Run certificate check in the background during Nginx config creation

Merge branch 'master' of https://git.format.hu/format/proxy-scheduler

.drone.yml

@@ -0,0 +1,50 @@
+kind: pipeline
+type: kubernetes
+name: default
+
+node_selector:
+  physical-node: dev2
+
+trigger:
+  branch:
+    - master
+  event:
+    - push
+workspace:
+  path: /drone/src
+
+steps:
+  - name: build multiarch proxy-scheduler
+    image: docker.io/owncloudci/drone-docker-buildx:4
+    privileged: true
+    environment:
+      BUILDKIT_NO_HTTP2: "1" 
+    settings:
+      cache-from: [ "registry.dev.format.hu/proxy-scheduler" ]
+      registry: registry.dev.format.hu
+      repo: registry.dev.format.hu/proxy-scheduler
+      tags: latest
+      dockerfile: Dockerfile
+      username:
+        from_secret: dev-hu-registry-username
+      password: 
+        from_secret: dev-hu-registry-password
+      platforms:
+        - linux/amd64
+        - linux/arm64
+    
+  - name: pull image to dockerhub
+    image: docker.io/owncloudci/drone-docker-buildx:4
+    privileged: true
+    settings:
+      cache-from: [ "safebox/proxy-scheduler" ]
+      repo: safebox/proxy-scheduler
+      tags: latest
+      username:
+        from_secret: dockerhub-username
+      password: 
+        from_secret: dockerhub-password
+      platforms:
+        - linux/amd64
+        - linux/arm64
+        

Dockerfile

@@ -1,5 +1,6 @@
-FROM proxy-scheduler:latest
+FROM alpine
-
+RUN apk add --update --no-cache docker-cli inotify-tools openssl jq curl ca-certificates busybox-extras
 COPY scripts /scripts
+COPY firewall-letsencrypt.json /firewall-files/
 
 ENTRYPOINT ["/scripts/scheduler.sh"]

README.md

@@ -0,0 +1,22 @@
+The proxy-scheduler is an file change intendent solution to control proxy services via docker containers (at the moment).
+
+It has two parts, one for loadbalancer service which it is necessary for a backend proxy solution.
+
+All the proxy services needed the proxy.json configuration file with proper content.
+
+The proxy-scheduler use inotify kernel solution to watch changes and execute action in the proxy processes at all.
+
+The proxy scheduler use Let's Encrypt service to certifying domains
+
+## PROXY.JSON keys explanation ##
+
+The proxy.json file must be filled in almost, exept two cases:
+1. "PROXY_TYPE" must be filled when the loadbalancer service use Haproxy applications in the backend (the configuration generating is another)
+2. "LETSENCRYPT_SERVICE_NAME": if it is empty, self signed certificates will made only
+
+| KEY| VALUE|
+|-|-|
+| DOCKER_REGISTRY_URL| Docker image pathes, not mandatory|
+| PROXY_TYPE| Filled as "haproxy" when it is a public loadbalancer|
+| LETSENCRYPT_URL| Path for letsencrypt service image|
+| LETSENCRYPT_SERVICE_NAME| Let's encrypt service name| 

domain.sample

@@ -0,0 +1,29 @@
+{
+"DEBUG": "true",
+"DOMAIN": "same_name_as_the_file",
+"ALIASES_HTTP": [ ],
+"ALIASES_HTTPS": [ ],
+"LOCAL_IP": "mandatory_IP",
+"HTTP_PORT": "",
+"HTTPS_PORT": "mandatory",
+"ERROR_PAGE": "",
+"REDIRECT_HTTP": "",
+"REDIRECT_HTTPS": "",
+"MAX_BODY_SIZE": "if_not_set_it_will_be_unlimited",
+"ALLOWED_NETWORK": [ "IP/subnet_if_not_32", "IP/subnet_if_not_32" ],
+"ALTERNATE_LOCATION_PATH":         
+	{
+        "LOCAL_PATH": "",
+        "LOCAL_IP": "mandatory_if_path_exists",
+        "LOCAL_PORT": "default_80_if_empty",
+	"LOCAL_ALLOWED_NETWORK": [ "IP/subnet_if_not_32", "IP/subnet_if_not_32" ]
+        },
+        {
+        "LOCAL_PATH": "",
+        "LOCAL_IP": "mandatory_if_path_exists",
+        "LOCAL_PORT": "default_80_if_empty",
+	"LOCAL_ALLOWED_NETWORK": [ "IP/subnet_if_not_32", "IP/subnet_if_not_32" ]
+        }
+	]
+
+}

firewall-letsencrypt.json

@@ -0,0 +1,70 @@
+{
+    "main": {
+        "SERVICE_NAME": "firewalls",
+        "DOMAIN": "null"
+    },
+    "containers": [
+        {
+            "IMAGE": "safebox/firewall",
+            "NAME": "firewall",
+            "MEMORY": "64M",
+            "NETWORK": "host",
+            "SCALE": "0",
+            "VOLUMES": [
+                {
+                    "SOURCE": "/run/",
+                    "DEST": "/run/",
+                    "TYPE": "rw"
+                },
+                {
+                    "SOURCE": "/etc/user/config/services",
+                    "DEST": "/services",
+                    "TYPE": "ro"
+                },
+                {
+                    "SOURCE": "/etc/system/data/dns/hosts.local",
+                    "DEST": "/etc/dns/hosts.local",
+                    "TYPE": "ro"
+                }
+            ],
+            "PORTS": [],
+            "READYNESS": [
+                {
+                    "tcp": ""
+                },
+                {
+                    "HTTP": ""
+                },
+                {
+                    "EXEC": "/ready.sh"
+                }
+            ],
+            "ENVS": [
+                {
+                    "CHAIN": "DOCKER-USER"
+                },
+                {
+                    "SOURCE": "smarthostloadbalancer"
+                },
+                {
+                    "TARGET": "letsencrypt"
+                },
+                {
+                    "TYPE": "tcp"
+                },
+                {
+                    "TARGET_PORT": "80"
+                },
+                {
+                    "COMMENT": "letsencrypt"
+                }
+            ],
+            "EXTRA": "--privileged --rm",
+            "DEPEND": "null",
+            "START_ON_BOOT": "false",
+            "CMD": "null",
+            "PRE_START": "null",
+            "POST_START": "null"
+        }
+    ]
+}

letsencrypt.json

@@ -0,0 +1,64 @@
+{
+    "main": {
+        "SERVICE_NAME": "letsencrypt",
+        "DOMAIN": "null"
+    },
+    "networks": [
+        {
+            "NAME": "letsencrypt",
+            "DRIVER": "bridge",
+            "SUBNET": "172.18.254.0/24",
+            "RANGE": "172.18.254.0/24",
+            "GATEWAY": "172.18.254.1"
+        }
+    ],
+    "containers": [
+        {
+            "IMAGE": "safebox/letsencrypt",
+            "NAME": "letsencrypt",
+            "MEMORY": "64M",
+            "IP": "172.18.254.254",
+            "NETWORK": "letsencrypt",
+            "VOLUMES": [
+                {
+                    "SOURCE": "/etc/system/data/ssl/keys/",
+                    "DEST": "/acme.sh/",
+                    "TYPE": "rw"
+                },
+                {
+                    "SOURCE": "SHARED",
+                    "DEST": "/var/tmp/shared",
+                    "TYPE": "rw"
+                },
+                {
+                    "SOURCE": "/etc/user/config/domains",
+                    "DEST": "/domains",
+                    "TYPE": "ro"
+                }
+            ],
+            "PORTS": [],
+            "ENV_FILES": [
+                "/etc/user/config/user.json"
+            ],
+            "READYNESS": [
+                {
+                    "tcp": ""
+                },
+                {
+                    "HTTP": ""
+                },
+                {
+                    "EXEC": "/ready.sh"
+                }
+            ],
+            "EXTRA": "",
+            "DEPEND": "null",
+            "START_ON_BOOT": "false",
+            "CMD": "null",
+            "PRE_START": "null",
+            "POST_START": [
+                "firewall-letsencrypt"
+            ]
+        }
+    ]
+}

