bastion/nginx-proxy-manager
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Certificates ui section and permissions

Browse Source
This commit is contained in:
Jamie Curnow
2018-08-02 19:48:47 +10:00
parent 66e25e315b
commit 1c57ccdc87
65 changed files with 1697 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/backend/index.js
View File

@ -9,6 +9,7 @@ function appStart () {
const setup = require('./setup');
const app = require('./app');
const apiValidator = require('./lib/validator/api');
const internalSsl = require('./internal/ssl');
return migrate.latest()
.then(() => {
@ -18,6 +19,9 @@ function appStart () {
return apiValidator.loadSchemas;
})
.then(() => {
internalSsl.initTimer();
const server = app.listen(81, () => {
logger.info('PID ' + process.pid + ' listening on port 81 ...');

183
src/backend/internal/certificate.js Normal file
View File

@ -0,0 +1,183 @@
'use strict';
const _ = require('lodash');
const error = require('../lib/error');
const certificateModel = require('../models/certificate');
function omissions () {
return ['is_deleted'];
}
const internalCertificate = {
/**
* @param {Access} access
* @param {Object} data
* @returns {Promise}
*/
create: (access, data) => {
return access.can('certificates:create', data)
.then(access_data => {
// TODO
return {};
});
},
/**
* @param {Access} access
* @param {Object} data
* @param {Integer} data.id
* @param {String} [data.email]
* @param {String} [data.name]
* @return {Promise}
*/
update: (access, data) => {
return access.can('certificates:update', data.id)
.then(access_data => {
// TODO
return {};
});
},
/**
* @param {Access} access
* @param {Object} data
* @param {Integer} data.id
* @param {Array} [data.expand]
* @param {Array} [data.omit]
* @return {Promise}
*/
get: (access, data) => {
if (typeof data === 'undefined') {
data = {};
}
if (typeof data.id === 'undefined' || !data.id) {
data.id = access.token.get('attrs').id;
}
return access.can('certificates:get', data.id)
.then(access_data => {
let query = certificateModel
.query()
.where('is_deleted', 0)
.andWhere('id', data.id)
.allowEager('[owner]')
.first();
if (access_data.permission_visibility !== 'all') {
query.andWhere('owner_user_id', access.token.get('attrs').id);
}
// Custom omissions
if (typeof data.omit !== 'undefined' && data.omit !== null) {
query.omit(data.omit);
}
if (typeof data.expand !== 'undefined' && data.expand !== null) {
query.eager('[' + data.expand.join(', ') + ']');
}
return query;
})
.then(row => {
if (row) {
return _.omit(row, omissions());
} else {
throw new error.ItemNotFoundError(data.id);
}
});
},
/**
* @param {Access} access
* @param {Object} data
* @param {Integer} data.id
* @param {String} [data.reason]
* @returns {Promise}
*/
delete: (access, data) => {
return access.can('certificates:delete', data.id)
.then(() => {
return internalCertificate.get(access, {id: data.id});
})
.then(row => {
if (!row) {
throw new error.ItemNotFoundError(data.id);
}
return certificateModel
.query()
.where('id', row.id)
.patch({
is_deleted: 1
});
})
.then(() => {
return true;
});
},
/**
* All Lists
*
* @param {Access} access
* @param {Array} [expand]
* @param {String} [search_query]
* @returns {Promise}
*/
getAll: (access, expand, search_query) => {
return access.can('certificates:list')
.then(access_data => {
let query = certificateModel
.query()
.where('is_deleted', 0)
.groupBy('id')
.omit(['is_deleted'])
.allowEager('[owner]')
.orderBy('name', 'ASC');
if (access_data.permission_visibility !== 'all') {
query.andWhere('owner_user_id', access.token.get('attrs').id);
}
// Query is used for searching
if (typeof search_query === 'string') {
query.where(function () {
this.where('name', 'like', '%' + search_query + '%');
});
}
if (typeof expand !== 'undefined' && expand !== null) {
query.eager('[' + expand.join(', ') + ']');
}
return query;
});
},
/**
* Report use
*
* @param {Integer} user_id
* @param {String} visibility
* @returns {Promise}
*/
getCount: (user_id, visibility) => {
let query = certificateModel
.query()
.count('id as count')
.where('is_deleted', 0);
if (visibility !== 'all') {
query.andWhere('owner_user_id', user_id);
}
return query.first()
.then(row => {
return parseInt(row.count, 10);
});
}
};
module.exports = internalCertificate;

