auto-ssl · ryokdy · Sep 4, 2017 · Sep 4, 2017 · Sep 4, 2017 · Sep 4, 2017
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -20,7 +20,7 @@ jobs:
           - centos
           - alpine
           - ubuntu
-          - openresty1.13
+          - openresty1.21
           - lua51
     steps:
       - uses: actions/checkout@v1

diff --git a/.luacheckrc b/.luacheckrc
@@ -3,7 +3,6 @@ globals = {
 }
 
 exclude_files = {
-  "lib/resty/auto-ssl/vendor/shell.lua",
 }
 
 max_line_length = false
diff --git a/Dockerfile-test b/Dockerfile-test
@@ -1,9 +1,8 @@
-FROM openresty/openresty:1.15.8.1-4-centos
+FROM openresty/openresty:1.21.4.1-0-centos
 
 # Runtime dependencies
 RUN yum -y install \
   bash \
-  coreutils \
   curl \
   diffutils \
   grep \
@@ -25,8 +24,10 @@ RUN yum -y install epel-release && \
     lua \
     procps-ng \
     redis \
-    sudo \
-    https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm
+    sudo
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \
+  tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+  rm -f /tmp/ngrok.tar.gz
 
 RUN mkdir /app
 WORKDIR /app

diff --git a/Dockerfile-test-alpine b/Dockerfile-test-alpine
@@ -1,4 +1,4 @@
-FROM openresty/openresty:1.15.8.2-1-alpine-fat
+FROM openresty/openresty:1.21.4.1-0-alpine-fat
 
 RUN mkdir /app
 WORKDIR /app
@@ -27,11 +27,10 @@ RUN apk add --no-cache \
     redis \
     sudo \
     tzdata \
-    wget && \
-  curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/a/naDTyS8Kyxv/ngrok-2.3.34-linux-386.tar.gz && \
+    wget
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-386.tgz && \
   tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
-  rm -f /tmp/ngrok.tar.gz && \
-  chmod +x /usr/local/bin/ngrok
+  rm -f /tmp/ngrok.tar.gz
 
 COPY Makefile /app/Makefile
 RUN make install-test-deps

diff --git a/Dockerfile-test-lua51 b/Dockerfile-test-lua51
@@ -1,9 +1,8 @@
-FROM openresty/openresty:1.11.2.1-centos
+FROM openresty/openresty:1.21.4.1-0-centos
 
 # Runtime dependencies
 RUN yum -y install \
   bash \
-  coreutils \
   curl \
   diffutils \
   grep \
@@ -22,8 +21,10 @@ RUN yum -y install epel-release && \
     lua \
     procps-ng \
     redis \
-    sudo \
-    https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm
+    sudo
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \
+  tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+  rm -f /tmp/ngrok.tar.gz
 
 ENV PATH /usr/local/openresty/luajit/bin:/usr/local/openresty/bin:/usr/local/openresty/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ENV TEST_NGINX_RESOLVER 127.0.0.11 ipv6=off

diff --git a/Dockerfile-test-openresty1.13 → Dockerfile-test-openresty1.21 b/Dockerfile-test-openresty1.13 → Dockerfile-test-openresty1.21
@@ -1,9 +1,8 @@
-FROM openresty/openresty:1.13.6.2-2-centos
+FROM openresty/openresty:1.21.4.1-0-centos
 
 # Runtime dependencies
 RUN yum -y install \
   bash \
-  coreutils \
   curl \
   diffutils \
   grep \
@@ -22,8 +21,10 @@ RUN yum -y install epel-release && \
     lua \
     procps-ng \
     redis \
-    sudo \
-    https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm
+    sudo
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \
+  tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+  rm -f /tmp/ngrok.tar.gz
 
 RUN mkdir /app
 WORKDIR /app

diff --git a/Dockerfile-test-ubuntu b/Dockerfile-test-ubuntu
@@ -1,12 +1,11 @@
-FROM openresty/openresty:1.15.8.2-1-bionic
+FROM openresty/openresty:1.21.4.1-0-jammy
 