proxy-scheduler.json

@@ -3,31 +3,37 @@
         "SERVICE_NAME": "proxy-scheduler",
         "DOMAIN": "null"
     },
-        "networks": [
-                {
-                        "NAME": "null",
-                        "DRIVER": "null",
-                        "SUBNET": "null",
-                        "RANGE": "null",
-                        "GATEWAY": "null"
-                }
-        ],
     "containers": [
         {
-                        "IMAGE": "registry.format.hu/proxy-scheduler:latest",
+            "IMAGE": "safebox/proxy-scheduler:latest",
-                        "NAME": "proxy_scheduler-ifhiwhhg",
+            "NAME": "proxy_scheduler",
             "MEMORY": "64M",
             "IP": "null",
             "NETWORK": "host",
             "VOLUMES": [
+                {
+                    "SOURCE": "SHARED",
+                    "DEST": "/var/tmp/shared",
+                    "TYPE": "rw"
+                },
+                {
+                    "SOURCE": "/etc/user/config/services",
+                    "DEST": "/etc/user/config/services",
+                    "TYPE": "rw"
+                },
                 {
                     "SOURCE": "/etc/user/config/domains",
                     "DEST": "/domains",
                     "TYPE": "ro"
                 },
                 {
-                                "SOURCE": "/tmp/keys",
+                    "SOURCE": "/etc/system/data/ssl/keys",
                     "DEST": "/keys",
+                    "TYPE": "rw"
+                },
+                {
+                    "SOURCE": "/etc/system/data/ssl/certs/",
+                    "DEST": "/etc/ssl/certs/",
                     "TYPE": "ro"
                 },
                 {
@@ -41,37 +47,32 @@
                     "TYPE": "ro"
                 },
                 {
-                                "SOURCE": "/etc/ssl/certs",
-                                "DEST": "/etc/ssl/certs",
-                                "TYPE": "ro"
-                                },
-                                {
                     "SOURCE": "/var/run/docker.sock",
                     "DEST": "/var/run/docker.sock",
                     "TYPE": "rw"
-                                },
-                                {
-                                "SOURCE": "/usr/bin/docker",
-                                "DEST": "/usr/bin/docker",
-                                "TYPE": "ro"
-                                },
-                                {
-                                "SOURCE": "/home/gyurix/proxy-scheduler/scripts/scheduler.sh",
-                                "DEST": "/scripts/scheduler.sh",
-                                "TYPE": "ro"
                 }
             ],
-                        "PORTS": [ ],
+            "PORTS": [],
             "READYNESS": [
-                                {"tcp": ""},
+                {
-                                {"HTTP": ""},
+                    "tcp": ""
-                                {"EXEC": "/ready.sh"}
+                },
+                {
+                    "HTTP": ""
+                },
+                {
+                    "EXEC": "/ready.sh"
+                }
             ],
-                        "ENVS": [
+            "ENVS": [],
+            "ENV_FILES": [
+                "/etc/system/config/proxy.json"
             ],
-			"ENV_FILES": [ "/etc/system/config/proxy.json" ],
             "EXTRA": "null",
-                        "DEPEND": "null",
+            "DEPEND": [
+                "public-proxy.networks.loadbalancer",
+                "public-proxy.containers.loadbalancer-27dhuwdh"
+            ],
             "START_ON_BOOT": "true",
             "CMD": "null",
             "PRE_START": "null",

proxy.json

@@ -20,9 +20,23 @@
         "COMMENT": "edeg3e98"
     },
     "proxy_scheduler": {
-		"DOCKER_REGISTRY_URL": "registry.format.hu",
+        "DOCKER_REGISTRY_URL": "safebox",
+        "CERT_DIR": "/keys",
+        "DOMAIN_DIR": "/domains",
+        "PROXY_SERVICE_FILE": "public-proxy.json",
+        "PROXY_CONFIG_DIR": "/proxy_config",
+        "PROXY_TYPE": "haproxy",
+        "TIMEOUT": "5",
+        "RESTART": "10",
+        "ROLE": "backend-proxy",
+        "SERVICE_NAME": "public-proxy"
+    },
+    "proxy_scheduler_local": {
+        "DOCKER_REGISTRY_URL": "safebox",
         "PROXY_TYPE": "",
+        "GENERATE_CERTIFICATE": "true",
         "LETSENCRYPT_URL": "letsencrypt.org",
+        "LETSENCRYPT_SERVICE_NAME": "letsencrypt.json",
         "CERT_DIR": "/keys",
         "DOMAIN_DIR": "/domains",
         "PROXY_SERVICE_FILE": "public-proxy.json",

scripts/awk

@@ -0,0 +1 @@
+awk '/-----BEGIN CERTIFICATE-----/ {show=1} /-----END CERTIFICATE-----/ {show=1} show {print}' keys/$ovpn.crt >> result

scripts/check_certificates.sh

@@ -2,76 +2,218 @@
 
 # Set env variables
 
-	DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL
+SERVICE_FILES=$SERVICE_FILES
-	LETSENCRYPT_URL=$LETSENCRYPT_URL
+GENERATE_CERTIFICATE=$GENERATE_CERTIFICATE
-	DOMAIN_DIR=$DOMAIN_DIR
+DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL
-	DOMAIN=$1
+LETSENCRYPT_URL=$LETSENCRYPT_URL
-	DOMAIN_CERT_DIR=$CERT_DIR/$DOMAIN
+LETSENCRYPT_SERVICE_NAME=$LETSENCRYPT_SERVICE_NAME
+CERT_DIR=$CERT_DIR
+DOMAIN_DIR=$DOMAIN_DIR
+DOMAIN=$1
+DOMAIN_CERT_DIR=$CERT_DIR/$DOMAIN
+TIMEOUT=$TIMEOUT
+RESTART=$RESTART
+
+SETUP_VERSION=${SETUP_VERSION:-latest}
+LOG_DIR=/var/tmp/shared/output
+LOG_FILE=$LOG_DIR/letsencrypt.txt
+LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json
+DATE=$(date +"%Y-%m-%d-%H-%M")
+
+create_json() {
+
+    if [ ! -f $LETSENCRYPT_OUTPUT ]; then
+        install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
+        echo '{}' >$LETSENCRYPT_OUTPUT
+    fi
+
+    TMP_FILE=$(mktemp)
+    jq '
+      if . == null or . == [] then 
+        {"'$DOMAIN'":{"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
+    else 
+      . + {"'$DOMAIN'": {"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
+      end
+    ' $LETSENCRYPT_OUTPUT >$TMP_FILE
+    cat $TMP_FILE >$LETSENCRYPT_OUTPUT
+    rm $TMP_FILE
+}
+
+# Setting service files path
+if [ "$SERVICE_FILES" == "" ]; then
+    SERVICE_FILES=/etc/user/config/services
+fi
+
+if [ "$SOURCE" == "" ]; then
+    SOURCE=/etc/user/config
+fi
 
 # Setup docker registry url path
-
+if [[ -n "$DOCKER_REGISTRY_URL" && "$DOCKER_REGISTRY_URL" != "null" ]]; then
-if [[ ! -n "$DOCKER_REGISTRY_URL" && "$DOCKER_REGISTRY_URL" != "null" ]] ; then
+    SETUP="/setup"
-	SETUP="'/setup'";
 else
-	SETUP="setup";
+    SETUP="setup"
-	DOCKER_REGISTRY_URL="";
+    DOCKER_REGISTRY_URL=""
+fi
+
+if [ "$SETUP_VERSION" == "latest" ]; then
+    VOLUME_MOUNTS="
+--mount src=SYSTEM_DATA,dst=/etc/ssl/certs,volume-subpath=ssl/certs,ro \
+--mount src=SYSTEM_DATA,dst=/etc/dns/hosts.local,volume-subpath=dns/hosts.local,ro \
+--mount src=USER_CONFIG,dst=/services,volume-subpath=services/tmp \
+--mount src=USER_CONFIG,dst=/etc/user/config/system.json,volume-subpath=system.json,ro \
+--mount src=USER_CONFIG,dst=/etc/user/config/user.json,volume-subpath=user.json,ro \
+"
+else
+    VOLUME_MOUNTS="
+ -v /etc/system/data/dns:/etc/dns:rw \
+ -v /etc/ssl/certs:/etc/ssl/certs:ro \
+ -v /etc/user/config/user.json:/etc/user/config/user.json:ro \
+ -v /etc/user/config/system.json:/etc/user/config/system.json:ro \
+ -v /etc/user/config/services/:/services/:ro \
+ -v /etc/user/config/services/tmp:/services/tmp:rw \
+"
 fi
 
 service_exec="docker run --rm \
- -v /etc/user/config/user.json:/etc/user/config/user.json:ro \
+-w /services/ \
- -v /etc/user/config/services/:/services/:ro \
+$VOLUME_MOUNTS
- -v /var/run/docker.sock:/var/run/docker.sock \
+-v /var/run/docker.sock:/var/run/docker.sock \
- -v /usr/bin/docker:/usr/bin/docker:ro $DOCKER_REGISTRY_URL$SETUP /scripts/service-exec"
+--env DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL \
+$DOCKER_REGISTRY_URL$SETUP:$SETUP_VERSION"
 
 letsencrypt_certificates() {
 
-	local RUNNING_CONTAINERS;
+    #cd /
 
-	cd /
+    for retries in $(seq 0 $((RESTART + 1))); do
+        if [[ $retries -le $RESTART ]]; then
 
-	# Check services with running containers by roles
+            LETS_ENCRYPT_VALUE="$(docker ps | grep letsencrypt | grep Up | wc -l)"
-	for CONTAINER in $(jq -r --arg ROLE $ROLE '.containers[] | select(.ROLES==$ROLE)' /$PROXY_SERVICE_FILE | jq -r .NAME) ; do
+            if [[ $LETS_ENCRYPT_VALUE -eq 0 ]]; then
-		UP=$(docker ps | grep $CONTAINER | grep Up | wc -l)
+                echo "Starting letsencrypt process"
-		RUNNING_CONTAINERS=$((RUNNING_CONTAINERS + UP))
+                mkdir -p $SERVICE_FILES/tmp/tmp
-	done;
+                cp -av /firewall-files/firewall-letsencrypt.json $SERVICE_FILES/tmp/
+                LETSENCRYPT_TEMP_SERVICE_FILE=$(mktemp -p $SERVICE_FILES/tmp/)
+                ENVS='[                                                              
+                                        {"DOMAIN": "'$DOMAIN'"},                                     
+                                        {"TIMEOUT": "'$TIMEOUT'"},                                   
+                                        {"RESTART": "'$RESTART'"}                                    
+                                ]'
+                VOLUMES='                                                            
+                                        {                                                            
+                                                "SOURCE": "/etc/user/config/user.json",              
+                                                "DEST": "/etc/user/config/user.json",                
+                                                "TYPE": "ro"                                         
+                                        }                                                            
+                                '
+                jq '.containers[0].ENVS |='"$ENVS"' | .containers[0].VOLUMES[.containers[0].VOLUMES|length]|='"$VOLUMES" $SERVICE_FILES/$LETSENCRYPT_SERVICE_NAME >$LETSENCRYPT_TEMP_SERVICE_FILE.json
+                $service_exec $(basename $LETSENCRYPT_TEMP_SERVICE_FILE) start info prechecked
+                rm -v $SERVICE_FILES/tmp/firewall-letsencrypt.json
+                break
+            else
+                echo "Waiting "$TIMEOUT" second for previous letsencrypt process ending"
+                sleep $TIMEOUT
 
