From 1a73877305f32ff158173878dda6b86f378ff3c8 Mon Sep 17 00:00:00 2001
From: Dave Nicponski
Date: Wed, 12 Oct 2022 19:47:36 -0400
Subject: Tweak nginx config for Let's Encrypt ACME challenges
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently, this is using a "URI prefix match", but per nginx docs, ``` [...] the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used. ``` which means a config like this (from wordpress service) will override that ``` locations = { "~ /\\." = { priority = 800; extraConfig = "deny all;"; }; }; ``` 😱 Luckily, from nginx docs: ``` If the longest matching prefix location has the “^~” modifier then regular expressions are not checked. ``` Whew!
---
nixos/modules/services/web-servers/nginx/default.nix | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'nixos/modules/services/web-servers')

diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index aa782b4267e..9cbac370612 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -275,7 +275,10 @@ let
 redirectListen = filter (x: !x.ssl) defaultListen;
 acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''
- location /.well-known/acme-challenge {
+ # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
+ # We use ^~ here, so that we don't check any regexes (which could
+ # otherwise easily override this intended match accidentally).
+ location ^~ /.well-known/acme-challenge/ {
 ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
 ${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"}
 auth_basic off;
-- 
cgit 1.4.1
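Review bot: The comment above the new `location ^~ /.well-known/acme-challenge/ {` line overstates what `^~` guarantees: nginx skips the regex locations only when this block is the longest matching prefix, so a longer prefix location added through `vhost.locations` (plain or `^~`) would still take precedence over it. I would extend the comment to `# ^~ skips regex locations (e.g. a "~ /\." deny rule from vhost.locations) only while this is the longest matching prefix; a longer prefix location would still win.` so the limit is visible to whoever adds locations later. The added trailing slash also narrows the match to paths below the directory, which is what ACME uses (`/.well-known/acme-challenge/<token>`), but it deserves a word in the same comment since the bare `/.well-known/acme-challenge` path no longer hits this block. The `acmeLocation` string continues past the end of the hunk, and the hunk's final context line appears to be missing from this page.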