 ENV DEBIAN_FRONTEND noninteractive
 
 # Runtime dependencies
 RUN apt-get update && \
   apt-get -y install \
     bash \
-    coreutils \
     curl \
     diffutils \
     grep \
@@ -22,13 +21,17 @@ RUN apt-get update && \
   apt-get -y install \
     git \
     lsof \
-    lua5.2 \
+    lua5.4 \
     redis-server \
     sudo \
-    tzdata && \
-  curl -fsSL -o /tmp/ngrok.deb https://bin.equinox.io/a/b2wQezFbsHk/ngrok-2.3.34-linux-amd64.deb && \
-  dpkg -i /tmp/ngrok.deb || apt-get -fy install && \
-  rm -f /tmp/ngrok.deb
+    tzdata \
+    bsdmainutils
+RUN curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | \
+    sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && \
+    echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | \
+    sudo tee /etc/apt/sources.list.d/ngrok.list && \
+    sudo apt update && \
+    sudo apt install ngrok
 
 RUN mkdir /app
 WORKDIR /app

diff --git a/Makefile b/Makefile
@@ -1,9 +1,7 @@
 ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 BUILD_DIR?=$(ROOT_DIR)/build
 
-DEHYDRATED_VERSION:=05eda91a2fbaed1e13c733230238fc68475c535e
-LUA_RESTY_SHELL_VERSION:=955243d70506c21e7cc29f61d745d1a8a718994f
-SOCKPROC_VERSION:=92aba736027bb5d96e190b71555857ac5bb6b2be
+DEHYDRATED_VERSION:=ea841998631561543357f032fa7c06598c34d517
 
 RUNTIME_DEPENDENCIES:=bash curl cut date diff grep mktemp openssl sed
 
@@ -18,9 +16,7 @@ RUNTIME_DEPENDENCIES:=bash curl cut date diff grep mktemp openssl sed
 
 all: \
 	check-dependencies \
-	$(BUILD_DIR)/stamp-dehydrated-2-$(DEHYDRATED_VERSION) \
-	$(BUILD_DIR)/stamp-lua-resty-shell-$(LUA_RESTY_SHELL_VERSION) \
-	$(BUILD_DIR)/stamp-sockproc-2-$(SOCKPROC_VERSION)
+	$(BUILD_DIR)/stamp-dehydrated-2-$(DEHYDRATED_VERSION)
 
 check-dependencies:
 	$(foreach bin,$(RUNTIME_DEPENDENCIES),\
@@ -51,14 +47,9 @@ install: check-dependencies
 	install -m 644 lib/resty/auto-ssl/utils/random_seed.lua $(INST_LUADIR)/resty/auto-ssl/utils/random_seed.lua
 	install -m 644 lib/resty/auto-ssl/utils/shell_execute.lua $(INST_LUADIR)/resty/auto-ssl/utils/shell_execute.lua
 	install -m 644 lib/resty/auto-ssl/utils/shuffle_table.lua $(INST_LUADIR)/resty/auto-ssl/utils/shuffle_table.lua
-	install -m 644 lib/resty/auto-ssl/utils/start_sockproc.lua $(INST_LUADIR)/resty/auto-ssl/utils/start_sockproc.lua
-	install -d $(INST_LUADIR)/resty/auto-ssl/vendor
-	install -m 644 lib/resty/auto-ssl/vendor/shell.lua $(INST_LUADIR)/resty/auto-ssl/vendor/shell.lua
 	install -d $(INST_BINDIR)/resty-auto-ssl
 	install -m 755 bin/letsencrypt_hooks $(INST_BINDIR)/resty-auto-ssl/letsencrypt_hooks
-	install -m 755 bin/start_sockproc $(INST_BINDIR)/resty-auto-ssl/start_sockproc
 	install -m 755 $(BUILD_DIR)/bin/dehydrated $(INST_BINDIR)/resty-auto-ssl/dehydrated
-	install -m 755 $(BUILD_DIR)/bin/sockproc $(INST_BINDIR)/resty-auto-ssl/sockproc
 
