Add hands-off ACMEv2 + SSL support #101
Labels
No labels
Android
CS::needs customer feedback
CS::needs follow up
CS::needs on prem installation
CS::waiting
Chrome
Design:: Ready
Design:: in progress
Design::UX
E2EE
Edge
Firefox
GDPR
Iteration 13 IM
Linux
MacOS
Need::Discussion
Need::Steps to reproduce
Need::Upstream fix
Needs:: Planning
Needs::Dev-Team
Needs::More information
Needs::Priority
Needs::Product
Needs::Refinement
Needs::Severity
Priority::1-Critical
Priority::2-Max
Priority::3-Impending
Priority::4-High
Priority::5-Medium
Priority::6-Low
Priority::7-None
Progress::Backlog
Progress::Review
Progress::Started
Progress::Testing
Progress::Triage
Progress::Waiting
Reporter::Sentry
Safari
Target::Community
Target::Customer
Target::Internal
Target::PoC
Target::Security
Team:Customer-Success
Team:Design
Team:Infrastructure
Team:Instant-Messaging
Team:Product
Team:Workflows
Type::Bug
Type::Design
Type::Documentation
Type::Feature
Type::Improvement
Type::Support
Type::Tests
Windows
blocked
blocked-by-spec
cla-signed
conduit
contribution::advanced
contribution::easy
contribution::help needed
from::review
iOS
p::ti-tenant
performance
product::triage
proposal
refactor
release-blocker
s: dart_openapi_codegen
s::Famedly-Patient
s::Org-Directory
s::Passport-Generator
s::Requeuest
s:CRM
s:Famedly-App
s:Famedly-Web
s:Fhiroxide
s:Fhiroxide-cli
s:Fhiroxide-client
s:Fhirs
s:Hedwig
s:LISA
s:Matrix-Dart-SDK
s:Role-Manager
s:Synapse
s:User-Directory
s:WFS-Matrix
s:Workflow Engine
s:dtls
s:famedly-error
s:fcm-shared-isolate
s:matrix-api-lite
s:multiple-tab-detector
s:native-imaging
severity::1
severity::2
severity::3
severity::4
technical-debt
voip
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: Matthias/conduit#101
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This'll make deploying conduit way easier, as no reverse proxy gets in the way or has to be installed alongside it. Conduit will maintain it's own set of SSL certificates, and make them work through rocket, so that a user only has to point a domain at it, open 80 and 443, set the correct domain in the config, and conduit will do the rest. Conduit will then also refresh the certificates automatically if the current ones have less than 30 days left (similar to how certbot does it)
I'm eying https://crates.io/crates/acme2 for this.
changed the description
This will mean that users can't run apache or nginx if they already run conduit like this, because port 80 and 443 are already used. I think this confuses the user and should not be implemented
I don't think it'll confuse the user, as it'll be less stuff to deploy. I imagine some users would never even hear of nginx, apache, or caddy as reverse proxies, and only wanna set this up on their own raspberry pi, or their own cloud server. It'll lower the barrier to entry.
This will definitely be useful for people who want to run just conduit and if you can turn it off it's still perfectly fine for people who want to run more stuff behind a reverse proxy.
It would also mean I have to run conduit as root, which - at this point - I would be very hesitant to do.
P.S. yes, I know about capabilities and the network one specifically...
P.P.S. I'd rather provide an easy and detailed description on how to set up https://packages.debian.org/bullseye/stunnel4 for those wanting a minimal solution.
You don’t have to run conduit as root, you can also just give it elevated network interface permissions (I’m sure that exists via systemd service files)
Honestly I feel like if you're going to be hosting one or more webservers you ought to know how to set up a reverse proxy. It's just a matter of time before you decide to host more than one thing. There are already other good tools for automating cert renewals as well. I think the experience of using those existing tools alongside Conduit will be better than experiencing problems with edge cases of directly-in-Conduit implementations of these things. Also I'd imagine reverse proxies have better handling of various network problems that you get for free by using one.
— The HTTP crash course nobody asked for, fasterthanlime