Added built-in certificates autorenewal #35

Closed
wants to merge 3 commits into from

Conversation

fabriziofiorucci
Proposed changes

This PR adds automated certificate renewal. Adding one internal server {} and upstream {} enables a self-contained solution that periodically sends GET requests to /acme/auto.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING document
  • If applicable, I have added tests that prove my fix is effective or that my feature works
  • If applicable, I have checked that any relevant tests pass after adding my changes
  • I have updated any relevant documentation (README.md and CHANGELOG.md)
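The internal server/upstream loop the PR describes, sketched here as an added illustration rather than the PR's own README or config: the upstream points back at the same nginx over loopback, and an NGINX Plus active health check supplies the periodic GET to /acme/auto. The port, the upstream name and the js_content handler name are assumptions; the 90 s interval is taken from the snippet under review, and the health_check directive is a Plus-only feature, so OSS builds reject it at startup.

```nginx
# Added example, not from the PR. Port 8000, the upstream name and the
# handler name are assumed; only the interval comes from the PR's snippet.
http {
    js_import acme from acme.js;           # assumed module name

    upstream acme_self {
        zone acme_self 64k;                # shared zone is required for health_check
        server 127.0.0.1:8000;             # the server block below, via loopback
    }

    server {
        listen 127.0.0.1:8000;             # loopback only, never exposed externally

        location /acme/auto {
            js_content acme.clientAutoMode;  # assumed name of the project's auto handler
        }

        location /internal_auto_renewal {
            internal;                      # not reachable by external clients
            proxy_pass http://acme_self;
            # NGINX Plus only: the probe is the renewal trigger. On OSS this fails with
            # nginx: [emerg] unknown directive "health_check"
            health_check interval=90 uri=/acme/auto;
        }
    }
}
```

Nothing else proxies through acme_self, so a non-2xx answer from /acme/auto only marks that loopback peer unhealthy in the zone; probes keep running, and a renewal failure shows up in the error log rather than affecting client traffic.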

README.md Outdated
location /internal_auto_renewal {
internal;

health_check interval=90;
Contributor

Great idea @fabriziofiorucci ! When I try this on my server (nginx-1.25.1) I get this error:

web-proxy-nginx-1  | nginx: [emerg] unknown directive "health_check" in /etc/nginx/nginx.conf:49

Looks like this may only be a non-OSS feature?

Author

Active health checks are a NGINX Plus feature only and I found a bug in this, fixing now

Contributor

Targeting OSS users is an important part of this project. NGINX is losing mindshare/marketshare due to the relative difficulty of doing basic things like HTTPS and auto-cert-renewal in OSS.

Author

That makes sense, there could be a fully automated option for those who wanted to use NGINX Plus, while OSS users might rely on k8s/crontab.

Contributor

There are some NJS features nearing release that will let us run JS code on a time interval, so I think that solution will work for all :)

Contributor

I can offer to add a separate plus-specific file under examples/nginx_plus.conf and have a separate section about the differences between OSS and plus wrt this auto-acme configuration.

Contributor

Yeah IMO we should be OSS-first in our solution posture here.

Author

@ivanitskiy @zsteinkamp if that works for you I can amend this PR with a dedicated nginx_plus.conf file.

Contributor

It would be nice to separate OSS and Plus and not mix them in a single example (e.g. in Plus we can use KV instead of shared_dict and so on...).

Contributor

@ivanitskiy ivanitskiy left a comment

Ok. LGTM. We can always revisit the examples and how to reduce duplication.

@ivanitskiy
Contributor

I'm wondering if this current PR is beneficial as there is @zsteinkamp's WIP #38 that would use the new capabilities of NJS to schedule periodic work.

@zsteinkamp
Contributor

Agreed that the solution in #38 (which depends on njs-0.8.1 capabilities, to be released Sep 12) is overall better for customers since it's completely self-contained.

@zsteinkamp
Contributor

Thanks @fabriziofiorucci! We have merged #38 which implements auto-renewal.

@zsteinkamp zsteinkamp closed this Mar 18, 2024