safebox/proxy-scheduler
7
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: safebox:853755533a956941785654ff67417e7bd64be076
Branches Tags
safebox:master
...
compare: safebox:master
Branches Tags
safebox:master

68 Commits
853755533a ... master

Author SHA1 Message Date
gyurix
c3d881122c Run certificate check in the background during Nginx config creation
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-07-31 11:48:01 +02:00
gyurix
b5676c8ce6 Allow domain configuration deletion in Nginx script
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-05-26 12:29:33 +02:00
gyurix
8f23ff58ac Update basic authentication messages in Nginx configuration script
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-21 10:33:00 +02:00
gyurix
18ff17af6a Enhance error handling in certificate generation and improve logging for better debugging
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-21 09:42:47 +02:00
gyurix
61047a8913 Add BUILDKIT_NO_HTTP2 environment variable and improve domain check logging in certificate script
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-15 09:29:42 +02:00
gyurix
67ea15291c Increase restart attempts in proxy configuration and add domain check logging in certificate script
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-15 08:31:25 +02:00
gyurix
9ebbed0696 Restrict certificate generation to non-localhost domains
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-14 12:20:01 +02:00
Gyorgy Berenyi
0c841706a8 Update letsencrypt.json
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-30 06:44:12 +00:00
gyurix
4b86c3067f Update LETSENCRYPT_OUTPUT initialization to use empty JSON object for improved structure
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-18 08:58:19 +01:00
gyurix
c402e960be Refactor JSON handling in check_certificates.sh to simplify domain entry updates
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-15 00:20:02 +01:00
gyurix
6f2a6ed610 Refactor JSON creation in check_certificates.sh to use from_entries for improved data structure
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-14 20:37:53 +01:00
gyurix
6359f9a4cf Refactor JSON output structure in check_certificates.sh for improved data handling
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-14 18:15:40 +01:00
gyurix
9073684f44 Remove base64 encoding of log content in check_certificates.sh for improved clarity
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-13 08:39:01 +01:00
gyurix
9a96b891f8 Enhance check_certificates.sh to initialize output file and improve JSON handling for domain status logging
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-12 23:12:12 +01:00
Gyorgy Berenyi
bf94d01c0f Update scripts/check_certificates.sh
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-12 20:05:33 +00:00
gyurix
3100110e23 adding debug volume and log conent
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-12 07:52:12 +01:00
gyurix
ba3be0fbd0 merged
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Merge branch 'master' of https://git.format.hu/format/proxy-scheduler
 2025-03-05 23:06:03 +01:00
gyurix
3dded502e7 update letsencrypt and firewall configurations to use 'safebox' registry and improve formatting 2025-03-05 23:05:39 +01:00
Gyorgy Berenyi
86d57693f6 Update .drone.yml
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-05 10:42:38 +00:00
Gyorgy Berenyi
e443266f75 Update .drone.yml 2025-03-05 10:41:59 +00:00
Gyorgy Berenyi
435237009a add drone.yml 2025-03-05 10:41:16 +00:00
Gyurix
f4f696ccd6 VOLUME_MOUNTS 2025-03-03 17:16:48 +01:00
hael
e3371457f3 SETUP_VERSION 2025-03-03 17:11:06 +01:00
gyurix
4f048de3bc missing variable check 2024-11-25 14:38:49 +01:00
gyurix
abb46b2426 typo 2024-11-25 14:32:54 +01:00
gyurix
f8e2aab2c4 removed host_ tag 2024-11-25 14:22:37 +01:00
gyurix
390d2cad75 correcting some typo 2024-11-25 13:20:17 +01:00
gyurix