 $(BUILD_DIR):
 	mkdir -p $@
@@ -70,21 +61,6 @@ $(BUILD_DIR)/stamp-dehydrated-2-$(DEHYDRATED_VERSION): | $(BUILD_DIR)
 	chmod +x $(BUILD_DIR)/bin/dehydrated
 	touch $@
 
-$(BUILD_DIR)/stamp-lua-resty-shell-$(LUA_RESTY_SHELL_VERSION): | $(BUILD_DIR)
-	rm -f $(BUILD_DIR)/stamp-lua-resty-shell-*
-	curl -sSLo $(ROOT_DIR)/lib/resty/auto-ssl/vendor/shell.lua "https://raw.githubusercontent.com/juce/lua-resty-shell/$(LUA_RESTY_SHELL_VERSION)/lib/resty/shell.lua"
-	touch $@
-
-$(BUILD_DIR)/stamp-sockproc-2-$(SOCKPROC_VERSION): | $(BUILD_DIR)
-	rm -f $(BUILD_DIR)/stamp-sockproc-*
-	mkdir -p $(BUILD_DIR)/bin
-	cd $(BUILD_DIR) && curl -sSLo sockproc-$(SOCKPROC_VERSION).tar.gz "https://github.com/juce/sockproc/archive/$(SOCKPROC_VERSION).tar.gz"
-	cd $(BUILD_DIR) && tar -xf sockproc-$(SOCKPROC_VERSION).tar.gz
-	cd $(BUILD_DIR)/sockproc-$(SOCKPROC_VERSION) && make
-	cp $(BUILD_DIR)/sockproc-$(SOCKPROC_VERSION)/sockproc $(BUILD_DIR)/bin/sockproc
-	chmod +x $(BUILD_DIR)/bin/sockproc
-	touch $@
-
 #
 # Testing
 #
@@ -95,11 +71,11 @@ install-test-deps:
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install busted 2.0.0-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install etlua 1.3.0-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install inspect 3.1.1-0
-	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install lua-resty-http 0.15-0
+	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install lua-resty-http 0.17.1-0
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install luacheck 0.23.0-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install luaposix 34.1.1-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install penlight 1.5.4-1
-	luarocks install luarocks-fetch-gitrec && luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install process 1.9.0-1
+	luarocks install luarocks-fetch-gitrec && luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install process 1.9.1-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install shell-games 1.0.1-1
 
 lint:

diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ This OpenResty plugin automatically and transparently issues SSL certificates fr
 - If the system already has a SSL certificate for that domain, it is immediately returned (with OCSP stapling).
 - If the system does not yet have an SSL certificate for this domain, it issues a new SSL certificate from Let's Encrypt. Domain validation is handled for you. After receiving the new certificate (usually within a few seconds), the new certificate is saved, cached, and returned to the client (without dropping the original request).
 
-This uses the `ssl_certificate_by_lua` functionality in OpenResty 1.9.7.2+.
+This uses the `ssl_certificate_by_lua` functionality.
 
 By using lua-resty-auto-ssl to register SSL certificates with Let's Encrypt, you agree to the [Let's Encrypt Subscriber Agreement](https://letsencrypt.org/repository/).
 
@@ -22,9 +22,7 @@ Used in production (but the internal APIs might still be in flux).
 