17
src/backend/internal/dead-host.js
View File

@ -4,6 +4,7 @@ const _ = require('lodash');
const error = require('../lib/error');
const deadHostModel = require('../models/dead_host');
const internalHost = require('./host');
const internalNginx = require('./nginx');
const internalAuditLog = require('./audit-log');
function omissions () {
@ -49,6 +50,13 @@ const internalDeadHost = {
.omit(omissions())
.insertAndFetch(data);
})
.then(row => {
// Configure nginx
return internalNginx.configure(deadHostModel, 'dead_host', row)
.then(() => {
return internalDeadHost.get(access, {id: row.id, expand: ['owner']});
});
})
.then(row => {
// Add to audit log
return internalAuditLog.add(access, {
@ -58,7 +66,7 @@ const internalDeadHost = {
meta: data
})
.then(() => {
return _.omit(row, omissions());
return row;
});
});
},
@ -192,6 +200,13 @@ const internalDeadHost = {
.patch({
is_deleted: 1
})
.then(() => {
// Delete Nginx Config
return internalNginx.deleteConfig('dead_host', row)
.then(() => {
return internalNginx.reload();
});
})
.then(() => {
// Add to audit log
row.meta = internalHost.cleanMeta(row.meta);

124
src/backend/internal/nginx.js
View File

@ -1,18 +1,94 @@
'use strict';
const fs = require('fs');
const Liquid = require('liquidjs');
const logger = require('../logger').nginx;
const utils = require('../lib/utils');
const error = require('../lib/error');
const _ = require('lodash');
const fs = require('fs');
const Liquid = require('liquidjs');
const logger = require('../logger').nginx;
const utils = require('../lib/utils');
const error = require('../lib/error');
const internalSsl = require('./ssl');
const debug_mode = process.env.NODE_ENV !== 'production';
const internalNginx = {
/**
* This will:
* - test the nginx config first to make sure it's OK
* - create / recreate the config for the host
* - test again
* - IF OK: update the meta with online status
* - IF BAD: update the meta with offline status and remove the config entirely
* - then reload nginx
*
* @param {Object} model
* @param {String} host_type
* @param {Object} host
* @returns {Promise}
*/
configure: (model, host_type, host) => {
return internalNginx.test()
.then(() => {
// Nginx is OK
// We're deleting this config regardless.
return internalNginx.deleteConfig(host_type, host); // Don't throw errors, as the file may not exist at all
})
.then(() => {
if (host.ssl && !internalSsl.hasValidSslCerts(host_type, host)) {
return internalSsl.configureSsl(host_type, host);
}
})
.then(() => {
return internalNginx.generateConfig(host_type, host);
})
.then(() => {
// Test nginx again and update meta with result
return internalNginx.test()
.then(() => {
// nginx is ok
return model
.query()
.where('id', host.id)
.patch({
meta: _.assign({}, host.meta, {
nginx_online: true,
nginx_err: null
})
});
})
.catch(err => {
if (debug_mode) {
logger.error('Nginx test failed:', err.message);
}
// config is bad, update meta and delete config
return model
.query()
.where('id', host.id)
.patch({
meta: _.assign({}, host.meta, {
nginx_online: false,
nginx_err: err.message
})
})
.then(() => {
return internalNginx.deleteConfig(host_type, host, true);
});
});
})
.then(() => {
return internalNginx.reload();
});
},
/**
* @returns {Promise}
*/
test: () => {
logger.info('Testing Nginx configuration');
if (debug_mode) {
logger.info('Testing Nginx configuration');
}
return utils.exec('/usr/sbin/nginx -t');
},
@ -43,8 +119,13 @@ const internalNginx = {
* @returns {Promise}
*/
generateConfig: (host_type, host) => {
host_type = host_type.replace(new RegExp('-', 'g'), '_');
if (debug_mode) {
logger.info('Generating ' + host_type + ' Config:', host);
}
let renderEngine = Liquid();
host_type = host_type.replace(new RegExp('-', 'g'), '_');
return new Promise((resolve, reject) => {
let template = null;
@ -56,14 +137,23 @@ const internalNginx = {
return;
}
return renderEngine
renderEngine
.parseAndRender(template, host)
.then(config_text => {
fs.writeFileSync(filename, config_text, {encoding: 'utf8'});
return true;
if (debug_mode) {
logger.success('Wrote config:', filename, config_text);
}
resolve(true);
})
.catch(err => {
throw new error.ConfigurationError(err.message);
if (debug_mode) {
logger.warn('Could not write ' + filename + ':', err.message);
}
reject(new error.ConfigurationError(err.message));
});
});
},
@ -75,10 +165,22 @@ const internalNginx = {
* @returns {Promise}
*/
deleteConfig: (host_type, host, throw_errors) => {
host_type = host_type.replace(new RegExp('-', 'g'), '_');
return new Promise((resolve, reject) => {
try {
fs.unlinkSync(internalNginx.getConfigName(host_type, host.id));
let config_file = internalNginx.getConfigName(host_type, host.id);
if (debug_mode) {
logger.warn('Deleting nginx config: ' + config_file);
}
fs.unlinkSync(config_file);
} catch (err) {
if (debug_mode) {
logger.warn('Could not delete config:', err.message);
}
if (throw_errors) {
reject(err);
}

