Increase the suggested body buffer size for the HTTP hook server.

This eliminates potential issues if the HTTP POST size to the hook
server containing the cert exceeded nginx's default buffer size (which
would prevent the hook server from being able to parse the POST args):
auto-ssl#65

Based on some quick tests, it looks like the POST to `/deploy-cert`,
containing the certificate chain and private key was the largest POST.
These look to be in the neighborhood of 10KB, while nginx's default
`client_body_buffer_size` might be either 8KB or 16KB depending on the
exact system architecture. To address this, increase the suggested
configuration in the README to 128KB (which is probably overkill, but
provides plenty of space in case Let's Encrypt's full certificate chain
ever becomes bigger).

This also adds some better error logging and error handling to the hook
server, and adds more specific tests around the hook server.

Author: GUI

README.md

@@ -116,6 +116,12 @@ http {
   # Internal server running on port 8999 for handling certificate tasks.
   server {
     listen 127.0.0.1:8999;
+
+    # Increase the body buffer size, to ensure the internal POSTs can always
+    # parse the full POST contents into memory.
+    client_body_buffer_size 128k;
+    client_max_body_size 128k;
+
     location / {
       content_by_lua_block {
         auto_ssl:hook_server()

lib/resty/auto-ssl/servers/hook.lua

@@ -4,14 +4,19 @@
 -- that can be shared across multiple servers, so this can work in a
 -- multi-server, load-balanced environment).
 return function(auto_ssl_instance)
-  ngx.req.read_body()
-  local path = ngx.var.request_uri
-  local params = ngx.req.get_post_args()
-
   if ngx.var.http_x_hook_secret ~= ngx.shared.auto_ssl_settings:get("hook_server:secret") then
-    return ngx.exit(ngx.HTTP_FORBIDDEN)
+    ngx.log(ngx.ERR, "auto-ssl: unauthorized access to hook server (hook secret did not match)")
+    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
   end
 
+  ngx.req.read_body()
+  local params, params_err = ngx.req.get_post_args()
+  if not params then
+    ngx.log(ngx.ERR, "auto-ssl: failed to parse POST args: ", params_err)
+    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+  end
+
+  local path = ngx.var.request_uri
   local storage = auto_ssl_instance:get("storage")
   if path == "/deploy-challenge" then
     assert(params["domain"])
@@ -20,13 +25,15 @@ return function(auto_ssl_instance)
     local _, err = storage:set_challenge(params["domain"], params["token_filename"], params["token_value"])
     if err then
       ngx.log(ngx.ERR, "auto-ssl: failed to set challenge: ", err)
+      return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
     end
   elseif path == "/clean-challenge" then
     assert(params["domain"])
     assert(params["token_filename"])
     local _, err = storage:delete_challenge(params["domain"], params["token_filename"])
     if err then
       ngx.log(ngx.ERR, "auto-ssl: failed to delete challenge: ", err)
+      return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
     end
   elseif path == "/deploy-cert" then
     assert(params["domain"])
@@ -35,6 +42,10 @@ return function(auto_ssl_instance)
     local _, err = storage:set_cert(params["domain"], params["fullchain"], params["privkey"], params["cert"])
     if err then
       ngx.log(ngx.ERR, "auto-ssl: failed to set cert: ", err)
+      return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
     end
+  else
+    ngx.log(ngx.ERR, "auto-ssl: unknown request to hook server: ", path)
+    return ngx.exit(ngx.HTTP_NOT_FOUND)
   end
 end

t/file.t

@@ -64,6 +64,8 @@ __DATA__
 
   server {
     listen 127.0.0.1:8999;
+    client_body_buffer_size 128k;
+    client_max_body_size 128k;
     location / {
       content_by_lua_block {
         auto_ssl:hook_server()
@@ -190,6 +192,8 @@ auto-ssl: issuing new certificate for
 
   server {
     listen 127.0.0.1:8999;
+    client_body_buffer_size 128k;
+    client_max_body_size 128k;
     location / {
       content_by_lua_block {
         auto_ssl:hook_server()