Module on Rickyhttps://linzeyan.github.io/categories/module/Recent content in Module on RickyHugo -- gohugo.ioenMon, 20 Oct 2025 16:31:00 +0800NGINX Native ACME Support: Rethinking TLS Automation from the Ground Uphttps://linzeyan.github.io/posts/2025/20251020-nginx-acme-module/Mon, 20 Oct 2025 16:31:00 +0800https://linzeyan.github.io/posts/2025/20251020-nginx-acme-module/<ul> <li><a href="https://sconts.com/post/nginx-native-acme-support/" target="_blank" rel="noopener">NGINX Native ACME Support: Rethinking TLS Automation from the Ground Up</a></li> </ul> <h2 id="ngx_http_acme_module"><code>ngx_http_acme_module</code></h2> <ul> <li>NGINX 1.25.1</li> </ul> <h2 id="pre-install">Pre-install</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Install build tools and NGINX dependencies on Debian/Ubuntu</span> </span></span><span style="display:flex;"><span>sudo apt update </span></span><span style="display:flex;"><span>sudo apt install build-essential libpcre3-dev zlib1g-dev libssl-dev pkg-config libclang-dev git -y </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Install the Rust toolchain (cargo and rustc)</span> </span></span><span style="display:flex;"><span>curl --proto <span style="color:#e6db74">&#39;=https&#39;</span> --tlsv1.2 -sSf https://sh.rustup.rs | sh </span></span><span style="display:flex;"><span>source $HOME/.cargo/env </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>mkdir -pv /app/nginx/<span style="color:#f92672">{</span>logs,conf,cache, acme<span style="color:#f92672">}</span> /app/nginx-build </span></span><span style="display:flex;"><span>cd /app/nginx-build </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Clone the ACME module source</span> </span></span><span style="display:flex;"><span>git clone https://github.com/nginx/nginx-acme.git /app/nginx-build/nginx-acme </span></span><span style="display:flex;"><span><span style="color:#75715e"># Or</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># git clone git@github.com:nginx/nginx-acme.git /app/nginx-build/nginx-acme</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Download the NGINX source (replace with the version you need)</span> </span></span><span style="display:flex;"><span>wget https://nginx.org/download/nginx-1.28.0.tar.gz </span></span><span style="display:flex;"><span>tar -zxf nginx-1.28.0.tar.gz </span></span></code></pre></div><h2 id="compile">Compile</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd nginx-1.28.0 </span></span><span style="display:flex;"><span>./configure <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --prefix<span style="color:#f92672">=</span>/app/nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --error-log-path<span style="color:#f92672">=</span>/app/nginx/error.log <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-log-path<span style="color:#f92672">=</span>/app/nginx/access.log <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --pid-path<span style="color:#f92672">=</span>/app/nginx/nginx.pid <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --lock-path<span style="color:#f92672">=</span>/app/nginx/nginx.lock <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-client-body-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/client_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-proxy-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/proxy_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-fastcgi-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/fastcgi_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-uwsgi-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/uwsgi_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-scgi-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/scgi_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --user<span style="color:#f92672">=</span>nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --group<span style="color:#f92672">=</span>nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-compat <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-file-aio <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-threads <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_addition_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_auth_request_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_dav_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_flv_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_gunzip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_gzip_static_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_mp4_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_random_index_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_realip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_secure_link_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_slice_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_stub_status_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_sub_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_v2_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_v3_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-mail <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-mail_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream_realip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream_ssl_preread_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-cc-opt<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;-g -O2 -ffile-prefix-map=/home/builder/debuild/nginx-1.28.0/debian/debuild-base/nginx-1.28.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-ld-opt<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --add-dynamic-module<span style="color:#f92672">=</span>/app/nginx-build/nginx-acme </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>make <span style="color:#f92672">&amp;&amp;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> make modules <span style="color:#f92672">&amp;&amp;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> make install </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Run the configure script; the key is --add-dynamic-module</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Note: include all existing NGINX build flags; see nginx -V</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Build the module; note it is make modules, not make install</span> </span></span></code></pre></div><h2 id="config">Config</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e"># /app/nginx/conf/nginx.conf </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">user</span> <span style="color:#e6db74">nginx</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">error_log</span> <span style="color:#e6db74">error.log</span> <span style="color:#e6db74">debug</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">pid</span> <span style="color:#e6db74">nginx.pid</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">load_module</span> <span style="color:#e6db74">modules/ngx_http_acme_module.so</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">events</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">worker_connections</span> <span style="color:#ae81ff">1024</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">multi_accept</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">http</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">include</span> <span style="color:#e6db74">mime.types</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">application/octet-stream</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">log_format</span> <span style="color:#e6db74">main</span> <span style="color:#e6db74">&#39;</span>$remote_addr <span style="color:#e6db74">-</span> $remote_user <span style="color:#e6db74">[</span>$time_local] <span style="color:#e6db74">&#34;</span>$host&#34; <span style="color:#e6db74">&#34;</span>$request&#34; <span style="color:#e6db74">&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;</span>$status $body_bytes_sent <span style="color:#e6db74">&#34;</span>$http_referer&#34; <span style="color:#e6db74">&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;</span>$http_user_agent&#34; <span style="color:#e6db74">&#34;</span>$http_x_forwarded_for&#34;&#39;; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">access_log</span> <span style="color:#e6db74">access.log</span> <span style="color:#e6db74">main</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">sendfile</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">tcp_nopush</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">charset</span> <span style="color:#e6db74">utf-8</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">keepalive_timeout</span> <span style="color:#ae81ff">65</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">gzip</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">resolver</span> 8.8.8.8 1.1.1.1; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Define an ACME issuer instance named letsencrypt </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">acme_issuer</span> <span style="color:#e6db74">letsencrypt</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Set the ACME directory URL; this is Let&#39;s Encrypt production </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">uri</span> <span style="color:#e6db74">https://acme-v02.api.letsencrypt.org/directory</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Provide a contact email for CA notices (e.g., expiration) </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">contact</span> <span style="color:#e6db74">mailto:security-alerts@aidig.co</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># State file path for ACME account key material </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">state_path</span> <span style="color:#e6db74">acme/letsencrypt</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Accept the terms of service; required for Let&#39;s Encrypt </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">accept_terms_of_service</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Optional acme_shared_zone stores certs, keys, and challenges for issuers. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e"># Default size is 256K; increase as needed. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">acme_shared_zone</span> <span style="color:#e6db74">zone=acme_shared:1M</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">ssl</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">ssl.aidig.co</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Step 1: enable ACME for this server and select the letsencrypt issuer </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">acme_certificate</span> <span style="color:#e6db74">letsencrypt</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Step 2: use dynamic variables managed in memory by the ACME module </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_certificate</span> $acme_certificate; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_key</span> $acme_certificate_key; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_cache</span> <span style="color:#e6db74">max=2</span>; <span style="color:#75715e"># required ngx 1.27.4+ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">text/plain</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">200</span> <span style="color:#e6db74">&#39;OK&#39;</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">80</span> <span style="color:#e6db74">default_server</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">_</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># ACME handles /.well-known/acme-challenge/ automatically; this is for all other requests </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">301</span> <span style="color:#e6db74">https://</span>$host$request_uri; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div>