19
src/backend/internal/proxy-host.js
View File

@ -4,6 +4,7 @@ const _ = require('lodash');
const error = require('../lib/error');
const proxyHostModel = require('../models/proxy_host');
const internalHost = require('./host');
const internalNginx = require('./nginx');
const internalAuditLog = require('./audit-log');
function omissions () {
@ -50,6 +51,15 @@ const internalProxyHost = {
.insertAndFetch(data);
})
.then(row => {
// Configure nginx
return internalNginx.configure(proxyHostModel, 'proxy_host', row)
.then(() => {
return internalProxyHost.get(access, {id: row.id, expand: ['owner']});
});
})
.then(row => {
data.meta = _.assign({}, data.meta || {}, row.meta);
// Add to audit log
return internalAuditLog.add(access, {
action: 'created',
@ -58,7 +68,7 @@ const internalProxyHost = {
meta: data
})
.then(() => {
return _.omit(row, omissions());
return row;
});
});
},
@ -192,6 +202,13 @@ const internalProxyHost = {
.patch({
is_deleted: 1
})
.then(() => {
// Delete Nginx Config
return internalNginx.deleteConfig('proxy_host', row)
.then(() => {
return internalNginx.reload();
});
})
.then(() => {
// Add to audit log
row.meta = internalHost.cleanMeta(row.meta);