-	# In case of no running proxies found, try to start the service
+                echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process."
-	if [[ "$RUNNING_CONTAINERS" -eq 0 ]] ; then 
+            fi
-		echo "No running proxies found, create self signed cetificate";
+        else
-		create_self_signed_certificate;
+            echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate"
-	fi;
+        fi
+
+    done
 
-	$service_exec /services/letsencrypt.json start
 }
 
 create_self_signed_certificate() {
 
-# generate key
+    # Check any certificate exists
-openssl req -x509 -newkey rsa:4096 -keyout $DOMAIN_CERT_DIR/key.pem -out $DOMAIN_CERT_DIR/cert.pem -days 365 -sha256 -nodes -subj "/CN=$DOMAIN";
+
-cp -a $DOMAIN_CERT_DIR/cert.pem $DOMAIN_CERT_DIR/fullchain.pem;
+    if [[ ! -f $DOMAIN_CERT_DIR/key.pem && ! -f $DOMAIN_CERT_DIR/fullchain.pem && ! -f $DOMAIN_CERT_DIR/cert.pem ]]; then
+
+        # generate key
+        echo "No any certificates found, generate self signed"
+        openssl req -x509 -newkey rsa:4096 -keyout $DOMAIN_CERT_DIR/key.pem -out $DOMAIN_CERT_DIR/cert.pem -days 365 -sha256 -nodes -subj "/CN=$DOMAIN"
+        cp -a $DOMAIN_CERT_DIR/cert.pem $DOMAIN_CERT_DIR/fullchain.pem
+
+    fi
 
 }
 
 if [ ! -d "$DOMAIN_CERT_DIR" ]; then
     echo "$DOMAIN not contains certificates, creates new."
-	mkdir -p $DOMAIN_CERT_DIR;
+    mkdir -p $DOMAIN_CERT_DIR
 fi
 
 if [ ! -f "$DOMAIN_CERT_DIR/dhparam.pem" ]; then
     # generate dhparam file
-	openssl dhparam -dsaparam -out $DOMAIN_CERT_DIR/dhparam.pem 4096; 
+    openssl dhparam -dsaparam -out $DOMAIN_CERT_DIR/dhparam.pem 4096
+    create_self_signed_certificate
+
+    PROXY_NAMES=""
+    # Check services with running containers by roles
+    for CONTAINER in $(jq -r --arg ROLE $ROLE '.containers[] | select(.ROLES==$ROLE)' /$PROXY_SERVICE_FILE | jq -r .NAME); do
+        PROXY_NAMES=$PROXY_NAMES" "$CONTAINER
+    done
+
+    for NAME in $(echo $PROXY_NAMES); do
+        RUNNING_CONTAINER=$(docker ps | grep $NAME | grep Up)
+        if [ "$RUNNING_CONTAINER" != "" ]; then
+            echo "Restarting $NAME"
+            docker restart $NAME
+        else
+            echo "Starting $NAME"
+            docker start $NAME
+        fi
+        docker ps | grep $NAME
+    done
+
 fi
 
-CURL_CHECK="curl -s -o /dev/null -w "%{http_code}" https://$LETSENCRYPT_URL";
+if [ "$GENERATE_CERTIFICATE" == "true" ] && [ "$DOMAIN" != "localhost" ]; then
+
+    CURL_CHECK="curl -s -o /dev/null -w "%{http_code}" https://$LETSENCRYPT_URL"
+
+    if [[ "$(eval $CURL_CHECK)" == "200" ]]; then
 
-if [[ "$(eval $CURL_CHECK)" != "200" ]] ; then
-	create_self_signed_certificate;
-else
         file="$DOMAIN_CERT_DIR/letsencrypt"
         {
             echo "{ \"DOMAIN\": \"$DOMAIN\" }"
-	} >> "$file"
+        } >>"$file"
-	letsencrypt_certificates;
+
+        if [ ! -f $LETSENCRYPT_OUTPUT ]; then
+            install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
+            echo '{}' >$LETSENCRYPT_OUTPUT
+        fi
+        DOMAIN_CHECK="curl -s -o /dev/null -w "%{http_code}" http://$DOMAIN"
+        if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then
+            echo "DOMAIN CHECK: $(eval $DOMAIN_CHECK)"
+            letsencrypt_certificates
+            echo "Started letsencrypt for domain: $DOMAIN first time"
+        else
+            echo "Not starting letsencrypt, waiting $TIMEOUT seconds"
+            for retries in $(seq 0 $((RESTART + 1))); do
+                if [[ $retries -le $RESTART ]]; then
+                    sleep $TIMEOUT
+                    echo "Starting letsencrypt process again"
+                    if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then
+                        echo "DOMAIN CHECK: $(eval $DOMAIN_CHECK)"
+                        letsencrypt_certificates
+                        echo "Started letsencrypt for domain: $DOMAIN second time"
+                        break
+                    else
+                        echo "Waiting "$TIMEOUT" second for starting proxies"
+                        sleep $TIMEOUT
+                        echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process."
+                    fi
+                else
+                    LOG=$(echo "The domain '$DOMAIN' could not reachable. Reached retrying limit: '$RESTART', giving up to start lets encrypt process, try self sign the certificate" | base64 -w0)
+                    STATUS="failed"
+                    create_json $DOMAIN $STATUS "$LOG"
+                fi
+
+            done
+        fi
+    fi
+
 fi
-
-

scripts/check_proxy_state.sh

@@ -7,50 +7,115 @@ RESTART_COUNTER=0
 REGISTRY_URL=$DOCKER_REGISTRY_URL
 
 # Set env variables
-DOMAIN="$1"
+FILENAME="$1"
+DOMAIN_DIR=$DOMAIN_DIR
+if [ -f $DOMAIN_DIR"/"$FILENAME ]; then
+	DOMAIN=$(jq -r .DOMAIN $DOMAIN_DIR"/"$FILENAME)
+else
+	# in case of CERT_DIR
+	DOMAIN=$FILENAME
+fi;
 PROXY_SERVICE_FILE=$PROXY_SERVICE_FILE
 ROLE=$ROLE
 SERVICE_NAME=$SERVICE_NAME
 PROXY_CONFIG_DIR=$PROXY_CONFIG_DIR
 
+SETUP_VERSION=${SETUP_VERSION:-latest};
+
 # Setup docker registry url path
 
-if [[ $REGISTRY_URL != "" ]] || [[ $REGISTRY_URL != "null" ]] ; then
+if [[ -n "$DOCKER_REGISTRY_URL" && "$DOCKER_REGISTRY_URL" != "null" ]] ; then
 	SETUP="/setup";
 else
+	SETUP="setup";
+	DOCKER_REGISTRY_URL="";
+fi
+# SPECIAL MOUNTS CHEKING
 
-        echo "Docker registry URL not defined in configuration";
+DNS_DIR=$DNS_DIR
-	exit;
+if [ "$DNS_DIR" == "" ] ; then
+        DNS_DIR="/etc/system/data/dns";
+else
+        DNS="--env DNS_DIR=$DNS_DIR";
+        DNS_PATH="--volume $DNS_DIR:/etc/dns:rw";
 fi
 
-service_exec="docker run --rm -v /etc/user/config/services/:/services/:ro -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker:ro $REGISTRY_URL$SETUP /scripts/service-exec"
+USER_INIT_PATH=$USER_INIT_PATH
+
+if [ "$USER_INIT_PATH" == "" ]; then
+        USER_INIT_PATH=/etc/user/config;
+else
+        USER_ENV="--env $USER_INIT_PATH=/etc/user/config";
+        USER_PATH="--volume $USER_INIT_PATH:/etc/user/config:ro";
+fi
+
+# Setting service files path
+
+SERVICE_FILES=$SERVICE_FILES
+
+if [ "$SERVICE_FILES" == "" ]; then
+        SERVICE_FILES=/etc/user/config/services
+fi
+
+CA_PATH=$CA_PATH
+if [ "$CA_PATH" == "" ]; then
+        CA_PATH=/etc/ssl/certs;
+else
+        CA="--env CA_PATH=$CA_PATH";
+        CA_FILE="--volume $CA_PATH:$CA_PATH:ro";
+fi
+
+
+service_exec="docker run --rm \
+ $DNS $DNS_PATH \
+ $CA $CA_FILE \
+ $USER_ENV $USER_PATH \
+ -w /services/ \
+ -v $SERVICE_FILES/:/services/:ro \
+ -v $SERVICE_FILES/tmp/:/services/tmp/:rw \
+ -w /services/ \
+ -v /etc/user/config/services/:/services/:ro \
+ -v /etc/user/config/services/tmp/:/services/tmp/:rw \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ --env DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL \
+ $DOCKER_REGISTRY_URL$SETUP:$SETUP_VERSION"
 
 do_proxy_restart() { 
 
         local NAMES="$1"
 