9318cea882 corrected domain name variable usage even it contains asterisk character 2024-11-25 12:22:44 +01:00
Gyurix
3466187280 added external volume mounts and removes some 2024-11-23 12:40:45 +01:00
gyurix
4e8db26524 added force create mode 2024-10-17 11:53:33 +02:00
Gyurix
196d1d0bb9 corrected ssl content path 2024-10-14 13:30:31 +02:00
Gyurix
061e0b8099 removed docker binary mounts 2024-09-09 16:47:05 +02:00
gyurix
d9eaf7bfac format syntax for statement 2024-01-05 10:10:47 +00:00
gyurix
afab68d7de format syntax error 2024-01-05 10:58:18 +01:00
gyurix
0cbc75473b Added individual domain flag if user uses wildcard domain 2024-01-05 10:52:11 +01:00
gyurix
c50e1a6ff4 added asterisk character manage to haproxy config create 2024-01-05 10:18:40 +01:00
Gyorgy Berenyi
5a9a72275c Update proxy-scheduler.json 2023-12-11 07:16:48 +00:00
Gyorgy Berenyi
158cc48e92 Update proxy-scheduler.json 2023-11-09 06:54:26 +00:00
gyurix
a3f616e326 Added prechecked flag to service file start 2023-11-08 16:28:26 +00:00
gyurix
ce45a3545e Added json arg to service file 2023-11-08 16:22:43 +00:00
Gyorgy Berenyi
4a94d1d4fe Update scripts/check_certificates.sh 2023-11-07 13:10:35 +00:00
Gyorgy Berenyi
6034b81758 Update scripts/check_certificates.sh 2023-11-07 12:51:23 +00:00
gyurix
783fb41830 Added exact pattern for excluding changes 2023-08-17 11:48:41 +00:00
gyurix
30d094b442 Added exact pattern for excluding changes 2023-08-17 11:37:08 +00:00
Gyorgy Berenyi
5f92463d69 Update 'scripts/check_proxy_state.sh' 
Check whether containers in running but not up state
 2023-08-01 20:16:15 +00:00
gyurix
3be0ce5c32 Added firewall service file 2023-06-13 11:30:05 +00:00
gyurix
8b9d83fff7 Added firewall service file 2023-06-13 11:29:19 +00:00
gyurix
eb446cefed Added multiple arrays into temporary service file 2023-06-13 09:18:29 +00:00
gyurix
23beab8a6d Added multiple arrays into temporary service file 2023-06-13 09:01:21 +00:00
gyurix
fd3d8cf1db Added letsencrypt additional values 2023-06-12 14:06:48 +00:00
gyurix
653ae296ab Added letsencrypt additional values 2023-06-12 13:52:42 +00:00
gyurix
2f56105ec5 Added letsencrypt additional values 2023-06-12 13:35:40 +00:00
gyurix
e7ab2f7ea2 Added letsencrypt additional values 2023-06-12 13:26:02 +00:00
gyurix
8bc47ad120 Added letsencrypt additional values 2023-06-12 13:03:16 +00:00
gyurix
4657296579 Added letsencrypt additional values 2023-06-11 08:46:58 +00:00
gyurix
8f2a9e50cb restarting proxies when any certificate created 2023-06-09 07:51:34 +00:00
gyurix
9c51ea802e restarting proxies when any certificate created 2023-06-08 14:37:35 +00:00
gyurix
2e64b67aaf restarting proxies when any certificate created 2023-06-08 14:25:03 +00:00
Gyorgy Berenyi
9fc8949429 Update 'scripts/check_certificates.sh' 
Added exit rule once self signed certificate created at first time and added self sign certificate create when no any backend proxies found
 2023-06-08 07:38:10 +00:00
hael
a744f92f9f rewrite operation if nginx config file doesn't exists 2023-05-16 19:04:34 +00:00
root
7abe197967 MODIFY base data 2023-04-17 06:17:05 +00:00
Gyorgy Berenyi
55f06298df Update 'scripts/check_proxy_state.sh' 
Removed network restart process
 2023-04-11 09:40:40 +00:00
gyurix
c600c78d76 Change statement when proxies restarting 2023-03-13 20:48:38 +00:00
gyurix
33356f4b98 Introducing FORCE_RESTART variable and manage the proxy restart processes 2023-03-13 08:23:24 +00:00
hael
dbf7bc82ea sample files for testing 2023-02-22 11:44:05 +00:00
hael
55f0ebdd89 if allowed networks has changed then do not skip duplicated location but replace it (limit_except GET HEAD) 
remove_location: remove /
tmp filename fix
 2023-02-22 09:37:45 +00:00
hael
8c59ed2ce9 remove leading / in duplicate check 2023-02-14 13:48:43 +00:00
gyurix
aa6a84090a Completing proxy pass url with a hash 2023-02-03 11:39:50 +00:00
17 changed files with 1119 additions and 600 deletions
Expand all files Collapse all files