17
src/backend/internal/redirection-host.js
View File

@ -4,6 +4,7 @@ const _ = require('lodash');
const error = require('../lib/error');
const redirectionHostModel = require('../models/redirection_host');
const internalHost = require('./host');
const internalNginx = require('./nginx');
const internalAuditLog = require('./audit-log');
function omissions () {
@ -49,6 +50,13 @@ const internalRedirectionHost = {
.omit(omissions())
.insertAndFetch(data);
})
.then(row => {
// Configure nginx
return internalNginx.configure(redirectionHostModel, 'redirection_host', row)
.then(() => {
return internalRedirectionHost.get(access, {id: row.id, expand: ['owner']});
});
})
.then(row => {
// Add to audit log
return internalAuditLog.add(access, {
@ -58,7 +66,7 @@ const internalRedirectionHost = {
meta: data
})
.then(() => {
return _.omit(row, omissions());
return row;
});
});
},
@ -192,6 +200,13 @@ const internalRedirectionHost = {
.patch({
is_deleted: 1
})
.then(() => {
// Delete Nginx Config
return internalNginx.deleteConfig('redirection_host', row)
.then(() => {
return internalNginx.reload();
});
})
.then(() => {
// Add to audit log
row.meta = internalHost.cleanMeta(row.meta);

3
src/backend/internal/ssl.js
View File

@ -17,6 +17,7 @@ const internalSsl = {
interval_processing: false,
initTimer: () => {
logger.info('Let\'s Encrypt Renewal Timer initialized');
internalSsl.interval = setInterval(internalSsl.processExpiringHosts, internalSsl.interval_timeout);
},
@ -51,7 +52,7 @@ const internalSsl = {
*/
hasValidSslCerts: (host_type, host) => {
host_type = host_type.replace(new RegExp('-', 'g'), '_');
let le_path = '/etc/letsencrypt/live/' + host_type + '_' + host.id;
let le_path = '/etc/letsencrypt/live/' + host_type + '-' + host.id;
return fs.existsSync(le_path + '/fullchain.pem') && fs.existsSync(le_path + '/privkey.pem');
},

17
src/backend/internal/stream.js
View File

@ -3,6 +3,7 @@
const _ = require('lodash');
const error = require('../lib/error');
const streamModel = require('../models/stream');
const internalNginx = require('./nginx');
const internalAuditLog = require('./audit-log');
function omissions () {
@ -31,6 +32,13 @@ const internalStream = {
.omit(omissions())
.insertAndFetch(data);
})
.then(row => {
// Configure nginx
return internalNginx.configure(streamModel, 'stream', row)
.then(() => {
return internalStream.get(access, {id: row.id, expand: ['owner']});
});
})
.then(row => {
// Add to audit log
return internalAuditLog.add(access, {
@ -40,7 +48,7 @@ const internalStream = {
meta: data
})
.then(() => {
return _.omit(row, omissions());
return row;
});
});
},
@ -153,6 +161,13 @@ const internalStream = {
.patch({
is_deleted: 1
})
.then(() => {
// Delete Nginx Config
return internalNginx.deleteConfig('stream', row)
.then(() => {
return internalNginx.reload();
});
})
.then(() => {
// Add to audit log
return internalAuditLog.add(access, {

3
src/backend/internal/user.js
View File

@ -70,7 +70,8 @@ const internalUser = {
redirection_hosts: 'manage',
dead_hosts: 'manage',
streams: 'manage',
access_lists: 'manage'
access_lists: 'manage',
certificates: 'manage'
})
.then(() => {
return internalUser.get(access, {id: user.id, expand: ['permissions']});

3
src/backend/lib/access.js
View File

@ -262,7 +262,8 @@ module.exports = function (token_string) {
permission_redirection_hosts: permissions.redirection_hosts,
permission_dead_hosts: permissions.dead_hosts,
permission_streams: permissions.streams,
permission_access_lists: permissions.access_lists
permission_access_lists: permissions.access_lists,
permission_certificates: permissions.certificates
}
};

23
src/backend/lib/access/certificates-create.json Normal file
View File

@ -0,0 +1,23 @@
{
"anyOf": [
{
"$ref": "roles#/definitions/admin"
},
{
"type": "object",
"required": ["permission_certificates", "roles"],
"properties": {
"permission_certificates": {
"$ref": "perms#/definitions/manage"
},
"roles": {
"type": "array",
"items": {
"type": "string",
"enum": ["user"]
}
}
}
}
]
}

