authorJoona Hoikkala <joona@kuori.org>2017-10-31 17:28:52 +0300
committerJoona Hoikkala <joona@kuori.org>2017-10-31 17:28:52 +0300
commit8b59032614730196975fb73f4c262fccd6d20955 (patch)
tree3025054596802fc8a83112c58ea3c26b8c1e6b84
parentc0a7600deba0bb8133dd3f9976fa908fd320ec37 (diff)
Requested changesnginx-ipv6
-rw-r--r--certbot-nginx/certbot_nginx/configurator.py18
-rw-r--r--certbot-nginx/certbot_nginx/obj.py7
-rw-r--r--certbot-nginx/certbot_nginx/tls_sni_01.py4
3 files changed, 24 insertions, 5 deletions
diff --git a/certbot-nginx/certbot_nginx/configurator.py b/certbot-nginx/certbot_nginx/configurator.py
index 41bfe1298..0299d09fe 100644
--- a/certbot-nginx/certbot_nginx/configurator.py
+++ b/certbot-nginx/certbot_nginx/configurator.py
@@ -513,6 +513,8 @@ class NginxConfigurator(common.Installer):
"""
ipv6info = self.ipv6_info(self.config.tls_sni_01_port)
+ ipv6_block = ['']
+ ipv4_block = ['']
# If the vhost was implicitly listening on the default Nginx port,
# have it continue to do so.
@@ -520,22 +522,28 @@ class NginxConfigurator(common.Installer):
listen_block = [['\n ', 'listen', ' ', self.DEFAULT_LISTEN_PORT]]
self.parser.add_server_directives(vhost, listen_block, replace=False)
- ipv6_block = ['']
if vhost.ipv6_enabled():
ipv6_block = ['\n ',
- 'listen',
- ' ',
- '[::]:{0} ssl'.format(self.config.tls_sni_01_port)]
+ 'listen',
+ ' ',
+ '[::]:{0} ssl'.format(self.config.tls_sni_01_port)]
if not ipv6info[1]:
# ipv6only=on is absent in global config
ipv6_block.append(' ')
ipv6_block.append('ipv6only=on')
+ if vhost.ipv4_enabled():
+ ipv4_block = ['\n ',
+ 'listen',
+ ' ',
+ '{0} ssl'.format(self.config.tls_sni_01_port)]
+
+
snakeoil_cert, snakeoil_key = self._get_snakeoil_paths()
ssl_block = ([
ipv6_block,
- ['\n ', 'listen', ' ', '{0} ssl'.format(self.config.tls_sni_01_port)],
+ ipv4_block,
['\n ', 'ssl_certificate', ' ', snakeoil_cert],
['\n ', 'ssl_certificate_key', ' ', snakeoil_key],
['\n ', 'include', ' ', self.mod_ssl_conf],
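Review bot: The IPv4 `listen <port> ssl` entry used to be added to `ssl_block` unconditionally and is now emitted only when `vhost.ipv4_enabled()` is true, so a vhost with no parsed addresses can end up with neither listen line. The comment just above this hunk anticipates vhosts that listen implicitly on the default port; unless `add_server_directives` refreshes `vhost.addrs` (not visible here), both `ipv6_enabled()` and `ipv4_enabled()` are falsy for them and the block would carry `ssl_certificate` directives with no SSL listener on the challenge port. Keeping IPv4 as the fallback would preserve the old behaviour, e.g. `if vhost.ipv4_enabled() or not vhost.ipv6_enabled():`. The `['']` placeholders are also handed to the parser as directives, so dropping empty entries before building `ssl_block` would avoid depending on how an empty directive is rendered. The enclosing method starts and ends outside the hunk.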
diff --git a/certbot-nginx/certbot_nginx/obj.py b/certbot-nginx/certbot_nginx/obj.py
index acf8ced51..5816c5571 100644
--- a/certbot-nginx/certbot_nginx/obj.py
+++ b/certbot-nginx/certbot_nginx/obj.py
@@ -217,6 +217,13 @@ class VirtualHost(object): # pylint: disable=too-few-public-methods
if a.ipv6:
return True
+ def ipv4_enabled(self):
+ """Return true if one or more of the listen directives in vhost are IPv4
+ only"""
+ for a in self.addrs:
+ if not a.ipv6:
+ return True
+
def _find_directive(directives, directive_name):
"""Find a directive of type directive_name in directives
"""
diff --git a/certbot-nginx/certbot_nginx/tls_sni_01.py b/certbot-nginx/certbot_nginx/tls_sni_01.py
index 72e488d09..7f597ac4a 100644
--- a/certbot-nginx/certbot_nginx/tls_sni_01.py
+++ b/certbot-nginx/certbot_nginx/tls_sni_01.py
@@ -69,6 +69,10 @@ class NginxTlsSni01(common.TLSSNI01):
ipv6_addr = ipv6_addr + " ipv6only=on"
addresses.append([obj.Addr.fromstring(default_addr),
obj.Addr.fromstring(ipv6_addr)])
+ logger.info(("Using default addresses %s and %s for " +
+ "TLSSNI01 authentication."),
+ default_addr,
+ ipv6_addr)
else:
addresses.append([obj.Addr.fromstring(default_addr)])
logger.info("Using default address %s for TLSSNI01 authentication.",
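Review bot: The new `logger.info` call at the top of the `if` branch builds its format string with `+` inside an extra pair of parentheses, which differs from the single-literal call in the `else` branch. Adjacent string literals concatenate on their own, so `logger.info("Using default addresses %s and %s for " "TLSSNI01 authentication.", default_addr, ipv6_addr)` keeps the lazy `%s` arguments and reads the same as its sibling. The enclosing method starts and ends outside the hunk.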