sample files for testing

if allowed networks has changed then do not skip duplicated location but replace it (limit_except GET HEAD)
remove_location: remove / tmp filename fix
2023-02-22 11:44:05 +00:00 · 2023-02-22 09:37:45 +00:00
7 changed files with 215 additions and 21 deletions
--- a/scripts/awk
+++ b/scripts/awk
@@ -0,0 +1 @@
+awk '/-----BEGIN CERTIFICATE-----/ {show=1} /-----END CERTIFICATE-----/ {show=1} show {print}' keys/$ovpn.crt >> result
--- a/scripts/domain.example.conf
+++ b/scripts/domain.example.conf
@@ -0,0 +1,87 @@
+server {
+listen 80 proxy_protocol;
+server_name domain.example;
+set_real_ip_from 0.0.0.0/0;
+real_ip_header proxy_protocol;
+rewrite_log on;
+return 301 https://domain.example;
+}
+server {
+listen 443 ssl proxy_protocol;
+set_real_ip_from 0.0.0.0/0;
+real_ip_header proxy_protocol;
+server_name domain.example;
+client_max_body_size 0;
+rewrite_log on;
+proxy_ssl_server_name on; 
+ ssl_dhparam /etc/ssl/keys/domain.example/dhparam.pem;
+ssl_certificate /etc/ssl/keys/fullchain.pem;
+ ssl_certificate_key /etc/ssl/keys/key.pem;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !kDHE";
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;
+ssl_stapling on;
+location / {
+ limit_except GET HEAD {
+ 	allow 192.168.109.1;
+ 	allow 192.168.109.2;
+ 	deny  all;
+ }
+ proxy_pass http://domain-app:80;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_cookie_path / /;
+ proxy_set_header Connection $http_connection;
+ proxy_connect_timeout      300;
+ proxy_send_timeout         300;
+ proxy_read_timeout         300;
+ proxy_next_upstream off;
+ proxy_redirect off;
+ proxy_buffering off;
+}
+location example2 {
+ proxy_pass http://example-app2-modified:80;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_cookie_path example2 example2;
+ proxy_set_header Connection $http_connection;
+ proxy_connect_timeout      300;
+ proxy_send_timeout         300;
+ proxy_read_timeout         300;
+ proxy_next_upstream off;
+ proxy_redirect off;
+ proxy_buffering off;
+}
+# location end
+location example {
+ limit_except GET HEAD {
+ 	allow 192.168.105.1
+ 	allow 192.168.106.1
+ 	allow 192.168.107.1
+ 	deny all;
+ }
+ proxy_pass http://example-app:80;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_cookie_path example example;
+ proxy_set_header Connection $http_connection;
+ proxy_connect_timeout      300;
+ proxy_send_timeout         300;
+ proxy_read_timeout         300;
+ proxy_next_upstream off;
+ proxy_redirect off;
+ proxy_buffering off;
