diff --git a/roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2 b/roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2 index c4e5849d..8d971b76 100644 --- a/roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2 +++ b/roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2 @@ -1,5 +1,6 @@ -listen {{ WEB_PORT }} ssl http2; -listen [::]:{{ WEB_PORT }} ssl http2; +listen {{ WEB_PORT }} ssl; +listen [::]:{{ WEB_PORT }} ssl; +http2; ssl_protocols TLSv1.2 TLSv1.3; ssl_ecdh_curve X25519:P-256; diff --git a/roles/svc-prx-openresty/docs/DEBUG.md b/roles/svc-prx-openresty/docs/DEBUG.md new file mode 100644 index 00000000..8904d3dd --- /dev/null +++ b/roles/svc-prx-openresty/docs/DEBUG.md @@ -0,0 +1,107 @@ +# Debugging OpenResty Configuration + +This document provides commands and tips to validate and inspect the OpenResty (Nginx) configuration and the Docker Compose setup. + +--- + +## 1. Validate OpenResty / Nginx Configuration + +* **Quick syntax check (quiet):** + + ```bash + docker exec {{ openresty_container }} openresty -t -q + ``` + + *Returns only errors.* + +* **Detailed syntax check (show warnings):** + + ```bash + docker exec {{ openresty_container }} openresty -t + ``` + + or: + + ```bash + docker exec {{ openresty_container }} nginx -t + ``` + +--- + +## 2. Dump the Complete Merged Nginx Configuration + +To see the full configuration after all `include` directives are processed: + +```bash +# Within the running container +docker exec {{ openresty_container }} openresty -T +# or equivalently +docker exec {{ openresty_container }} nginx -T +``` + +This outputs every directive from `nginx.conf` and all files in `conf.d` in the order Nginx will use them. + +--- + +## 3. Inspect the Docker Compose Configuration + +To view the final, merged Docker Compose setup (combining all `docker-compose.yml` files and variable interpolation): + +```bash +docker-compose -f docker-compose.yml config +``` + +If you use a custom project name or multiple override files: + +```bash +docker-compose -p -f docker-compose.yml -f override.yml config +``` + +--- + +### 4. Verifying which domains your TLS certificate covers + +To see all hostnames (Subject Alternative Names) included in your certificate, you can inspect the issued `fullchain.pem` file with `openssl`: + +```bash +openssl x509 \ + -in /etc/letsencrypt/live//fullchain.pem \ + -noout \ + -text \ +| grep -A1 "Subject Alternative Name" +``` + +This will print something like: + +``` + X509v3 Subject Alternative Name: + DNS:example.com, DNS:www.example.com, DNS:api.example.com +``` + +Alternatively, you can query the live service directly: + +```bash +openssl s_client \ + -connect matrix.cymais.cloud:443 \ + -servername matrix.cymais.cloud \ + /dev/null \ +| openssl x509 -noout -text \ +| grep -A1 "Subject Alternative Name" +``` + +That way you’ll see exactly which domains your server is serving and which names are valid in the presented certificate. + +``` +::contentReference[oaicite:0]{index=0} +``` + +## 5. Common Troubleshooting Tips + +* Ensure that all volume mounts and file paths match your host layout. +* Confirm file permissions allow the container to read configuration files. +* Use `-q` for a concise error-only check, omit it to see warnings. +* After fixing issues, reload without downtime: + + ```bash + docker exec {{ openresty_container }} openresty -s reload + ``` \ No newline at end of file