50
.drone.yml Normal file
View File

@@ -0,0 +1,50 @@
kind: pipeline
type: kubernetes
name: default
node_selector:
physical-node: dev2
trigger:
branch:
- master
event:
- push
workspace:
path: /drone/src
steps:
- name: build multiarch proxy-scheduler
image: docker.io/owncloudci/drone-docker-buildx:4
privileged: true
environment:
BUILDKIT_NO_HTTP2: "1"
settings:
cache-from: [ "registry.dev.format.hu/proxy-scheduler" ]
registry: registry.dev.format.hu
repo: registry.dev.format.hu/proxy-scheduler
tags: latest
dockerfile: Dockerfile
username:
from_secret: dev-hu-registry-username
password:
from_secret: dev-hu-registry-password
platforms:
- linux/amd64
- linux/arm64
- name: pull image to dockerhub
image: docker.io/owncloudci/drone-docker-buildx:4
privileged: true
settings:
cache-from: [ "safebox/proxy-scheduler" ]
repo: safebox/proxy-scheduler
tags: latest
username:
from_secret: dockerhub-username
password:
from_secret: dockerhub-password
platforms:
- linux/amd64
- linux/arm64

4
Dockerfile
View File

@@ -1,4 +1,6 @@
FROM proxy-scheduler:latest FROM alpine
RUN apk add --update --no-cache docker-cli inotify-tools openssl jq curl ca-certificates busybox-extras
COPY scripts /scripts COPY scripts /scripts
COPY firewall-letsencrypt.json /firewall-files/
ENTRYPOINT ["/scripts/scheduler.sh"] ENTRYPOINT ["/scripts/scheduler.sh"]

70
firewall-letsencrypt.json Normal file
View File

@@ -0,0 +1,70 @@
{
"main": {
"SERVICE_NAME": "firewalls",
"DOMAIN": "null"
},
"containers": [
{
"IMAGE": "safebox/firewall",
"NAME": "firewall",
"MEMORY": "64M",
"NETWORK": "host",
"SCALE": "0",
"VOLUMES": [
{
"SOURCE": "/run/",
"DEST": "/run/",
"TYPE": "rw"
},
{
"SOURCE": "/etc/user/config/services",
"DEST": "/services",
"TYPE": "ro"
},
{
"SOURCE": "/etc/system/data/dns/hosts.local",
"DEST": "/etc/dns/hosts.local",
"TYPE": "ro"
}
],
"PORTS": [],
"READYNESS": [
{
"tcp": ""
},
{
"HTTP": ""
},
{
"EXEC": "/ready.sh"
}
],
"ENVS": [
{
"CHAIN": "DOCKER-USER"
},
{
"SOURCE": "smarthostloadbalancer"
},
{
"TARGET": "letsencrypt"
},
{
"TYPE": "tcp"
},
{
"TARGET_PORT": "80"
},
{
"COMMENT": "letsencrypt"
}
],
"EXTRA": "--privileged --rm",
"DEPEND": "null",
"START_ON_BOOT": "false",
"CMD": "null",
"PRE_START": "null",
"POST_START": "null"
}
]
}

109
letsencrypt.json
View File

@@ -1,49 +1,64 @@
{ {
"main": { "main": {
"SERVICE_NAME": "letsencrypt", "SERVICE_NAME": "letsencrypt",
"DOMAIN": "null" "DOMAIN": "null"
}, },
"networks": [ "networks": [
{ {
"NAME": "letsencrypt", "NAME": "letsencrypt",
"DRIVER": "bridge", "DRIVER": "bridge",
"SUBNET": "172.18.254.0/24", "SUBNET": "172.18.254.0/24",
"RANGE": "172.18.254.0/24", "RANGE": "172.18.254.0/24",
"GATEWAY": "172.18.254.1" "GATEWAY": "172.18.254.1"
} }
], ],
"containers": [ "containers": [
{ {
"IMAGE": "registry.format.hu/letsencrypt", "IMAGE": "safebox/letsencrypt",
"NAME": "letsencrypt", "NAME": "letsencrypt",
"MEMORY": "64M", "MEMORY": "64M",
"IP": "172.18.254.254", "IP": "172.18.254.254",
"NETWORK": "letsencrypt", "NETWORK": "letsencrypt",
"VOLUMES": [ "VOLUMES": [
{ {
"SOURCE": "/etc/ssl/keys/", "SOURCE": "/etc/system/data/ssl/keys/",
"DEST": "/acme.sh/", "DEST": "/acme.sh/",
"TYPE": "rw" "TYPE": "rw"
}, },
{ {
"SOURCE": "/etc/user/config/domains", "SOURCE": "SHARED",
"DEST": "/domains", "DEST": "/var/tmp/shared",
"TYPE": "ro" "TYPE": "rw"
} },
], {
"PORTS": [ ], "SOURCE": "/etc/user/config/domains",
"ENV_FILES": [ "/etc/user/config/user.json" ], "DEST": "/domains",
"READYNESS": [ "TYPE": "ro"
{"tcp": ""}, }
{"HTTP": ""}, ],
{"EXEC": "/ready.sh"} "PORTS": [],
], "ENV_FILES": [
"EXTRA": "", "/etc/user/config/user.json"
"DEPEND": "null", ],
"START_ON_BOOT": "false", "READYNESS": [
"CMD": "null", {
"PRE_START": "null", "tcp": ""
"POST_START": [ "firewall-29eexhrh" ] },
} {
] "HTTP": ""
},
{
"EXEC": "/ready.sh"
}
],
"EXTRA": "",
"DEPEND": "null",
"START_ON_BOOT": "false",
"CMD": "null",
"PRE_START": "null",
"POST_START": [
"firewall-letsencrypt"
]
}
]
} }