+}
+# location end
+}
--- a/scripts/domains/app.domain.example
+++ b/scripts/domains/app.domain.example
@@ -0,0 +1,23 @@
+{
+"DEBUG": "true",
+"DOMAIN": "domain.example",
+"ALIASES_HTTP": [ ],
+"ALIASES_HTTPS": [ ],
+"LOCAL_NAME": "domain-app",
+"HTTP_PORT": "",
+"HTTPS_PORT": "80",
+"ERROR_PAGE": "",
+"REDIRECT_HTTP": "",
+"REDIRECT_HTTPS": "",
+"MAX_BODY_SIZE": "",
+"ALLOWED_NETWORK": [ "192.168.109.1", "192.168.109.2", "192.168.110.2" ],
+"OPERATION": "CREATE",
+"ALTERNATE_LOCATION_PATH": [
+	{
+        "LOCAL_PATH": "example",
+        "LOCAL_NAME": "example-app",
+        "LOCAL_PORT": "",
+	"LOCAL_ALLOWED_NETWORK": [ "192.168.105.1", "192.168.106.1", "192.168.107.1" ]
+        }
+]
+}
--- a/scripts/domains/app2.domain.example
+++ b/scripts/domains/app2.domain.example
@@ -0,0 +1,24 @@
+{
+"DEBUG": "true",
+"DOMAIN": "domain.example",
+"ALIASES_HTTP": [ ],
+"ALIASES_HTTPS": [ ],
+"LOCAL_NAME": "domain-app2",
+"HTTP_PORT": "",
+"HTTPS_PORT": "80",
+"ERROR_PAGE": "",
+"REDIRECT_HTTP": "",
+"REDIRECT_HTTPS": "",
+"MAX_BODY_SIZE": "",
+"ALLOWED_NETWORK": [ ],
+"OPERATION": "MODIFY",
+"ALTERNATE_LOCATION_PATH": [
+	{
+        "LOCAL_PATH": "example2",
+        "LOCAL_NAME": "example-app2-modified",
+        "LOCAL_PORT": "",
+	"LOCAL_ALLOWED_NETWORK": [ ]
+        }
+	]
+
+}
--- a/scripts/domains/app3.domain.example
+++ b/scripts/domains/app3.domain.example
@@ -0,0 +1,23 @@
+{
+"DEBUG": "true",
+"DOMAIN": "domain.example",
+"ALIASES_HTTP": [ ],
+"ALIASES_HTTPS": [ ],
+"LOCAL_NAME": "domain-app",
+"HTTP_PORT": "",
+"HTTPS_PORT": "80",
+"ERROR_PAGE": "",
+"REDIRECT_HTTP": "",
+"REDIRECT_HTTPS": "",
+"MAX_BODY_SIZE": "",
+"ALLOWED_NETWORK": [ ],
+"ALTERNATE_LOCATION_PATH": [
+	{
+        "LOCAL_PATH": "example3",
+        "LOCAL_NAME": "example-app3",
+        "LOCAL_PORT": "",
+	"LOCAL_ALLOWED_NETWORK": [ ]
+        }
+	]
+
+}
--- a/scripts/domains/domain.sample
+++ b/scripts/domains/domain.sample
@@ -0,0 +1,13 @@
+{
+"DEBUG": "true",
+"DOMAIN": "domain.example",
+"ALIASES_HTTP": [ ],
+"ALIASES_HTTPS": [ ],
+"LOCAL_NAME": "domain-app",
+"HTTP_PORT": "",
+"HTTPS_PORT": "80",
+"ERROR_PAGE": "",
+"REDIRECT_HTTP": "",
+"REDIRECT_HTTPS": "",
+"MAX_BODY_SIZE": ""
+}
--- a/scripts/nginx_config_create.sh
+++ b/scripts/nginx_config_create.sh
@@ -25,6 +25,7 @@ LOCAL_NAME=$(jq -r .LOCAL_NAME $DOMAIN_SOURCE 2>/dev/null);
 if [[ "$LOCAL_NAME" == "" || "$LOCAL_NAME" == "null" ]]; then
        LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null);
 fi
+RELOAD_LOCATIONS="";