23
src/backend/lib/access/certificates-delete.json Normal file
View File

@ -0,0 +1,23 @@
{
"anyOf": [
{
"$ref": "roles#/definitions/admin"
},
{
"type": "object",
"required": ["permission_certificates", "roles"],
"properties": {
"permission_certificates": {
"$ref": "perms#/definitions/manage"
},
"roles": {
"type": "array",
"items": {
"type": "string",
"enum": ["user"]
}
}
}
}
]
}

23
src/backend/lib/access/certificates-get.json Normal file
View File

@ -0,0 +1,23 @@
{
"anyOf": [
{
"$ref": "roles#/definitions/admin"
},
{
"type": "object",
"required": ["permission_certificates", "roles"],
"properties": {
"permission_certificates": {
"$ref": "perms#/definitions/view"
},
"roles": {
"type": "array",
"items": {
"type": "string",
"enum": ["user"]
}
}
}
}
]
}

23
src/backend/lib/access/certificates-list.json Normal file
View File

@ -0,0 +1,23 @@
{
"anyOf": [
{
"$ref": "roles#/definitions/admin"
},
{
"type": "object",
"required": ["permission_certificates", "roles"],
"properties": {
"permission_certificates": {
"$ref": "perms#/definitions/view"
},
"roles": {
"type": "array",
"items": {
"type": "string",
"enum": ["user"]
}
}
}
}
]
}

23
src/backend/lib/access/certificates-update.json Normal file
View File

@ -0,0 +1,23 @@
{
"anyOf": [
{
"$ref": "roles#/definitions/admin"
},
{
"type": "object",
"required": ["permission_certificates", "roles"],
"properties": {
"permission_certificates": {
"$ref": "perms#/definitions/manage"
},
"roles": {
"type": "array",
"items": {
"type": "string",
"enum": ["user"]
}
}
}
}
]
}

15
src/backend/migrations/20180618015850_initial.js
View File

@ -55,6 +55,7 @@ exports.up = function (knex/*, Promise*/) {
table.string('dead_hosts').notNull();
table.string('streams').notNull();
table.string('access_lists').notNull();
table.string('certificates').notNull();
table.unique('user_id');
});
})
@ -147,6 +148,20 @@ exports.up = function (knex/*, Promise*/) {
.then(() => {
logger.info('[' + migrate_name + '] access_list Table created');
return knex.schema.createTable('certificate', table => {
table.increments().primary();
table.dateTime('created_on').notNull();
table.dateTime('modified_on').notNull();
table.integer('owner_user_id').notNull().unsigned();
table.integer('is_deleted').notNull().unsigned().defaultTo(0);
table.string('name').notNull();
// TODO
table.json('meta').notNull();
});
})
.then(() => {
logger.info('[' + migrate_name + '] certificate Table created');
return knex.schema.createTable('access_list_auth', table => {
table.increments().primary();
table.dateTime('created_on').notNull();

52
src/backend/models/certificate.js Normal file
View File

@ -0,0 +1,52 @@
// Objection Docs:
// http://vincit.github.io/objection.js/
'use strict';
const db = require('../db');
const Model = require('objection').Model;
const User = require('./user');
Model.knex(db);
class Certificate extends Model {
$beforeInsert () {
this.created_on = Model.raw('NOW()');
this.modified_on = Model.raw('NOW()');
}
$beforeUpdate () {
this.modified_on = Model.raw('NOW()');
}
static get name () {
return 'Certificate';
}
static get tableName () {
return 'certificate';
}
static get jsonAttributes () {
return ['meta'];
}
static get relationMappings () {
return {
owner: {
relation: Model.HasOneRelation,
modelClass: User,
join: {
from: 'certificate.owner_user_id',
to: 'user.id'
},
modify: function (qb) {
qb.where('user.is_deleted', 0);
qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']);
}
}
};
}
}
module.exports = Certificate;

