Configuration generation fixes for nchan

2024-12-22 16:25:17 +00:00 · 2017-04-14 11:06:09 +00:00 · 2017-04-14 11:06:09 +00:00 · b9ac55fe26
commit b9ac55fe26
parent d6265c10d6
2 changed files with 33 additions and 21 deletions
--- a/certidude/templates/certidude-server.conf
+++ b/certidude/templates/certidude-server.conf
@ -87,15 +87,20 @@ renewal allowed = false
 ;renewal allowed = true

 [push]
+# This should occasionally be regenerated
 event source token = {{ push_token }}
-event source subscribe =
-;event source subscribe = {{ push_server }}/ev/sub/%s
-event source publish =
-;event source publish = {{ push_server }}/ev/pub/%s
-long poll subscribe =
-;long poll subscribe = {{ push_server }}/lp/sub/%s
-long poll publish =
-;long poll publish = {{ push_server }}/lp/pub/%s
+
+# For local nchan
+event source publish = http://localhost/ev/pub/%s
+long poll publish = http://localhost/lp/pub/%s
+event source subscribe = /ev/sub/%s
+long poll subscribe = /lp/sub/%s
+
+# For remote nchan
+;event source publish = //push.example.com/ev/pub/%s
+;long poll publish = http://push.example.com/lp/pub/%s
+;event source subscribe = //push.example.com/ev/sub/%s
+;long poll subscribe = http://push.example.com/lp/sub/%s

 [authority]
 # Present form for CSR submission for logged in users
--- a/certidude/templates/nginx.conf
+++ b/certidude/templates/nginx.conf
@ -41,19 +41,6 @@ server {
 {% if not push_server %}
    # This only works with nchan, for Debian 9 just apt install libnginx-mod-nchan
    # For Ubuntu and older Debian releases install nchan from https://nchan.io/
-    location ~ "^/lp/pub/(.*)" {
-        allow 127.0.0.1;
-        nchan_publisher;
-        nchan_channel_id $1;
-        nchan_message_buffer_length 0;
-    }
-
-    location ~ "^/ev/pub/(.*)" {
-        allow 127.0.0.1;
-        nchan_publisher;
-        nchan_channel_id $1;
-        nchan_message_buffer_length 0;
-    }

    location ~ "^/lp/sub/(.*)" {
        nchan_channel_id $1;
@ -68,3 +55,23 @@ server {

 }

+{% if not push_server %}
+server {
+    # Allow publishing only from localhost to prevent abuse
+    server_name localhost;
+    listen 127.0.0.1:80;
+
+    location ~ "^/lp/pub/(.*)" {
+        nchan_publisher;
+        nchan_channel_id $1;
+        nchan_message_buffer_length 0;
+    }
+
+    location ~ "^/ev/pub/(.*)" {
+        nchan_publisher;
+        nchan_channel_id $1;
+        nchan_message_buffer_length 0;
+    }
+}
+{% endif %}
+