141
proxy-scheduler.json
View File

@@ -1,67 +1,82 @@
{ {
"main": { "main": {
"SERVICE_NAME": "proxy-scheduler", "SERVICE_NAME": "proxy-scheduler",
"DOMAIN": "null" "DOMAIN": "null"
}, },
"containers": [ "containers": [
{
"IMAGE": "safebox/proxy-scheduler:latest",
"NAME": "proxy_scheduler",
"MEMORY": "64M",
"IP": "null",
"NETWORK": "host",
"VOLUMES": [
{ {
"IMAGE": "registry.format.hu/proxy-scheduler:latest", "SOURCE": "SHARED",
"NAME": "proxy_scheduler-ifhiwhhg", "DEST": "/var/tmp/shared",
"MEMORY": "64M", "TYPE": "rw"
"IP": "null", },
"NETWORK": "host", {
"VOLUMES": [ "SOURCE": "/etc/user/config/services",
{ "DEST": "/etc/user/config/services",
"SOURCE": "/etc/user/config/domains", "TYPE": "rw"
"DEST": "/domains", },
"TYPE": "ro" {
}, "SOURCE": "/etc/user/config/domains",
{ "DEST": "/domains",
"SOURCE": "/etc/ssl/keys", "TYPE": "ro"
"DEST": "/keys", },
"TYPE": "rw" {
}, "SOURCE": "/etc/system/data/ssl/keys",
{ "DEST": "/keys",
"SOURCE": "/etc/ssl/certs/", "TYPE": "rw"
"DEST": "/etc/ssl/certs/", },
"TYPE": "ro" {
}, "SOURCE": "/etc/system/data/ssl/certs/",
{ "DEST": "/etc/ssl/certs/",
"SOURCE": "/etc/system/config/public-proxy/nginx", "TYPE": "ro"
"DEST": "/proxy_config", },
"TYPE": "rw" {
}, "SOURCE": "/etc/system/config/public-proxy/nginx",
{ "DEST": "/proxy_config",
"SOURCE": "/etc/user/config/services/public-proxy.json", "TYPE": "rw"
"DEST": "/public-proxy.json", },
"TYPE": "ro" {
}, "SOURCE": "/etc/user/config/services/public-proxy.json",
{ "DEST": "/public-proxy.json",
"SOURCE": "/var/run/docker.sock", "TYPE": "ro"
"DEST": "/var/run/docker.sock", },
"TYPE": "rw" {
}, "SOURCE": "/var/run/docker.sock",
{ "DEST": "/var/run/docker.sock",
"SOURCE": "/usr/bin/docker", "TYPE": "rw"
"DEST": "/usr/bin/docker",
"TYPE": "ro"
}
],
"PORTS": [ ],
"READYNESS": [
{"tcp": ""},
{"HTTP": ""},
{"EXEC": "/ready.sh"}
],
"ENVS": [
],
"ENV_FILES": [ "/etc/system/config/proxy.json" ],
"EXTRA": "null",
"DEPEND": [ "public-proxy.networks.loadbalancer", "public-proxy.containers.loadbalancer-27dhuwdh" ],
"START_ON_BOOT": "true",
"CMD": "null",
"PRE_START": "null",
"POST_START": "null"
} }
] ],
"PORTS": [],
"READYNESS": [
{
"tcp": ""
},
{
"HTTP": ""
},
{
"EXEC": "/ready.sh"
}
],
"ENVS": [],
"ENV_FILES": [
"/etc/system/config/proxy.json"
],
"EXTRA": "null",
"DEPEND": [
"public-proxy.networks.loadbalancer",
"public-proxy.containers.loadbalancer-27dhuwdh"
],
"START_ON_BOOT": "true",
"CMD": "null",
"PRE_START": "null",
"POST_START": "null"
}
]
} }