-	for proxies in $NAMES ; do 
+
-		docker stop $proxies;
+	for PROXY_NAME in $NAMES ; do 
+		
+		DO_RESTART="true";
+		if [ "$FORCE_RESTART" != "true" ]; then
+			docker stop $PROXY_NAME;
+			docker start $PROXY_NAME;
 			sleep $TIMEOUT;
-		$service_exec $SERVICE_NAME.containers.$proxies start
+			
-		if docker ps | grep $proxies ; then
+			if docker ps | grep $PROXY_NAME | grep Up ; then
-			if [ -z "$DOMAIN" ] ; then
+				echo "$PROXY_NAME restarted successful";
-				echo "$proxies restarted successful";
+				DO_RESTART="false";
 			fi
-		else 
+		fi
-			PROXY_NAME=$proxies
+		
+		if [ "$DO_RESTART" == "true" ]; then
 			for retries in $(seq 0 $((RESTART + 1))); do
 				if [[ $retries -le $RESTART ]] ; then
 					echo "Proxy "$PROXY_NAME" restarting in progress";
-					docker stop $PROXY_NAME;
+					$service_exec $SERVICE_NAME.containers.$PROXY_NAME stop force;
-					sleep $TIMEOUT;
+					
+					## finding network name for starting affected network
+					#NETWORK_NAME=$(jq -r --arg NAME $PROXY_NAME '.containers[] | select(.NAME==$NAME)' $PROXY_SERVICE_FILE | jq -r .NETWORK)
+					#$service_exec $SERVICE_NAME.networks.$NETWORK_NAME start
+					
 					$service_exec $SERVICE_NAME.containers.$PROXY_NAME start
-						if docker ps | grep $PROXY_NAME ; then
+					sleep $TIMEOUT;
+					if docker ps | grep $PROXY_NAME | grep Up ; then
 						echo "$PROXY_NAME restarted successful";
 						break ;
 					else	
 						echo "Restarting number is only: "$retries" so try again"
-							sleep $TIMEOUT;
 					fi
 				else
 					echo "Reached retrying limit: "$RESTART" ,giving up, starting recocer previous state"
@@ -59,20 +124,11 @@ do_proxy_restart() {
 			done
 		fi
 	done
-	
-	# in case of new proxy configuration generated needed to copy the domain name  to the configs file.then remove new_config flag.
-	if [[ -f $PROXY_CONFIG_DIR/new_config ]] ; then 
-		if [[ ! -f $PROXY_CONFIG_DIR/config || "$(grep $DOMAIN $PROXY_CONFIG_DIR/config 2>/dev/null)" == "" ]] ; then 
-			cat $PROXY_CONFIG_DIR/new_config >> $PROXY_CONFIG_DIR/config;
-		fi
-		
-		rm $PROXY_CONFIG_DIR/new_config;
-	fi
 }
 
 check_domain() {
 	echo "Checking $DOMAIN name";
-	CURL_CHECK="curl -s -o /dev/null -w "%{http_code}" https://$DOMAIN";
+	CURL_CHECK="curl -m 5 -s -o /dev/null -w "%{http_code}" https://$DOMAIN";
 	if [[ "$(eval $CURL_CHECK)" == "200" ]] ; then 
 		echo "$DOMAIN accessed successful";
 	else 
@@ -80,7 +136,15 @@ check_domain() {
 	fi
 }
 
-recover_process() { echo "Recovering previous state"
+recover_process() { 
+	echo "Recovering previous state";
+	rm $DOMAIN_DIR/$FILENAME;
+
+	echo "#############################################################################"
+	echo "########    DOMAIN    #####    $DOMAIN   ####   DELETED      ################"
+	echo "#############################################################################"
+	exit;
+		
 }
 
 send_error_msg () { echo "Sending error messages"
@@ -117,12 +181,11 @@ if [[ "$RUNNING_CONTAINERS" == "$CONTAINERS_BY_ROLE" || "$RUNNING_CONTAINERS" -g
 elif [[ "$RUNNING_CONTAINERS" -eq 0 ]] ; then 
 	echo "No running proxies found, starting all";
 	
-	$service_exec /services/$SERVICE_NAME.json stop;
+	do_proxy_restart "$CONTAINERS";
-	$service_exec /services/$SERVICE_NAME.json start;
 	
 	for proxies in $CONTAINERS ; do 
 
-		if docker ps | grep $proxies ; then
+		if docker ps | grep $proxies | grep Up; then
 			echo "$proxies started successful";
 		else 
 			echo "$proxies starting was unsuccesful";
@@ -140,7 +203,7 @@ elif [[ "$RUNNING_CONTAINERS" -eq 1 ]] ; then
 			
 			do_proxy_restart $proxies;
 			
-			if docker ps | grep $proxies ; then
+			if docker ps | grep $proxies | grep Up ; then
 				echo "$proxies started successful";
 			else 
 				echo "$proxies starting was unsuccesful";
@@ -155,7 +218,7 @@ elif [[ "$RUNNING_CONTAINERS" -eq 1 ]] ; then
 	# At last need to restart the only one running proxy when the others started successful.
 	for CHECK_PROXIES in $CONTAINERS ; do
 		if [[ $CHECK_PROXIES != $ONLY_RUNNING_PROXY_NAME ]] ; then
-			if docker ps | grep $CHECK_PROXIES ; then
+			if docker ps | grep $CHECK_PROXIES | grep Up ; then
 				echo "Not running proxies successfuly started, let's start the only running one.";
 				do_proxy_restart $ONLY_RUNNING_PROXY_NAME;
 			else
@@ -171,6 +234,16 @@ fi
 # call method
 check_proxy_state
 
+echo "PROXY RESTARTED SUCCESSFULY"
+# in case of new proxy configuration generated needed to copy the domain name  to the configs file.then remove new_config flag.
+if [[ -f $PROXY_CONFIG_DIR/new_config ]] ; then 
+	if [[ ! -f $PROXY_CONFIG_DIR/config || "$(grep $DOMAIN $PROXY_CONFIG_DIR/config 2>/dev/null)" == "" ]] ; then 
+		cat $PROXY_CONFIG_DIR/new_config >> $PROXY_CONFIG_DIR/config;
+	fi
+	
+	rm $PROXY_CONFIG_DIR/new_config;
+fi
+
 # At last check the previously settings of domain.
 check_domain
 

scripts/config_haproxy_create.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # Initial parameters
-DATE=`date +%F-%H-%M-%S`
+DATE=$(date +%F-%H-%M-%S)
 
 DOMAIN=$1
 
@@ -19,113 +19,162 @@ cp -a /scripts/haproxy_template.cfg $PROXY_CONFIG_DIR/haproxy.cfg
 
 {
 
-echo "frontend http
+    echo "frontend http
-";
+"
 
-cat "$global_http"
+    cat "$global_http"
-echo 
+    echo
 
-#echo "acl letsencrypt path_beg /.well-known/acme-challenge/";
+    #echo "acl letsencrypt path_beg /.well-known/acme-challenge/";
 
-echo 
+    echo
 
-for i in `ls $DOMAIN_DIR|cut -d / -f2` ;  do
+    for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
 
-        if [[ "$(jq -r .REDIRECT_HTTPS $i)" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]]
+        DOMAIN_NAME=$(jq -r .DOMAIN $i)
-        then    
+        if [[ "$(jq -r .REDIRECT_HTTPS $i)" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
-            echo "redirect prefix https://$(jq -r .REDIRECT_HTTPS $i) code 301 if { hdr(host) -i $(jq -r .DOMAIN $i) }";
+            echo "redirect prefix https://$(jq -r .REDIRECT_HTTPS $i) code 301 if { hdr(host) -i $DOMAIN_NAME }"
         fi
-done
+    done
-echo
+    echo
 
-for i in `ls $DOMAIN_DIR|cut -d / -f2` ;  do
+    for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
 
-	if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]]
+        DOMAIN_NAME=$(jq -r .DOMAIN $i)
-	then
+        if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
-		echo "acl $(jq -r .DOMAIN $i)_http hdr(host) -i $(jq -r .DOMAIN $i)";
+
+            TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
+            WILDCARD=$(echo $DOMAIN_NAME | grep '*')
+
+            if [ "$WILDCARD" != "" ]; then
+                HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
+                echo "acl $HOST."$TLD"_http hdr(host) -m reg -i ^[^\.]+\."$HOST"\."$TLD"$"
+            else
+                echo "acl "$DOMAIN_NAME"_http hdr(host) -i $DOMAIN_NAME"
+            fi
         fi
 
