fix: correct punycode for мои-товары.рф and add IDN support to generate-nginx-conf.sh

xn--e1afmapc4af.xn--p1af was wrong; correct punycode is xn----8sbfwtmcso8g.xn--p1ai.
generate-nginx-conf.sh now converts IDN domains to punycode before expanding the
template, so cert paths and server_name directives are always ASCII-safe.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mguschin
2026-05-13 14:06:54 +03:00
parent 23e175d9a8
commit dbb1f48da7
2 changed files with 24 additions and 8 deletions


@@ -10,7 +10,7 @@ upstream web {
server { server {
listen 80; listen 80;
server_name xn--e1afmapc4af.xn--p1af www.xn--e1afmapc4af.xn--p1af; server_name xn----8sbfwtmcso8g.xn--p1ai www.xn----8sbfwtmcso8g.xn--p1ai;
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
root /var/www/certbot; root /var/www/certbot;
@@ -23,10 +23,10 @@ server {
server { server {
listen 443 ssl; listen 443 ssl;
server_name xn--e1afmapc4af.xn--p1af www.xn--e1afmapc4af.xn--p1af; server_name xn----8sbfwtmcso8g.xn--p1ai www.xn----8sbfwtmcso8g.xn--p1ai;
ssl_certificate /etc/letsencrypt/live/xn--e1afmapc4af.xn--p1af/fullchain.pem; ssl_certificate /etc/letsencrypt/live/xn----8sbfwtmcso8g.xn--p1ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xn--e1afmapc4af.xn--p1af/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/xn----8sbfwtmcso8g.xn--p1ai/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5; ssl_ciphers HIGH:!aNULL:!MD5;


@@ -30,11 +30,26 @@ if [ -z "${DOMAIN:-}" ]; then
exit 1 exit 1
fi fi
CONF_FILE="/etc/nginx/sites-available/${DOMAIN}.conf" # Convert IDN/Cyrillic domain to punycode for cert paths and server_name
ENABLED_LINK="/etc/nginx/sites-enabled/${DOMAIN}.conf" PUNYCODE=$(python3 -c "
import sys
d = sys.argv[1]
try:
parts = d.split('.')
print('.'.join(p.encode('idna').decode('ascii') for p in parts))
except Exception:
print(d)
" "$DOMAIN" 2>/dev/null || echo "$DOMAIN")
echo "==> Generating nginx config for: $DOMAIN" if [ "$PUNYCODE" != "$DOMAIN" ]; then
DOMAIN="$DOMAIN" envsubst '$DOMAIN' < "$TEMPLATE" | sudo tee "$CONF_FILE" > /dev/null echo "==> IDN domain detected: $DOMAIN$PUNYCODE"
fi
CONF_FILE="/etc/nginx/sites-available/${PUNYCODE}.conf"
ENABLED_LINK="/etc/nginx/sites-enabled/${PUNYCODE}.conf"
echo "==> Generating nginx config for: $DOMAIN ($PUNYCODE)"
DOMAIN="$PUNYCODE" envsubst '$DOMAIN' < "$TEMPLATE" | sudo tee "$CONF_FILE" > /dev/null
if [ ! -L "$ENABLED_LINK" ]; then if [ ! -L "$ENABLED_LINK" ]; then
sudo ln -s "$CONF_FILE" "$ENABLED_LINK" sudo ln -s "$CONF_FILE" "$ENABLED_LINK"
@@ -48,4 +63,5 @@ sudo nginx -t
echo "" echo ""
echo "==> Config written to: $CONF_FILE" echo "==> Config written to: $CONF_FILE"
echo " Cert path: /etc/letsencrypt/live/$PUNYCODE/"
echo " Reload nginx to apply: sudo systemctl reload nginx" echo " Reload nginx to apply: sudo systemctl reload nginx"
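Review bot: The new conversion block falls back to the raw `$DOMAIN` on every failure path (`except Exception: print(d)`, `2>/dev/null`, `|| echo "$DOMAIN"`), so a missing python3 or an un-encodable label silently yields a non-ASCII `CONF_FILE` and `server_name`, which is the case this commit sets out to prevent. `$PUNYCODE` is also never checked against a hostname character set before it reaches `sudo tee "$CONF_FILE"` and the template; as far as I can tell the `idna` codec passes ASCII labels through unchanged (including `/`, `;` or whitespace) and empty labels survive the split/join, so a value like that would end up in a root-written path and in the nginx config if DOMAIN ever comes from anything but a trusted operator. I would let the Python snippet fail loudly, abort the script on failure, and accept only `[A-Za-z0-9.-]` with no empty labels. Python's built-in `idna` codec implements IDNA 2003, so for some labels it may differ from what the CA or browsers compute; a comment saying so would help. The script starts before and continues between the hunks shown, so the `set` options in effect are not visible here.

```shell
# Convert IDN/Cyrillic domain to punycode for cert paths and server_name.
# Python's "idna" codec is IDNA 2003; fail instead of falling back to raw input.
if ! PUNYCODE=$(python3 -c '
import sys
print(".".join(p.encode("idna").decode("ascii") for p in sys.argv[1].split(".")))
' "$DOMAIN"); then
  echo "ERROR: could not convert domain to punycode: $DOMAIN" >&2
  exit 1
fi

# Only hostname characters may reach the config path and the template
case "$PUNYCODE" in
  "" | .* | *. | *..* | *[!A-Za-z0-9.-]*)
    echo "ERROR: not a valid hostname: $DOMAIN" >&2
    exit 1
    ;;
esac

# … unchanged: IDN notice, CONF_FILE / ENABLED_LINK assignment, envsubst …
```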