1
src/backend/routes/api/main.js
View File

@ -36,6 +36,7 @@ router.use('/nginx/redirection-hosts', require('./nginx/redirection_hosts'));
router.use('/nginx/dead-hosts', require('./nginx/dead_hosts'));
router.use('/nginx/streams', require('./nginx/streams'));
router.use('/nginx/access-lists', require('./nginx/access_lists'));
router.use('/nginx/certificates', require('./nginx/certificates'));
/**
* API 404 for all other routes

150
src/backend/routes/api/nginx/certificates.js Normal file
View File

@ -0,0 +1,150 @@
'use strict';
const express = require('express');
const validator = require('../../../lib/validator');
const jwtdecode = require('../../../lib/express/jwt-decode');
const internalCertificate = require('../../../internal/certificate');
const apiValidator = require('../../../lib/validator/api');
let router = express.Router({
caseSensitive: true,
strict: true,
mergeParams: true
});
/**
* /api/nginx/certificates
*/
router
.route('/')
.options((req, res) => {
res.sendStatus(204);
})
.all(jwtdecode()) // preferred so it doesn't apply to nonexistent routes
/**
* GET /api/nginx/certificates
*
* Retrieve all certificates
*/
.get((req, res, next) => {
validator({
additionalProperties: false,
properties: {
expand: {
$ref: 'definitions#/definitions/expand'
},
query: {
$ref: 'definitions#/definitions/query'
}
}
}, {
expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null),
query: (typeof req.query.query === 'string' ? req.query.query : null)
})
.then(data => {
return internalCertificate.getAll(res.locals.access, data.expand, data.query);
})
.then(rows => {
res.status(200)
.send(rows);
})
.catch(next);
})
/**
* POST /api/nginx/certificates
*
* Create a new certificate
*/
.post((req, res, next) => {
apiValidator({$ref: 'endpoints/certificates#/links/1/schema'}, req.body)
.then(payload => {
return internalCertificate.create(res.locals.access, payload);
})
.then(result => {
res.status(201)
.send(result);
})
.catch(next);
});
/**
* Specific certificate
*
* /api/nginx/certificates/123
*/
router
.route('/:host_id')
.options((req, res) => {
res.sendStatus(204);
})
.all(jwtdecode()) // preferred so it doesn't apply to nonexistent routes
/**
* GET /api/nginx/certificates/123
*
* Retrieve a specific certificate
*/
.get((req, res, next) => {
validator({
required: ['host_id'],
additionalProperties: false,
properties: {
host_id: {
$ref: 'definitions#/definitions/id'
},
expand: {
$ref: 'definitions#/definitions/expand'
}
}
}, {
host_id: req.params.host_id,
expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
})
.then(data => {
return internalCertificate.get(res.locals.access, {
id: parseInt(data.host_id, 10),
expand: data.expand
});
})
.then(row => {
res.status(200)
.send(row);
})
.catch(next);
})
/**
* PUT /api/nginx/certificates/123
*
* Update and existing certificate
*/
.put((req, res, next) => {
apiValidator({$ref: 'endpoints/certificates#/links/2/schema'}, req.body)
.then(payload => {
payload.id = parseInt(req.params.host_id, 10);
return internalCertificate.update(res.locals.access, payload);
})
.then(result => {
res.status(200)
.send(result);
})
.catch(next);
})
/**
* DELETE /api/nginx/certificates/123
*
* Update and existing certificate
*/
.delete((req, res, next) => {
internalCertificate.delete(res.locals.access, {id: parseInt(req.params.host_id, 10)})
.then(result => {
res.status(200)
.send(result);
})
.catch(next);
});
module.exports = router;

4
src/backend/schema/endpoints/users.json
View File

@ -243,6 +243,10 @@
"streams": {
"type": "string",
"pattern": "^(hidden|view|manage)$"
},
"certificates": {
"type": "string",
"pattern": "^(hidden|view|manage)$"
}
}
},