-	if [[ "$(jq -r .DOMAIN $i)" != "letsencrypt"  && "$(jq -r .HTTP_PORT $i)" != "" && "$(jq -r .ALIASES_HTTP[] $i)" != "" ]]
+        if [[ "$DOMAIN_NAME" != "letsencrypt" && "$(jq -r .HTTP_PORT $i)" != "" && "$(jq -r .ALIASES_HTTP[] $i)" != "" ]]; then
-	then
             ALIASES_LIST=$(jq -r .ALIASES_HTTP[] $i)
-		for ALIAS in $ALIASES_LIST
+            for ALIAS in $ALIASES_LIST; do
-		do
+                echo "acl "$DOMAIN_NAME"_http hdr(host) -i $ALIAS"
-		 	echo "acl $(jq -r .DOMAIN $i)_http hdr(host) -i $ALIAS";
             done
         fi
 
-done
+    done
 
-echo 
+    echo
 
-#echo "use_backend letsencrypt_http if letsencrypt"
+    #echo "use_backend letsencrypt_http if letsencrypt"
 
-for i in `ls $DOMAIN_DIR|cut -d / -f2` ;  do
+    for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
 
-	if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTP_PORTS $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]]
+        DOMAIN_NAME=$(jq -r .DOMAIN $i)
-	then
+        TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
-		echo "use_backend $(jq -r .DOMAIN $i)_http if $(jq -r .DOMAIN $i)_http"; 
+        WILDCARD=$(echo $DOMAIN_NAME | grep '*')
+
+        if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
+            if [ "$WILDCARD" != "" ]; then
+                HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
+                echo "use_backend $HOST."$TLD"_http if $HOST."$TLD"_http"
+            else
+                echo "use_backend "$DOMAIN_NAME"_http if "$DOMAIN_NAME"_http"
             fi
-done
-
-echo
-
-for i in `ls $DOMAIN_DIR|cut -d / -f2` ;  do
-
-      	if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTP_PORT $i)" != "" ]]
-      	then
-      		echo "backend $(jq -r .DOMAIN $i)_http";
-		echo "	mode http";
-		echo "	server $(jq -r .DOMAIN $i) $(jq -r .LOCAL_IP $i):$(jq -r .HTTP_PORT $i)";
         fi
-done
+    done
 
-echo
+    echo
 
-echo "frontend https
+    for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
-";
 
-cat "$global_https"
+        DOMAIN_NAME=$(jq -r .DOMAIN $i)
-echo 
+        TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
+        WILDCARD=$(echo $DOMAIN_NAME | grep '*')
 
-for i in `ls $DOMAIN_DIR|cut -d / -f2` ;  do
+        if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTP_PORT $i)" != "" ]]; then
-
+            if [ "$WILDCARD" != "" ]; then
-	if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]]
+                HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
-	then
+                echo "backend $HOST."$TLD"_http"
-		echo "acl $(jq -r .DOMAIN $i)_https req_ssl_sni -i $(jq -r .DOMAIN $i)";
+                echo " mode http"
+                echo " server $HOST.$TLD $(jq -r .LOCAL_NAME $i):$(jq -r .HTTP_PORT $i) send-proxy"
+            else
+                echo "backend "$DOMAIN_NAME"_http"
+                echo " mode http"
+                echo " server $DOMAIN_NAME $(jq -r .LOCAL_NAME $i):$(jq -r .HTTP_PORT $i) send-proxy"
             fi
-	if [[ "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .ALIASES_HTTPS[] $i)" != "" ]]
+        fi
-	then
+    done
+
+    echo
+
+    echo "frontend https"
+
+    echo
+
+    cat "$global_https"
+    echo
+
+    for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
+        DOMAIN_NAME=$(jq -r .DOMAIN $i)
+        TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
+        WILDCARD=$(echo $DOMAIN_NAME | grep '*')
+
+        if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
+
+            if [ "$WILDCARD" != "" ]; then
+                HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
+                echo "acl $HOST."$TLD"_https req_ssl_sni -i ^[^\.]+\.$HOST\."$TLD"$"
+            else
+                echo "acl "$DOMAIN_NAME"_https req_ssl_sni -i $DOMAIN_NAME"
+            fi
+        fi
+        if [[ "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .ALIASES_HTTPS[] $i)" != "" ]]; then
             ALIASES_LIST=$(jq -r .ALIASES_HTTPS[] $i)
-	         for ALIAS in $ALIASES_LIST
+            for ALIAS in $ALIASES_LIST; do
-	         do
+                echo "acl $HOST."$TLD"_https req_ssl_sni -i $ALIAS"
-	                   echo "acl $(jq -r .DOMAIN $i)_https req_ssl_sni -i $ALIAS";
             done
         fi
-done
+    done
 
-echo 
+    echo
 
-for i in `ls $DOMAIN_DIR|cut -d / -f2` ;  do
+    for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
+        DOMAIN_NAME=$(jq -r .DOMAIN $i)
+        TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
+        WILDCARD=$(echo $DOMAIN_NAME | grep '*')
 
-	if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]]
+        if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
-	then
+            if [ "$WILDCARD" != "" ]; then
-		echo "use_backend $(jq -r .DOMAIN $i)_https if $(jq -r .DOMAIN $i)_https"; 
+                HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
+                echo "use_backend $HOST."$TLD"_https if $HOST."$TLD"_https"
+            else
+                echo "use_backend "$DOMAIN_NAME"_https if "$DOMAIN_NAME"_https"
             fi
-done
-
-echo 
-
-for i in `ls $DOMAIN_DIR|cut -d / -f2` ;  do
-
-      	if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]]
-      	then
-      		echo "backend $(jq -r .DOMAIN $i)_https";
-		echo "	option ssl-hello-chk";
-		echo "	mode tcp";
-		echo "	server $(jq -r .DOMAIN $i) $(jq -r .LOCAL_IP $i):$(jq -r .HTTPS_PORT $i) check";
         fi
-done
+    done
 
-} >> "$file";
+    echo
-echo "$DOMAIN" >> $PROXY_CONFIG_DIR/new_config
+
+    for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
+
+        if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
+            DOMAIN_NAME=$(jq -r .DOMAIN $i)
+            TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
+            WILDCARD=$(echo $DOMAIN_NAME | grep '*')
+            if [ "$WILDCARD" != "" ]; then
+                HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
+                echo "backend $HOST."$TLD"_https"
+                echo "	option ssl-hello-chk"
+                echo "	mode tcp"
+                echo "	server $HOST.$TLD $(jq -r .LOCAL_NAME $i):$(jq -r .HTTPS_PORT $i) check send-proxy"
+            else
+                echo "backend "$DOMAIN_NAME"_https"
+                echo "	option ssl-hello-chk"
+                echo "	mode tcp"
+                echo "	server $DOMAIN_NAME $(jq -r .LOCAL_NAME $i):$(jq -r .HTTPS_PORT $i) check send-proxy"
+            fi
+        fi
+    done
+
+} >>"$file"
+echo "$DOMAIN" >>$PROXY_CONFIG_DIR/new_config

scripts/domain.example.conf

@@ -0,0 +1,87 @@
+server {
+listen 80 proxy_protocol;
+server_name domain.example;
+set_real_ip_from 0.0.0.0/0;
+real_ip_header proxy_protocol;
+rewrite_log on;
+return 301 https://domain.example;
+}
+server {
+listen 443 ssl proxy_protocol;
+set_real_ip_from 0.0.0.0/0;
+real_ip_header proxy_protocol;
+server_name domain.example;
+client_max_body_size 0;
+rewrite_log on;
+proxy_ssl_server_name on; 
+ ssl_dhparam /etc/ssl/keys/domain.example/dhparam.pem;
+ssl_certificate /etc/ssl/keys/fullchain.pem;
+ ssl_certificate_key /etc/ssl/keys/key.pem;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !kDHE";
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;
+ssl_stapling on;
+location / {
+ limit_except GET HEAD {
+ 	allow 192.168.109.1;
+ 	allow 192.168.109.2;
+ 	deny  all;
+ }
+ proxy_pass http://domain-app:80;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_cookie_path / /;
+ proxy_set_header Connection $http_connection;
+ proxy_connect_timeout      300;
+ proxy_send_timeout         300;
+ proxy_read_timeout         300;
+ proxy_next_upstream off;
+ proxy_redirect off;
+ proxy_buffering off;
+}
+location example2 {
+ proxy_pass http://example-app2-modified:80;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_cookie_path example2 example2;
+ proxy_set_header Connection $http_connection;
+ proxy_connect_timeout      300;
+ proxy_send_timeout         300;
+ proxy_read_timeout         300;
+ proxy_next_upstream off;
+ proxy_redirect off;
+ proxy_buffering off;
+}
+# location end
+location example {
+ limit_except GET HEAD {
+ 	allow 192.168.105.1
+ 	allow 192.168.106.1
+ 	allow 192.168.107.1
+ 	deny all;
+ }
+ proxy_pass http://example-app:80;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_cookie_path example example;
+ proxy_set_header Connection $http_connection;
+ proxy_connect_timeout      300;
+ proxy_send_timeout         300;
+ proxy_read_timeout         300;
+ proxy_next_upstream off;
+ proxy_redirect off;
+ proxy_buffering off;
+}
+# location end
+}

