How do I get ssl_preread_alpn_protocols for acme-tls request working with nginx 1.14?

Wayne Werner asked:

I’m trying to configure Nginx to support Let’s Encrypt with TLS-ALPN-01 using dehydrated. In their documentation they have the following for telling Nginx load balancing to direct the request to a server that can serve up the TLS-ALPN-01 challenge. This is the Nginx config:

stream {
  server {
    map $ssl_preread_alpn_protocols $tls_port {
      ~\bacme-tls/1\b 10443;
      default 443;
    }

    server {
      listen 443;
      listen [::]:443;
      proxy_pass 10.13.37.42:$tls_port;
      ssl_preread on;
    }
  }
}

When I put that in my /etc/nginx/nginx.conf it complained about the stream directive. I found some information that said to add this line to the top of my config:

load_module /usr/lib/nginx/modules/ngx_stream_module.so;

That got rid of that complaint, but with this config:

load_module /usr/lib/nginx/modules/ngx_stream_module.so;
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

stream {
  server {
    map $ssl_preread_alpn_protocols $tls_port {
      ~\bacme-tls/1\b 10443;
      default 443;
    }

    server {
      listen 443;
      listen [::]:443;
      proxy_pass 10.13.37.42:$tls_port;
      ssl_preread on;
    }
  }
}

I get this error:

nginx: [emerg] "map" directive is not allowed here in /etc/nginx/nginx.conf:13
nginx: configuration file /etc/nginx/nginx.conf test failed

So what do I need to do to correctly get this map working? Do I have to load another module?

My answer:

map must be in the stream block, not in the server block.

It also looks like you have a server block inside another server block, which also won’t work.
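The question's configuration with those two problems corrected, as an added example that is not part of the question or the answer: map sits directly under stream, the nested server block is gone, and the upstream 10.13.37.42 with challenge port 10443 is kept from the question. It also assumes nginx was built with ngx_stream_ssl_preread_module, which ssl_preread requires.

```nginx
# Added example (not from the original post). Same values as the question's config.
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

stream {
    # map is only valid at stream level, never inside a server block
    map $ssl_preread_alpn_protocols $tls_port {
        ~\bacme-tls/1\b 10443;   # ALPN acme-tls/1 -> TLS-ALPN-01 challenge responder
        default         443;     # everything else -> normal TLS backend
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;          # inspect the ClientHello without terminating TLS
        proxy_pass 10.13.37.42:$tls_port;
    }
}
```

Run nginx -t after the change; it should no longer report the "map" directive error, and a ClientHello advertising acme-tls/1 will be forwarded to port 10443 while all other TLS traffic goes to 443.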


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.