 if [ -n "$2" ]; then
 	echo "$DOMAIN_NAME DELETED";
@@ -60,6 +61,14 @@ add_location() {
 				# do not duplicate locations
 				EXISTS=$(grep -rn "location $ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf);
 				if [ -n "$EXISTS" ]; then
+					ROW_NUMBER=$(echo $EXISTS | cut -d ':' -f1);
+					START=$(($ROW_NUMBER + 2));
+					OFFSET=$(tail -n+$START $DOMAIN_NAME.conf | grep -n '}' -m 1 | cut -d ':' -f1);
+					OFFSET=$(($OFFSET - 2));
+					ALP_ALLOWED=$(echo $(tail -n+$START $DOMAIN_NAME.conf | head -n $OFFSET | awk '{print $2}')); # echo removes space at the end
+					if [ "$ALP_LOCAL_ALLOWED_NETWORK" != "$ALP_ALLOWED" ]; then
+						RELOAD_LOCATIONS=$RELOAD_LOCATIONS$ALP_LOCAL_PATH" "
+					fi;
 					# skip if exists
 					continue;
 				fi;
@@ -75,11 +84,12 @@ add_location() {
 				echo "location $ALP_LOCAL_PATH {"

 				if [[ "$ALP_LOCAL_ALLOWED_NETWORK" != "" ]]; then
-
-				for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK) ; do
-						echo "     allow "$i";"
-				done
-						echo "     deny  all;"
+					echo " limit_except GET HEAD {";
+					for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK) ; do
+						echo " 	allow $i";
+					done;
+					echo " 	deny all;";
+					echo " }";
 				fi

 				if [[ "$ALP_LOCAL_PORT" != "" ]]; then
@@ -131,22 +141,24 @@ remove_alternate_location() {
 remove_location() {
 	local LOCATION=$1

-	LOCATION_ROW="location /$LOCATION {";
+	LOCATION_ROW="location $LOCATION {";
 	ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1);
-	OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1);
-	START=$(($ROW_NUMBER - 1));
-	END=$(($ROW_NUMBER + $OFFSET));
+	if [ -n "$ROW_NUMBER" ]; then
+		OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1);
+		START=$(($ROW_NUMBER - 1));
+		END=$(($ROW_NUMBER + $OFFSET));

-	{
-		head -n$START $DOMAIN_NAME.conf
-		tail -n+$END $DOMAIN_NAME.conf
-	} >> $file
+		{
+			head -n$START $DOMAIN_NAME.conf
+			tail -n+$END $DOMAIN_NAME.conf
+		} >> $file

-	mv $file $DOMAIN_NAME.conf;
+		mv $file $DOMAIN_NAME.conf;
+	fi;
 }


-file="/tmp/$DOMAIN.conf"
+file="/tmp/$DOMAIN_NAME.conf"

 # check whether certificates exist or not

@@ -166,6 +178,13 @@ if [ -f $DOMAIN_NAME.conf ]; then
 	else
 		# default CREATE, append location
 		add_alternate_location;
+
+		# reload alternate locations if allowed networks has changed
+		if [ -n "$RELOAD_LOCATIONS" ]; then
+			rm $file;
+			remove_alternate_location;
+			add_alternate_location;
+		fi;
 	fi;
 else

@@ -223,12 +242,14 @@ if [[ "$HTTP_PORT" != "" && "$HTTP_PORT" != "80" ]]; then
 				ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
 				ALLOWED_NETWORK_IDX=$(( $ALLOWED_NETWORK_IDX - 1 ))
 				
+				echo " limit_except GET HEAD {";
 				for i in $(seq 0 $ALLOWED_NETWORK_IDX) ; do
-						AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
-						echo "     allow "$AN";"
+					AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
+					echo " 	allow "$AN";"
 				done
-				echo "     deny  all;"
-		 	fi	
+				echo " 	deny  all;"
+				echo " }";
+		 	fi
 	
 			if [[ "$HTTP_PORT" != "" ]]; then
 	 			echo " proxy_pass http://$LOCAL_NAME:$HTTP_PORT;"
@@ -322,11 +343,13 @@ location = /$ERROR_PAGE {
 			ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
 			ALLOWED_NETWORK_IDX=$(( $ALLOWED_NETWORK_IDX - 1 ))
 			
+			echo " limit_except GET HEAD {";
 			for i in $(seq 0 $ALLOWED_NETWORK_IDX) ; do
 					AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
-					echo "     allow "$AN";"
+					echo " 	allow "$AN";"
 			done
-			echo "     deny  all;"
+			echo " 	deny  all;"
+			echo " }";
 	 	fi	
 echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"
Author	SHA1	Message	Date
hael	dbf7bc82ea	sample files for testing	2023-02-22 11:44:05 +00:00
hael	55f0ebdd89	if allowed networks has changed then do not skip duplicated location but replace it (limit_except GET HEAD) remove_location: remove / tmp filename fix	2023-02-22 09:37:45 +00:00
				`@@ -0,0 +1 @@`
				`awk '/-----BEGIN CERTIFICATE-----/ {show=1} /-----END CERTIFICATE-----/ {show=1} show {print}' keys/$ovpn.crt >> result`