I'm trying to configure Nginx to support Let's Encrypt with TLS-ALPN-01 using dehydrated. In their documentation they have the following for telling Nginx load balancing to direct the request to a server that can serve up the TLS-ALPN-01 challenge. This is the Nginx config:
stream {
    server {
        map $ssl_preread_alpn_protocols $tls_port {
            ~\bacme-tls/1\b 10443;
            default 443;
        }
        server {
            listen 443;
            listen [::]:443;
            proxy_pass 10.13.37.42:$tls_port;
            ssl_preread on;
        }
    }
}
When I put that in my /etc/nginx/nginx.conf it complained about the stream directive. I found some information that said to add this line to the top of my config:
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
That got rid of that complaint, but with this config:
load_module /usr/lib/nginx/modules/ngx_stream_module.so;

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

stream {
    server {
        map $ssl_preread_alpn_protocols $tls_port {
            ~\bacme-tls/1\b 10443;
            default 443;
        }
        server {
            listen 443;
            listen [::]:443;
            proxy_pass 10.13.37.42:$tls_port;
            ssl_preread on;
        }
    }
}
I get this error
nginx: [emerg] "map" directive is not allowed here in /etc/nginx/nginx.conf:13
nginx: configuration file /etc/nginx/nginx.conf test failed
So what do I need to do to correctly get this map working? Do I have to load another module?
I found the solution on another site.

If you want to have nginx load balance the ALPN requests to your ALPN responder, and normal https traffic elsewhere, you have to start telling your normal https servers to listen on an alternate port (i.e. not :443).

Following the guide, in all my server declarations in /etc/nginx/sites-enabled I changed :443 to :3443. Then I updated the added config:

Now everything works A-OK, and I can generate/renew certs with no downtime!
map must be in the stream block, not in the server block. It also looks like you have a server block inside another server block, which also won't work.
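Putting the two answers together, here is a complete nginx.conf that applies both fixes: the map sits directly inside the stream block (not inside a nested server block), and the normal https vhosts move to :3443 so that the stream server can own :443. This is an added example, not the asker's final config or the dehydrated project's own snippet. It assumes the ACME responder and the https vhosts both run on this same host (hence 127.0.0.1 rather than 10.13.37.42), and the certificate paths, server_name and document root are placeholders.

```nginx
# /etc/nginx/nginx.conf  (added example; paths and hostnames are assumed)
load_module /usr/lib/nginx/modules/ngx_stream_module.so;

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

# Layer-4 front door: inspect the TLS ClientHello (no decryption) and route
# on the ALPN value. The map MUST be a direct child of stream{}; placing it
# inside server{} produces '"map" directive is not allowed here'.
stream {
    map $ssl_preread_alpn_protocols $tls_port {
        ~\bacme-tls/1\b 10443;   # TLS-ALPN-01 validation -> dehydrated responder
        default         3443;    # everything else -> the real https vhosts
    }

    # This server owns :443, so no http{} vhost may also bind :443 on this
    # host; that is why the vhosts below listen on :3443 instead.
    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;                  # read SNI/ALPN, leave TLS intact
        proxy_pass 127.0.0.1:$tls_port;  # assumed: responder and vhosts are local
    }
}

http {
    include /etc/nginx/mime.types;

    # Ordinary https vhost, moved off :443 and bound to loopback only so the
    # alternate port is not reachable from outside except via the stream proxy.
    server {
        listen 127.0.0.1:3443 ssl;
        listen [::1]:3443 ssl;
        server_name example.com;                                       # assumed
        ssl_certificate     /etc/dehydrated/certs/example.com/fullchain.pem;  # assumed
        ssl_certificate_key /etc/dehydrated/certs/example.com/privkey.pem;    # assumed
        root /var/www/html;                                            # assumed
    }
}
```

Check it with `nginx -t` before reloading, then confirm the split from a client: `openssl s_client -connect example.com:443 -alpn acme-tls/1` should reach the responder on 10443, while a plain `openssl s_client -connect example.com:443 -alpn h2` (or a browser) should land on the :3443 vhost. One caveat of this layout: because the stream proxy re-originates the TCP connection, the http vhosts see 127.0.0.1 as the client address; if you need the real source IP in logs or access rules, enable `proxy_protocol on;` in the stream server and `listen ... ssl proxy_protocol;` on the vhost so `$proxy_protocol_addr` carries it.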