94
proxy.json
View File

@@ -1,49 +1,49 @@
{ {
"firewall_loadbalancer_wireguard_prerouting": { "firewall_loadbalancer_wireguard_prerouting": {
"NAME": "wireguard_proxy_client", "NAME": "wireguard_proxy_client",
"PREROUTING": "true", "PREROUTING": "true",
"TARGET_IP": "172.18.100.2", "TARGET_IP": "172.18.100.2",
"TYPE": "tcp", "TYPE": "tcp",
"SOURCE_PORT_1": "80", "SOURCE_PORT_1": "80",
"SOURCE_PORT_2": "443", "SOURCE_PORT_2": "443",
"TARGET_PORT_1": "80", "TARGET_PORT_1": "80",
"TARGET_PORT_2": "443", "TARGET_PORT_2": "443",
"COMMENT": "edeg3e98" "COMMENT": "edeg3e98"
}, },
"firewall_loadbalancer_wireguard_postrouting": { "firewall_loadbalancer_wireguard_postrouting": {
"NAME": "wireguard_proxy_client", "NAME": "wireguard_proxy_client",
"POSTROUTING": "true", "POSTROUTING": "true",
"TARGET_IP": "172.18.100.0", "TARGET_IP": "172.18.100.0",
"TARGET_PORT_1": "80", "TARGET_PORT_1": "80",
"TARGET_PORT_2": "443", "TARGET_PORT_2": "443",
"TYPE": "tcp", "TYPE": "tcp",
"COMMENT": "edeg3e98" "COMMENT": "edeg3e98"
}, },
"proxy_scheduler": { "proxy_scheduler": {
"DOCKER_REGISTRY_URL": "registry.format.hu", "DOCKER_REGISTRY_URL": "safebox",
"CERT_DIR": "/keys", "CERT_DIR": "/keys",
"DOMAIN_DIR": "/domains", "DOMAIN_DIR": "/domains",
"PROXY_SERVICE_FILE": "public-proxy.json", "PROXY_SERVICE_FILE": "public-proxy.json",
"PROXY_CONFIG_DIR": "/proxy_config", "PROXY_CONFIG_DIR": "/proxy_config",
"PROXY_TYPE": "haproxy", "PROXY_TYPE": "haproxy",
"TIMEOUT": "5", "TIMEOUT": "5",
"RESTART": "3", "RESTART": "10",
"ROLE": "backend-proxy", "ROLE": "backend-proxy",
"SERVICE_NAME": "public-proxy" "SERVICE_NAME": "public-proxy"
}, },
"proxy_scheduler_local": { "proxy_scheduler_local": {
"DOCKER_REGISTRY_URL": "registry.format.hu", "DOCKER_REGISTRY_URL": "safebox",
"PROXY_TYPE": "", "PROXY_TYPE": "",
"GENERATE_CERTIFICATE": "true", "GENERATE_CERTIFICATE": "true",
"LETSENCRYPT_URL": "letsencrypt.org", "LETSENCRYPT_URL": "letsencrypt.org",
"LETSENCRYPT_SERVICE_NAME": "letsencrypt.json", "LETSENCRYPT_SERVICE_NAME": "letsencrypt.json",
"CERT_DIR": "/keys", "CERT_DIR": "/keys",
"DOMAIN_DIR": "/domains", "DOMAIN_DIR": "/domains",
"PROXY_SERVICE_FILE": "public-proxy.json", "PROXY_SERVICE_FILE": "public-proxy.json",
"PROXY_CONFIG_DIR": "/proxy_config", "PROXY_CONFIG_DIR": "/proxy_config",
"TIMEOUT": "5", "TIMEOUT": "5",
"RESTART": "3", "RESTART": "3",
"ROLE": "backend-proxy", "ROLE": "backend-proxy",
"SERVICE_NAME": "public-proxy" "SERVICE_NAME": "public-proxy"
} }
} }