scripts/domains/app.domain.example

@@ -0,0 +1,23 @@
+{
+"DEBUG": "true",
+"DOMAIN": "domain.example",
+"ALIASES_HTTP": [ ],
+"ALIASES_HTTPS": [ ],
+"LOCAL_NAME": "domain-app",
+"HTTP_PORT": "",
+"HTTPS_PORT": "80",
+"ERROR_PAGE": "",
+"REDIRECT_HTTP": "",
+"REDIRECT_HTTPS": "",
+"MAX_BODY_SIZE": "",
+"ALLOWED_NETWORK": [ "192.168.109.1", "192.168.109.2", "192.168.110.2" ],
+"OPERATION": "CREATE",
+"ALTERNATE_LOCATION_PATH": [
+	{
+        "LOCAL_PATH": "example",
+        "LOCAL_NAME": "example-app",
+        "LOCAL_PORT": "",
+	"LOCAL_ALLOWED_NETWORK": [ "192.168.105.1", "192.168.106.1", "192.168.107.1" ]
+        }
+]
+}

scripts/domains/app2.domain.example

@@ -0,0 +1,24 @@
+{
+"DEBUG": "true",
+"DOMAIN": "domain.example",
+"ALIASES_HTTP": [ ],
+"ALIASES_HTTPS": [ ],
+"LOCAL_NAME": "domain-app2",
+"HTTP_PORT": "",
+"HTTPS_PORT": "80",
+"ERROR_PAGE": "",
+"REDIRECT_HTTP": "",
+"REDIRECT_HTTPS": "",
+"MAX_BODY_SIZE": "",
+"ALLOWED_NETWORK": [ ],
+"OPERATION": "MODIFY",
+"ALTERNATE_LOCATION_PATH": [
+	{
+        "LOCAL_PATH": "example2",
+        "LOCAL_NAME": "example-app2-modified",
+        "LOCAL_PORT": "",
+	"LOCAL_ALLOWED_NETWORK": [ ]
+        }
+	]
+
+}

scripts/domains/app3.domain.example

@@ -0,0 +1,23 @@
+{
+"DEBUG": "true",
+"DOMAIN": "domain.example",
+"ALIASES_HTTP": [ ],
+"ALIASES_HTTPS": [ ],
+"LOCAL_NAME": "domain-app",
+"HTTP_PORT": "",
+"HTTPS_PORT": "80",
+"ERROR_PAGE": "",
+"REDIRECT_HTTP": "",
+"REDIRECT_HTTPS": "",
+"MAX_BODY_SIZE": "",
+"ALLOWED_NETWORK": [ ],
+"ALTERNATE_LOCATION_PATH": [
+	{
+        "LOCAL_PATH": "example3",
+        "LOCAL_NAME": "example-app3",
+        "LOCAL_PORT": "",
+	"LOCAL_ALLOWED_NETWORK": [ ]
+        }
+	]
+
+}

scripts/domains/domain.sample

@@ -0,0 +1,13 @@
+{
+"DEBUG": "true",
+"DOMAIN": "domain.example",
+"ALIASES_HTTP": [ ],
+"ALIASES_HTTPS": [ ],
+"LOCAL_NAME": "domain-app",
+"HTTP_PORT": "",
+"HTTPS_PORT": "80",
+"ERROR_PAGE": "",
+"REDIRECT_HTTP": "",
+"REDIRECT_HTTPS": "",
+"MAX_BODY_SIZE": ""
+}

scripts/global_http

@@ -1,4 +1,4 @@
-bind :80
+bind :80 accept-proxy
   mode http
   option forwardfor  
   option httplog

scripts/global_https

@@ -1,4 +1,4 @@
-bind :443
+bind :443 accept-proxy
   mode tcp
   option tcplog
   option dontlognull

scripts/haproxy_template.cfg

@@ -1,11 +1,13 @@
 global
-  log stdout format raw local0 debug
+  log stdout format raw local0 info
 defaults
-  timeout client 30s
-  timeout server 30s
-  timeout connect 5s
   mode http
   option redispatch
   option http-server-close
   log global
+  timeout connect 5s
+  timeout client 24h
+  timeout server 24h
+  option srvtcpka
+  option clitcpka
 

scripts/nginx_config_create.sh

@@ -1,69 +1,258 @@
 #!/bin/sh
 
+GENERATE_CERTIFICATE=$GENERATE_CERTIFICATE
+
 cd /proxy_config
 
-DOMAIN=$1
+FILENAME="$1"
-if [ -n "$2" ]; then
-	echo "$DOMAIN DELETED";
-	rm $DOMAIN.conf;
-	exit;
-fi
-
-DOMAIN_SOURCE=/domains/$DOMAIN
 
+DOMAIN_SOURCE=/domains/$FILENAME
+#DOMAIN_SOURCE=./domains/$FILENAME #TEMP
 DOMAIN_NAME=$(jq -r .DOMAIN $DOMAIN_SOURCE)
 HTTP_PORT=$(jq -r .HTTP_PORT $DOMAIN_SOURCE)
 HTTPS_PORT=$(jq -r .HTTPS_PORT $DOMAIN_SOURCE)
-LOCAL_IP=$(jq -r .LOCAL_IP $DOMAIN_SOURCE)
+ALIASES_HTTP=$(jq -r '.ALIASES_HTTP | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
-ALIASES_HTTP=$(jq -r .ALIASES_HTTP $DOMAIN_SOURCE)
+ALIASES_HTTPS=$(jq -r '.ALIASES_HTTPS | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
-ALIASES_HTTPS=$(jq -r .ALIASES_HTTPS $DOMAIN_SOURCE)
 REDIRECT_HTTP=$(jq -r .REDIRECT_HTTP $DOMAIN_SOURCE)
 REDIRECT_HTTPS=$(jq -r .REDIRECT_HTTPS $DOMAIN_SOURCE)
 ERROR_PAGE=$(jq -r .ERROR_PAGE $DOMAIN_SOURCE)
+MAX_BODY_SIZE=$(jq -r .MAX_BODY_SIZE $DOMAIN_SOURCE)
+DEBUG=$(jq -r .DEBUG $DOMAIN_SOURCE)
+ALLOWED_NETWORK=$(jq -r '.ALLOWED_NETWORK | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
+OPERATION=$(jq -r '.OPERATION' $DOMAIN_SOURCE)
+BASIC_AUTH=$(jq -r .BASIC_AUTH $DOMAIN_SOURCE)
+ALTERNATE_LOCATION_PATH=$(jq -r .ALTERNATE_LOCATION_PATH $DOMAIN_SOURCE)
+LOCAL_NAME=$(jq -r .LOCAL_NAME $DOMAIN_SOURCE 2>/dev/null)
+if [[ "$LOCAL_NAME" == "" || "$LOCAL_NAME" == "null" ]]; then
+    LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null)
+fi
+RELOAD_LOCATIONS=""
 
-# check whether certificates exist or not
+if [ -n "$2" ] || [ "$OPERATION" == "DELETE" ]; then
-
+    echo "$DOMAIN_NAME DELETED"
-if [[ $HTTPS_PORT != "" ]]; then
+    rm $DOMAIN_NAME.conf
-	/scripts/check_certificates.sh "$DOMAIN";
+    exit
 fi
 
-echo "created domain name: "$DOMAIN;
+add_alternate_location() {
+    {
+        cat $DOMAIN_NAME.conf | head -n -1
+        add_location
+        echo "}"
 