 Requirements:
 
-- [OpenResty](http://openresty.org/#Download) 1.9.7.2 or higher
-  - **Recommended:** OpenResty 1.15.8.1 or higher is recommended for best performance and stability.
-  - Or nginx patched with [ssl_cert_cb_yield](https://github.com/openresty/openresty/blob/v1.11.2.2/patches/nginx-1.11.2-ssl_cert_cb_yield.patch) and built with [ngx_lua](https://github.com/openresty/lua-nginx-module#installation) 0.10.0 or higher
+- [OpenResty](http://openresty.org/#Download) 1.15.8.1 or higher
 - OpenSSL 1.0.2e or higher
 - [LuaRocks](http://openresty.org/#UsingLuaRocks)
 - gcc, make (for initial install via LuaRocks)
@@ -413,4 +411,4 @@ To release a new version to LuaRocks:
 - Document and formalize the API for other storage adapters.
 - Open source the MongoDB storage adapter we're using in API Umbrella.
 - Add the ability to encrypt data at rest for any storage adapter (based on what we built for API Umbrella's MongoDB storage adapter).
-- We currently rely on [dehydrated](https://github.com/lukas2511/dehydrated) as our Let's Encrypt client. It's called in a non-blocking fashion via [lua-resty-shell](https://github.com/juce/lua-resty-shell) and [sockproc](https://github.com/juce/sockproc), however it might be simpler to eventually replace this approach with a native OpenResty Let's Encrypt client someday.
+- We currently rely on [dehydrated](https://github.com/lukas2511/dehydrated) as our Let's Encrypt client. It's called in a non-blocking fashion via [lua-resty-shell](https://github.com/openresty/lua-resty-shell), however it might be simpler to eventually replace this approach with a native OpenResty Let's Encrypt client someday.
diff --git a/bin/start_sockproc b/bin/start_sockproc
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -36,13 +36,13 @@ services:
       - ubuntu_build_cache:/app/build
     sysctls:
       net.core.somaxconn: 1024
-  openresty1.13:
+  openresty1.21:
     build:
       context: .
-      dockerfile: Dockerfile-test-openresty1.13
+      dockerfile: Dockerfile-test-openresty1.21
     volumes:
       - .:/app
-      - openresty1.13_build_cache:/app/build
+      - openresty1.21_build_cache:/app/build
     sysctls:
       net.core.somaxconn: 1024
   lua51:
@@ -59,5 +59,5 @@ volumes:
   centos_build_cache:
   alpine_build_cache:
   ubuntu_build_cache:
-  openresty1.13_build_cache:
+  openresty1.21_build_cache:
   lua51_build_cache:
diff --git a/lib/resty/auto-ssl/init_worker.lua b/lib/resty/auto-ssl/init_worker.lua
@@ -1,7 +1,6 @@
 local random_seed = require "resty.auto-ssl.utils.random_seed"
 local renewal_job = require "resty.auto-ssl.jobs.renewal"
 local shell_blocking = require "shell-games"
-local start_sockproc = require "resty.auto-ssl.utils.start_sockproc"
 
 return function(auto_ssl_instance)
   local base_dir = auto_ssl_instance:get("dir")
@@ -19,18 +18,6 @@ return function(auto_ssl_instance)
   -- call in the init_worker phase.
   random_seed()
 
-  -- Startup sockproc. This background process allows for non-blocking shell
-  -- commands with resty.shell.
-  --
-  -- We do this in the init_worker phase, so that it will always be started
-  -- with the same permissions as the nginx workers (and not the elevated
-  -- permissions of the nginx master process).
-  --
-  -- If we implement a native resty Let's Encrypt ACME client (rather than
-  -- relying on dehydrated), then we could get rid of the need for this
-  -- background process, which would be nice.
-  start_sockproc()
-
   local storage = auto_ssl_instance.storage
   local storage_adapter = storage.adapter
   if storage_adapter.setup_worker then
-Original file line number
+Diff line change
@@ Expand Up / @@ -20,7 +20,7 @@ jobs: @@
               - centos
               - alpine
               - ubuntu
-              - openresty1.13
+              - openresty1.21
               - lua51
         steps:
           - uses: actions/checkout@v1
@@ Expand Down @@