1
scripts/awk Normal file
View File

@@ -0,0 +1 @@
awk '/-----BEGIN CERTIFICATE-----/ {show=1} /-----END CERTIFICATE-----/ {show=1} show {print}' keys/$ovpn.crt >> result

291
scripts/check_certificates.sh
View File

@@ -2,147 +2,218 @@
# Set env variables # Set env variables
SERVICE_FILES=$SERVICE_FILES SERVICE_FILES=$SERVICE_FILES
GENERATE_CERTIFICATE=$GENERATE_CERTIFICATE GENERATE_CERTIFICATE=$GENERATE_CERTIFICATE
DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL
LETSENCRYPT_URL=$LETSENCRYPT_URL LETSENCRYPT_URL=$LETSENCRYPT_URL
LETSENCRYPT_SERVICE_NAME=$LETSENCRYPT_SERVICE_NAME LETSENCRYPT_SERVICE_NAME=$LETSENCRYPT_SERVICE_NAME
CERT_DIR=$CERT_DIR CERT_DIR=$CERT_DIR
DOMAIN_DIR=$DOMAIN_DIR DOMAIN_DIR=$DOMAIN_DIR
DOMAIN=$1 DOMAIN=$1
DOMAIN_CERT_DIR=$CERT_DIR/$DOMAIN DOMAIN_CERT_DIR=$CERT_DIR/$DOMAIN
TIMEOUT=$TIMEOUT TIMEOUT=$TIMEOUT
RESTART=$RESTART RESTART=$RESTART
# Setup docker registry url path SETUP_VERSION=${SETUP_VERSION:-latest}
LOG_DIR=/var/tmp/shared/output
LOG_FILE=$LOG_DIR/letsencrypt.txt
LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json
DATE=$(date +"%Y-%m-%d-%H-%M")
if [[ -n "$DOCKER_REGISTRY_URL" && "$DOCKER_REGISTRY_URL" != "null" ]] ; then create_json() {
SETUP="/setup";
else if [ ! -f $LETSENCRYPT_OUTPUT ]; then
SETUP="setup"; install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
DOCKER_REGISTRY_URL=""; echo '{}' >$LETSENCRYPT_OUTPUT
fi fi
TMP_FILE=$(mktemp)
jq '
if . == null or . == [] then
{"'$DOMAIN'":{"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
else
. + {"'$DOMAIN'": {"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
end
' $LETSENCRYPT_OUTPUT >$TMP_FILE
cat $TMP_FILE >$LETSENCRYPT_OUTPUT
rm $TMP_FILE
}
# Setting service files path # Setting service files path
if [ "$SERVICE_FILES" == "" ]; then if [ "$SERVICE_FILES" == "" ]; then
SERVICE_FILES=/etc/user/config/services SERVICE_FILES=/etc/user/config/services
fi
if [ "$SOURCE" == "" ]; then
SOURCE=/etc/user/config
fi
# Setup docker registry url path
if [[ -n "$DOCKER_REGISTRY_URL" && "$DOCKER_REGISTRY_URL" != "null" ]]; then
SETUP="/setup"
else
SETUP="setup"
DOCKER_REGISTRY_URL=""
fi
if [ "$SETUP_VERSION" == "latest" ]; then
VOLUME_MOUNTS="
--mount src=SYSTEM_DATA,dst=/etc/ssl/certs,volume-subpath=ssl/certs,ro \
--mount src=SYSTEM_DATA,dst=/etc/dns/hosts.local,volume-subpath=dns/hosts.local,ro \
--mount src=USER_CONFIG,dst=/services,volume-subpath=services/tmp \
--mount src=USER_CONFIG,dst=/etc/user/config/system.json,volume-subpath=system.json,ro \
--mount src=USER_CONFIG,dst=/etc/user/config/user.json,volume-subpath=user.json,ro \
"
else
VOLUME_MOUNTS="
-v /etc/system/data/dns:/etc/dns:rw \
-v /etc/ssl/certs:/etc/ssl/certs:ro \
-v /etc/user/config/user.json:/etc/user/config/user.json:ro \
-v /etc/user/config/system.json:/etc/user/config/system.json:ro \
-v /etc/user/config/services/:/services/:ro \
-v /etc/user/config/services/tmp:/services/tmp:rw \
"
fi fi
service_exec="docker run --rm \ service_exec="docker run --rm \
