD:-/no_path/8}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}-*.inc;
 }
 NGX