3
src/backend/setup.js
View File

@ -91,7 +91,8 @@ module.exports = function () {
redirection_hosts: 'manage',
dead_hosts: 'manage',
streams: 'manage',
access_lists: 'manage'
access_lists: 'manage',
certificates: 'manage'
});
});
});

26
src/backend/templates/dead_host.conf
View File

@ -1,19 +1,23 @@
# <%- hostname %>
# {{ domain_names | join: ", " }}
server {
listen 80;
<%- typeof ssl !== 'undefined' && ssl ? 'listen 443 ssl;' : '' %>
{%- if ssl_enabled == 1 or ssl_enabled == true -%}
listen 443 ssl;
{%- endif %}
server_name {{ domain_names | join: " " }};
access_log /data/logs/proxy_host-{{ id }}.log proxy;
server_name <%- hostname %>;
access_log /config/logs/<%- hostname %>.log proxy;
<% if (typeof ssl !== 'undefined' && ssl) { -%>
{%- if ssl_enabled == 1 or ssl_enabled == true -%}
{%- if ssl_provider == "letsencrypt" %}
# Let's Encrypt SSL
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/ssl-ciphers.conf;
ssl_certificate /etc/letsencrypt/live/<%- hostname %>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<%- hostname %>/privkey.pem;
<% } -%>
ssl_certificate /etc/letsencrypt/live/proxy_host-{{ id }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/proxy_host-{{ id }}/privkey.pem;
{%- endif -%}
{%- endif %}
<%- typeof advanced !== 'undefined' && advanced ? advanced : '' %>
# TODO: Advanced config options
return 404;
}

9
src/backend/templates/letsencrypt.conf
View File

@ -1,11 +1,10 @@
# Letsencrypt Verification Temporary Host: <%- hostname %>
# Letsencrypt Verification Temporary Host: {{ domain_names | join: ", " }}
server {
listen 80;
server_name <%- hostname %>;
access_log /config/logs/letsencrypt.log proxy;
server_name {{ domain_names | join: " " }};
access_log /data/logs/letsencrypt.log proxy;
location / {
root /config/letsencrypt-acme-challenge;
root /data/letsencrypt-acme-challenge;
}
}

56
src/backend/templates/proxy_host.conf
View File

@ -1,33 +1,51 @@
# <%- hostname %>
# {{ domain_names | join: ", " }}
server {
listen 80;
<%- typeof ssl !== 'undefined' && ssl ? 'listen 443 ssl;' : '' %>
{%- if ssl_enabled == 1 or ssl_enabled == true -%}
listen 443 ssl;
{%- endif %}
server_name {{ domain_names | join: " " }};
access_log /data/logs/proxy_host-{{ id }}.log proxy;
server_name <%- hostname %>;
set $server {{ forward_ip }};
set $port {{ forward_port }};
access_log /config/logs/<%- hostname %>.log proxy;
{% if caching_enabled == 1 or caching_enabled == true -%}
# Asset Caching
include conf.d/include/assets.conf;
{%- endif %}
{% if block_exploits == 1 or block_exploits == true -%}
# Block Exploits
include conf.d/include/block-exploits.conf;
{%- endif -%}
set $server <%- forward_server %>;
set $port <%- forward_port %>;
<%- typeof asset_caching !== 'undefined' && asset_caching ? 'include conf.d/include/assets.conf;' : '' %>
<%- typeof block_exploits !== 'undefined' && block_exploits ? 'include conf.d/include/block-exploits.conf;' : '' %>
<% if (typeof ssl !== 'undefined' && ssl) { -%>
{%- if ssl_enabled == 1 or ssl_enabled == true -%}
{%- if ssl_provider == "letsencrypt" %}
# Let's Encrypt SSL
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/ssl-ciphers.conf;
ssl_certificate /etc/letsencrypt/live/<%- hostname %>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<%- hostname %>/privkey.pem;
<% } -%>
ssl_certificate /etc/letsencrypt/live/proxy_host-{{ id }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/proxy_host-{{ id }}/privkey.pem;
{%- endif -%}
{%- endif %}
<%- typeof advanced !== 'undefined' && advanced ? advanced : '' %>
# TODO: Advanced config options
location / {
<% if (typeof access_list_id !== 'undefined' && access_list_id) { -%>
{%- if access_list_id > 0 -%}
# Access List
auth_basic "Authorization required";
auth_basic_user_file /config/access/<%- access_list_id %>;
<% } -%>
<%- typeof force_ssl !== 'undefined' && force_ssl ? 'include conf.d/include/force-ssl.conf;' : '' %>
auth_basic_user_file /config/access/{{ access_list_id }};
{%- endif %}
{%- if ssl_enabled == 1 or ssl_enabled == true -%}
{%- if ssl_forced == 1 or ssl_forced == true -%}
# Force SSL
include conf.d/include/force-ssl.conf;
{%- endif -%}
{%- endif %}
# Proxy!
include conf.d/include/proxy.conf;
}
}