-file="/tmp/$DOMAIN.conf"
+    } >>"$file"
+}
 
-#cp -a /scripts/nginx_template.conf /tmp/$DOMAIN.conf
+add_location() {
 
-{
+    if [[ "$ALTERNATE_LOCATION_PATH" != "" ]]; then
 
-if [[ $HTTP_PORT != "" ]]; then
+        ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE)
+        ALP_IDX=$(($ALP_IDX - 1))
+
+        for i in $(seq 0 $ALP_IDX); do
+            ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE)
+
+            ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH)
+            ALP_LOCAL_NAME=$(echo $ALP | jq -rc .LOCAL_NAME)
+            ALP_LOCAL_PORT=$(echo $ALP | jq -rc .LOCAL_PORT)
+            ALP_LOCAL_ALLOWED_NETWORK=$(echo $ALP | jq -rc '.LOCAL_ALLOWED_NETWORK | select(.!="null") | join(" ")')
+
+            # do not duplicate locations
+            EXISTS=$(grep -rn "location $ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf)
+            if [ -n "$EXISTS" ]; then
+                ROW_NUMBER=$(echo $EXISTS | cut -d ':' -f1)
+                START=$(($ROW_NUMBER + 2))
+                OFFSET=$(tail -n+$START $DOMAIN_NAME.conf | grep -n '}' -m 1 | cut -d ':' -f1)
+                OFFSET=$(($OFFSET - 2))
+                ALP_ALLOWED=$(echo $(tail -n+$START $DOMAIN_NAME.conf | head -n $OFFSET | awk '{print $2}')) # echo removes space at the end
+                if [ "$ALP_LOCAL_ALLOWED_NETWORK" != "$ALP_ALLOWED" ]; then
+                    RELOAD_LOCATIONS=$RELOAD_LOCATIONS$ALP_LOCAL_PATH" "
+                fi
+                # skip if exists
+                continue
+            fi
+
+            if [[ "$ALP_LOCAL_NAME" = "" ]]; then
+                ALP_LOCAL_NAME=$LOCAL_NAME
+            fi
+
+            if [[ "$ALP_LOCAL_PORT" = "" ]]; then
+                ALP_LOCAL_PORT=$HTTP_PORT
+            fi
+
+            echo "location $ALP_LOCAL_PATH {"
+
+            if [ "$BASIC_AUTH" == "TRUE" ]; then
+                echo '  auth_basic           "SAFEBOX AUTHORIZATION";
+     auth_basic_user_file htpasswd;
+                        '
+            fi
+
+            if [[ "$ALP_LOCAL_ALLOWED_NETWORK" != "" ]]; then
+                echo " limit_except GET HEAD {"
+                for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK); do
+                    echo " 	allow $i"
+                done
+                echo " 	deny all;"
+                echo " }"
+            fi
+
+            if [[ "$ALP_LOCAL_PORT" != "" ]]; then
+                echo " proxy_pass http://$ALP_LOCAL_NAME:$ALP_LOCAL_PORT/;"
+            else
+                echo " proxy_pass http://$ALP_LOCAL_NAME:80;"
+            fi
+
+            echo " proxy_set_header Host "'$http_host'";
+ proxy_set_header X-Real-IP "'$remote_addr'";
+ proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'";
+ proxy_set_header X-Forwarded-Proto "'$scheme'";
+ proxy_set_header Upgrade "'$http_upgrade;'"
+ proxy_cookie_path $ALP_LOCAL_PATH $ALP_LOCAL_PATH;
+ proxy_set_header Connection "'$http_connection'";
+ proxy_connect_timeout      300;
+ proxy_send_timeout         300;
+ proxy_read_timeout         300;
+ proxy_next_upstream off;"
+
+            if [[ "$DEBUG" != "true" ]]; then
+                echo " access_log off;"
+            fi
+            echo " proxy_redirect off;"
+            echo " proxy_buffering off;"
+            echo "}"
+            echo "# location end"
+        done
+    fi
+
+}
+
+remove_alternate_location() {
+
+    if [[ "$ALTERNATE_LOCATION_PATH" != "" ]]; then
+
+        ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE)
+        ALP_IDX=$(($ALP_IDX - 1))
+
+        for i in $(seq 0 $ALP_IDX); do
+            ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE)
+            ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH)
+            remove_location $ALP_LOCAL_PATH
+        done
+    fi
+}
+
+remove_location() {
+    local LOCATION=$1
+
+    LOCATION_ROW="location $LOCATION {"
+    ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1)
+    if [ -n "$ROW_NUMBER" ]; then
+        OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1)
+        START=$(($ROW_NUMBER - 1))
+        END=$(($ROW_NUMBER + $OFFSET))
+
+        {
+            head -n$START $DOMAIN_NAME.conf
+            tail -n+$END $DOMAIN_NAME.conf
+        } >>$file
+
+        mv $file $DOMAIN_NAME.conf
+    fi
+}
+
+# create new nginx config
+create_new_config() {
+    {
+
+        REGENERATE="$1"
+
+        if [[ "$HTTP_PORT" != "80" ]]; then
             echo "server {
-listen $HTTP_PORT;
+listen 80 proxy_protocol;"
-server_name $DOMAIN_NAME;
+            if [[ "$ALIASES_HTTP" != "" ]]; then
-rewrite_log on;"
+                echo "server_name $DOMAIN_NAME $ALIASES_HTTP;"
+            else
+                echo "server_name $DOMAIN_NAME;"
+            fi
+            echo "set_real_ip_from 0.0.0.0/0;
+real_ip_header proxy_protocol;
+rewrite_log on;
+return 301 https://$DOMAIN_NAME;
+}"
 
+        fi
 
-	if [[ $REDIRECT_HTTP != "" && $HTTP_PORT != "" ]]; then
+        if [[ "$HTTP_PORT" != "" && "$HTTP_PORT" != "80" ]]; then
+            echo "server {
+	listen $HTTP_PORT proxy_protocol;
+	set_real_ip_from 0.0.0.0/0;
+	real_ip_header proxy_protocol;"
+
+            if [[ "$ALIASES_HTTP" != "" ]]; then
+                echo "server_name $DOMAIN_NAME $ALIASES_HTTP;"
+            else
+                echo "server_name $DOMAIN_NAME;"
+            fi
+
+            if [[ "$MAX_BODY_SIZE" != "" ]]; then
+                echo "client_max_body_size "$MAX_BODY_SIZE";"
+
+            else
+
+                echo "client_max_body_size 0;"
+            fi
+
+            echo "rewrite_log on;"
+
+            if [[ "$REDIRECT_HTTP" != "" ]]; then
                 echo "return 301 $REDIRECT_HTTP;"
-
+            elif [[ "$HTTP_PORT" == "" ]]; then
+                echo "return 301 https://"$DOMAIN_NAME
 
             else
                 echo "location / {"
 
-		if [[ $HTTP_PORT != "" ]]; then
+                if [ "$BASIC_AUTH" == "TRUE" ]; then
- 			echo "proxy_pass http://$LOCAL_IP:$HTTP_PORT;"
+                    echo '  auth_basic           "SAFEBOX AUTHORIZATION";
-		else
+     auth_basic_user_file htpasswd;
- 			echo "proxy_pass http://$LOCAL_IP:80;"
+                        '
                 fi
 
-		 echo "proxy_redirect off;
+                if [[ "$ALLOWED_NETWORK" != "" ]]; then
-		 proxy_buffering off;
+                    ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
-		 proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'";
+                    ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1))
-		 proxy_set_header Upgrade "'$http_upgrade'";
-		 proxy_set_header Connection "'$http_connection'";
-		 proxy_cookie_path / /;
-		 access_log off;"
 
-			if [[ $ERROR_PAGE != "" && $HTTP_PORT != "" ]]; then
+                    echo " limit_except GET HEAD {"
+                    for i in $(seq 0 $ALLOWED_NETWORK_IDX); do
+                        AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
+                        echo " 	allow "$AN";"
+                    done
+                    echo " 	deny  all;"
+                    echo " }"
+                fi
+
+                if [[ "$HTTP_PORT" != "" ]]; then
+                    echo " proxy_pass http://$LOCAL_NAME:$HTTP_PORT;"
+                fi
+
+                echo " proxy_set_header Host "'$http_host'";
+	 proxy_set_header X-Real-IP "'$remote_addr'";
+	 proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'";
+	 proxy_set_header X-Forwarded-Proto "'$scheme'";
+	 proxy_set_header Upgrade "'$http_upgrade;'"
+	 proxy_cookie_path / /;
+	 proxy_set_header Connection "'$http_connection'" ;"
+
+                if [[ "$DEBUG" != "true" ]]; then
+                    echo " access_log off;"
+                fi
+                echo " proxy_redirect off;"
+                echo " proxy_buffering off;"
+                echo "}"
+
+                if [[ "$ERROR_PAGE" != "" && "$HTTP_PORT" != "" ]]; then
                     echo "error_page 404 /$ERROR_PAGE;
 				location = /$ERROR_PAGE {
 				      root    html;
@@ -72,64 +261,180 @@ rewrite_log on;"
 				      rewrite ^ "'$scheme'" http://$ERROR_PAGE"'$request_uri'" permanent;
 					      }"
                 fi
+            fi
             echo "}"
         fi
-echo "}"
-fi
 
-if [[ $HTTPS_PORT != "" ]]; then
+        if [[ "$HTTPS_PORT" != "" ]]; then
             echo "server {
-listen $HTTPS_PORT ssl;
+listen 443 ssl proxy_protocol;
-server_name $DOMAIN_NAME;
+set_real_ip_from 0.0.0.0/0;
-rewrite_log on;
+real_ip_header proxy_protocol;"
+
+            if [[ "$ALIASES_HTTPS" != "" ]]; then
+                echo "server_name $DOMAIN_NAME $ALIASES_HTTPS;"
+            else
+                echo "server_name $DOMAIN_NAME;"
+            fi
+
+            if [[ "$MAX_BODY_SIZE" != "" ]]; then
+                echo "client_max_body_size "$MAX_BODY_SIZE";"
+            else
+                echo "client_max_body_size 0;"
+            fi
+
+            echo "rewrite_log on;
 proxy_ssl_server_name on; 
- ssl_dhparam /etc/ssl/keys/$DOMAIN/dhparam.pem;
+ ssl_dhparam /etc/ssl/keys/$DOMAIN_NAME/dhparam.pem;"
- ssl_certificate /etc/ssl/keys/$DOMAIN/fullchain.pem;
+
- ssl_certificate_key /etc/ssl/keys/$DOMAIN/key.pem;
+            if [ "$GENERATE_CERTIFICATE" == "true" ]; then
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+                echo "ssl_certificate /etc/ssl/keys/$DOMAIN_NAME/fullchain.pem;
+ ssl_certificate_key /etc/ssl/keys/$DOMAIN_NAME/key.pem;"
+
+            else
+                echo "ssl_certificate /etc/ssl/keys/fullchain.pem;
+ ssl_certificate_key /etc/ssl/keys/key.pem;"
+
+            fi
+
+            echo "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "'"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !kDHE"'";
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 5m;
 ssl_stapling on;"
 
-
+            if [[ "$ERROR_PAGE" != "" && "$HTTPS_PORT" != "" ]]; then
-	if [[ $ERROR_PAGE != "" && $HTTPS_PORT != "" ]]; then
                 echo "error_page 404 /$ERROR_PAGE;
 location = /$ERROR_PAGE {
       root    html;
       allow   all;
       index   404.html;
-      rewrite ^ "'$scheme'":http://$ERROR_PAGE"'$request_uri'" permanent;
+      rewrite ^ "'$scheme' "http://$ERROR_PAGE"'$request_uri'" permanent;
 	      }"
             fi
 
