tixie/nixcfg
1
0
Fork 0
forked from Deuxfleurs/nixcfg
Code Pull requests Activity

prod: garage: Enable on-demand-tls check for *.garage S3 endpoint

Browse source 
We were hitting Let's Encrypt rate limits because we were generating
thousands of non-sense certificates like "foo.bar.baz.garage.deuxfleurs.fr"

See https://crt.sh

Subdomains of garage.deuxfleurs.fr only make sense when accessing buckets
through S3 with vhost-style, so let's enable the on-demand-tls check to
make sure that the bucket exists in Garage.

In the long term, we might want to have a wildcard certificate for this
usage, or simply stop supporting vhost-style S3 access.
This commit is contained in:
Baptiste Jonglez 2024-06-08 17:14:44 +02:00
parent 9fc22d72d4
commit 7e88a88e04
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
cluster/prod/app/garage/deploy/garage.hcl
View file

@ -104,6 +104,7 @@ job "garage" {
"garage_api", "garage_api",
"tricot garage.deuxfleurs.fr", "tricot garage.deuxfleurs.fr",
"tricot *.garage.deuxfleurs.fr", "tricot *.garage.deuxfleurs.fr",
"tricot-on-demand-tls-ask http://garage-admin.service.prod.consul:3903/check",
"tricot-site-lb", "tricot-site-lb",
] ]
port = "s3" port = "s3"