40
src/backend/templates/redirection_host.conf
View File

@ -1,22 +1,34 @@
# <%- hostname %>
# {{ domain_names | join: ", " }}
server {
listen 80;
<%- typeof ssl !== 'undefined' && ssl ? 'listen 443 ssl;' : '' %>
{%- if ssl_enabled == 1 or ssl_enabled == true -%}
listen 443 ssl;
{%- endif %}
server_name {{ domain_names | join: " " }};
access_log /data/logs/proxy_host-{{ id }}.log proxy;
server_name <%- hostname %>;
{%- if caching_enabled == 1 or caching_enabled == true %}
# Asset Caching
include conf.d/include/assets.conf;
{%- endif %}
{%- if block_exploits == 1 or block_exploits == true %}
# Block Exploits
include conf.d/include/block-exploits.conf;
{%- endif -%}
access_log /config/logs/<%- hostname %>.log proxy;
<%- typeof asset_caching !== 'undefined' && asset_caching ? 'include conf.d/include/assets.conf;' : '' %>
<%- typeof block_exploits !== 'undefined' && block_exploits ? 'include conf.d/include/block-exploits.conf;' : '' %>
<% if (typeof ssl !== 'undefined' && ssl) { -%>
{%- if ssl_enabled == 1 or ssl_enabled == true -%}
{%- if ssl_provider == "letsencrypt" %}
# Let's Encrypt SSL
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/ssl-ciphers.conf;
ssl_certificate /etc/letsencrypt/live/<%- hostname %>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<%- hostname %>/privkey.pem;
<% } -%>
ssl_certificate /etc/letsencrypt/live/proxy_host-{{ id }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/proxy_host-{{ id }}/privkey.pem;
{%- endif -%}
{%- endif %}
<%- typeof advanced !== 'undefined' && advanced ? advanced : '' %>
# TODO: Advanced config options
return 301 $scheme://<%- forward_host %>$request_uri;
# TODO: Preserve Path Option
return 301 $scheme://{{ forward_domain_name }}$request_uri;
}

21
src/backend/templates/stream.conf
View File

@ -1,11 +1,14 @@
# <%- incoming_port %> - <%- protocols.join(',').toUpperCase() %>
<%
protocols.forEach(function (protocol) {
%>
# {{ incoming_port }} TCP: {{ tcp_forwarding }} UDP: {{ udp_forwarding }}
{% if tcp_forwarding == 1 or tcp_forwarding == true -%}
server {
listen <%- incoming_port %> <%- protocol === 'tcp' ? '' : protocol %>;
proxy_pass <%- forward_server %>:<%- forward_port %>;
listen {{ incoming_port }};
proxy_pass {{ forward_ip }}:{{ forwarding_port }};
}
<%
});
%>
{% endif %}
{% if udp_forwarding == 1 or udp_forwarding == true %}
server {
listen {{ incoming_port }} udp;
proxy_pass {{ forward_ip }}:{{ forwarding_port }};
}
{% endif %}