-	if [[ $REDIRECT_HTTPS != ""  ]]; then
+            if [[ "$REDIRECT_HTTPS" != "" ]]; then
                 echo "return 301 $REDIRECT_HTTPS;"
             else
                 echo "location / {"
 
-			if [[ $HTTP_PORT != "" ]]; then
+                if [ "$BASIC_AUTH" == "TRUE" ]; then
-				echo "proxy_pass http://$LOCAL_IP:$HTTP_PORT;"
+                    echo '  auth_basic           "SAFEBOX AUTHORIZATION";
-			else
+     auth_basic_user_file htpasswd;
-				echo "proxy_pass http://$LOCAL_IP:80;"
+                        '
                 fi
 
-		echo "proxy_redirect off;
+                if [[ "$ALLOWED_NETWORK" != "" ]]; then
- proxy_buffering off;
+                    ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
+                    ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1))
+
+                    echo " limit_except GET HEAD {"
+                    for i in $(seq 0 $ALLOWED_NETWORK_IDX); do
+                        AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
+                        echo " 	allow "$AN";"
+                    done
+                    echo " 	deny  all;"
+                    echo " }"
+                fi
+                echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"
+
+                echo " proxy_set_header Host "'$http_host'";
+ proxy_set_header X-Real-IP "'$remote_addr'";
  proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'";
- proxy_set_header Upgrade "'$http_upgrade'";
+ proxy_set_header X-Forwarded-Proto "'$scheme'";
- proxy_set_header Connection "'$http_connection'";
+ proxy_set_header Upgrade "'$http_upgrade;'"
  proxy_cookie_path / /;
- access_log off;
+ proxy_set_header Connection "'$http_connection'";
-}"
+ proxy_connect_timeout      300;
+ proxy_send_timeout         300;
+ proxy_read_timeout         300;
+ proxy_next_upstream off;"
+
+                if [[ "$DEBUG" != "true" ]]; then
+                    echo " access_log off;"
+                fi
+                echo " proxy_redirect off;"
+                echo " proxy_buffering off;"
+                echo "}"
+
+                echo "# first location end"
+
+                add_location
+
             fi
 
-echo "}"
+            if [ "$REGENERATE" == "" ]; then
+                echo "}"
+            fi
 
+        fi
+
+    } >>"$file"
+}
+
+regenerate_config() {
+
+    mv $file $DOMAIN_NAME.conf
+
+    # regenerates nginx config into $file
+    create_new_config "regenerate"
+
+    #  append existing alternate locations to new config file
+    OFFSET=$(cat $DOMAIN_NAME.conf | grep -n '# first location end' -m 1 | cut -d ':' -f1)
+    OFFSET=$(($OFFSET + 1))
+    {
+        tail -n+$OFFSET $DOMAIN_NAME.conf
+    } >>$file
+}
+
+file="/tmp/$DOMAIN_NAME.conf"
+
+# check whether certificates exist or not
+
+echo "created domain name: "$DOMAIN_NAME
+
+#cp -a /scripts/nginx_template.conf /tmp/$DOMAIN.conf
+
+# if domain already exists as a config file append alternate location there
+if [ -f $DOMAIN_NAME.conf ]; then
+
+    if [ "$OPERATION" = "DELETE" ]; then
+        remove_alternate_location
+    elif [ "$OPERATION" = "MODIFY" ]; then
+        # must be before create_new_config
+        remove_alternate_location
+        add_alternate_location
+
+        regenerate_config
+
+    else
+        # default CREATE, append location
+        add_alternate_location
+
+        regenerate_config
+
+        # reload alternate locations if allowed networks has changed
+        if [ -n "$RELOAD_LOCATIONS" ]; then
+            rm $file
+            remove_alternate_location
+            add_alternate_location
+        fi
+    fi
+else
+
+    # rewrite operation if nginx config file doesn't exists
+    OPERATION="CREATE"
+    create_new_config
+
+fi # end of create new nginx config
+
+if [ "$OPERATION" != "DELETE" ]; then
+    mv $file $DOMAIN_NAME.conf
 fi
+echo "$DOMAIN" >>new_config
 
-} >> "$file"
+if [ "$HTTPS_PORT" != "" ]; then
-
+    /scripts/check_certificates.sh "$DOMAIN_NAME" &
-mv /tmp/$DOMAIN.conf $DOMAIN.conf;
+fi
-echo "$DOMAIN" >> new_config

scripts/scheduler.sh

@@ -10,70 +10,65 @@ DOMAIN_DIR=$DOMAIN_DIR
 CERT_DIR=$CERT_DIR
 PROXY_CONFIG_DIR=$PROXY_CONFIG_DIR
 
+# If not exits CERT_DIR, create it
+mkdir -p $CERT_DIR
+
 # Triggers by certificate or domain config changes
 
 unset IFS
 
-inotifywait --exclude .sw -m -e CREATE,CLOSE_WRITE,DELETE -r $DOMAIN_DIR $CERT_DIR | \
+inotifywait --exclude "\.(swp|tmp)" -m -e CREATE,CLOSE_WRITE,DELETE,MOVED_TO -r $DOMAIN_DIR $CERT_DIR $PROXY_CONFIG_DIR | \
 while read dir op file
 
 do 
 
+ echo "DEBUG: $dir $file $op";
+
  parent="/"$(echo $dir|cut -d / -f2)
 
  if [[ "${parent}" == "${CERT_DIR}" && "${op}" == "CLOSE_WRITE,CLOSE" ]] ; then
 		DOMAIN=$(echo $dir|cut -d / -f3);
-		if [[ -f $CERT_DIR/$DOMAIN/renew_certificate && ! -f $PROXY_CONFIG_DIR/new_config ]]; then
+		if [[ -f $CERT_DIR/$DOMAIN/new_certificate ]]; then
-			rm $CERT_DIR/$DOMAIN/renew_certificate;
-			echo "New cert created: '$DOMAIN'";
-			echo "newcert check proxy";
-			/scripts/check_proxy_state.sh $DOMAIN;
-		
-		elif [[ -f $CERT_DIR/$DOMAIN/new_certificate && ! -f $PROXY_CONFIG_DIR/new_config ]]; then
 			rm $CERT_DIR/$DOMAIN/new_certificate;
 			echo "New cert created: '$DOMAIN'";
 			echo "newcert check proxy";
 			/scripts/check_proxy_state.sh $DOMAIN;
 		fi
  
- elif [[ "${parent}" == "${DOMAIN_DIR}" && "${op}" == "CLOSE_WRITE,CLOSE" ]]; then
+ elif [ "${parent}" == "${DOMAIN_DIR}" ] && [[ "${op}" == "CLOSE_WRITE,CLOSE" || "${op}" == "MOVED_TO" ]]; then
-		DOMAIN=$(echo $file);
 
 	if [[ "${PROXY_TYPE}" == "haproxy" ]]; then                                               
+		DOMAIN=$(cat $DOMAIN_DIR"/"$file | jq -r .DOMAIN);
+		if [ "$DOMAIN" == "$file" ]; then
 			echo "haproxy config created, changed";                                           
-		/scripts/config_haproxy_create.sh $DOMAIN;                                                
+			/scripts/config_haproxy_create.sh $file; 
-		
+		fi;
-		if [ -f "$PROXY_CONFIG_DIR/new_config" ] ; then                                   
-			/scripts/check_proxy_state.sh "$DOMAIN";                                  
-		fi                                                                                
 	else                                                                                      
 		echo "domain config created, changed";
-		/scripts/nginx_config_create.sh "$DOMAIN";                                        
+		/scripts/nginx_config_create.sh "$file";
+	fi	
 
+elif [[ "${parent}" == "${PROXY_CONFIG_DIR}" && "${op}" == "CLOSE_WRITE,CLOSE" ]]; then
+
+	if [[ $file != "new_config" && $file != "config" ]]; then
+		DOMAIN=$(echo "${file%.*}");
 		if [ -f "$PROXY_CONFIG_DIR/new_config" ] ; then                                   
 			/scripts/check_proxy_state.sh "$DOMAIN";                                  
 		fi 
-	fi
+	fi;
 
- elif [[ "${parent}" == "${DOMAIN_DIR}" && "${op}" == "DELETE" ]] ; then
+elif [[ "${parent}" == "${DOMAIN_DIR}" && "${op}" == "DELETE" ]] ; then
-		DOMAIN=$(echo $file);
+
-		echo "domain deleted";
+	echo "domain file: $file deleted";
 		
 	if [[ "${PROXY_TYPE}" == "haproxy" ]]; then                                               
 		echo "haproxy config deleted";                                           
 		/scripts/config_haproxy_create.sh;
 
-		if [ -f "$PROXY_CONFIG_DIR/new_config" ] ; then                                   
+	elif [ ! -f "$DOMAIN_DIR/$file" ]; then
-			/scripts/check_proxy_state.sh;                                  
+		/scripts/nginx_config_create.sh "$file" "DEL";
+		/scripts/check_proxy_state.sh "$file" "DEL";
  	fi
-	else                                                                                      
+fi
-		if [ ! -f "$DOMAIN_DIR/$DOMAIN" ]; then
-			/scripts/nginx_config_create.sh "$DOMAIN" "DEL";
-			/scripts/check_proxy_state.sh "$DOMAIN" "DEL";
- 		fi
-	fi
-
- fi
-
 
 done