-w /services/ \ -w /services/ \
-v $SERVICE_FILES/:/services/:ro \ $VOLUME_MOUNTS
-v $SERVICE_FILES/tmp/:/services/tmp/:rw \ -v /var/run/docker.sock:/var/run/docker.sock \
-v /var/run/docker.sock:/var/run/docker.sock \ --env DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL \
-v /usr/bin/docker:/usr/bin/docker:ro \ $DOCKER_REGISTRY_URL$SETUP:$SETUP_VERSION"
--env TIMEOUT=$TIMEOUT \
--env RESTART=$RESTART \
--env DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL $DOCKER_REGISTRY_URL$SETUP"
letsencrypt_certificates() { letsencrypt_certificates() {
local RUNNING_CONTAINERS; #cd /
cd / for retries in $(seq 0 $((RESTART + 1))); do
if [[ $retries -le $RESTART ]]; then
# Check services with running containers by roles LETS_ENCRYPT_VALUE="$(docker ps | grep letsencrypt | grep Up | wc -l)"
for CONTAINER in $(jq -r --arg ROLE $ROLE '.containers[] | select(.ROLES==$ROLE)' /$PROXY_SERVICE_FILE | jq -r .NAME) ; do if [[ $LETS_ENCRYPT_VALUE -eq 0 ]]; then
UP=$(docker ps | grep $CONTAINER | grep Up | wc -l) echo "Starting letsencrypt process"
RUNNING_CONTAINERS=$((RUNNING_CONTAINERS + UP)) mkdir -p $SERVICE_FILES/tmp/tmp
done; cp -av /firewall-files/firewall-letsencrypt.json $SERVICE_FILES/tmp/
LETSENCRYPT_TEMP_SERVICE_FILE=$(mktemp -p $SERVICE_FILES/tmp/)
ENVS='[
{"DOMAIN": "'$DOMAIN'"},
{"TIMEOUT": "'$TIMEOUT'"},
{"RESTART": "'$RESTART'"}
]'
VOLUMES='
{
"SOURCE": "/etc/user/config/user.json",
"DEST": "/etc/user/config/user.json",
"TYPE": "ro"
}
'
jq '.containers[0].ENVS |='"$ENVS"' | .containers[0].VOLUMES[.containers[0].VOLUMES|length]|='"$VOLUMES" $SERVICE_FILES/$LETSENCRYPT_SERVICE_NAME >$LETSENCRYPT_TEMP_SERVICE_FILE.json
$service_exec $(basename $LETSENCRYPT_TEMP_SERVICE_FILE) start info prechecked
rm -v $SERVICE_FILES/tmp/firewall-letsencrypt.json
break
else
echo "Waiting "$TIMEOUT" second for previous letsencrypt process ending"
sleep $TIMEOUT
# In case of no running proxies found, try to start the service echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process."
if [[ "$RUNNING_CONTAINERS" -eq 0 ]] ; then fi
echo "No running proxies found, create self signed cetificate"; else
fi; echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate"
fi
for retries in $(seq 0 $((RESTART + 1))); do done
if [[ $retries -le $RESTART ]] ; then
LETS_ENCRYPT_VALUE="$(docker ps | grep letsencrypt | grep Up | wc -l)";
if [[ $LETS_ENCRYPT_VALUE -eq 0 ]] ; then
echo "Starting letsencrypt process";
$service_exec $LETSENCRYPT_SERVICE_NAME start info;
break;
else
echo "Waiting "$TIMEOUT" second for previous letsencrypt process ending";
sleep $TIMEOUT;
echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process."
fi
else
echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate";
fi
done
} }
create_self_signed_certificate() { create_self_signed_certificate() {
# Check any certificate exxits # Check any certificate exists
if [[ ! -f $DOMAIN_CERT_DIR/key.pem && ! -f $DOMAIN_CERT_DIR/fullchain.pem && ! -f $DOMAIN_CERT_DIR/cert.pem ]] ; then if [[ ! -f $DOMAIN_CERT_DIR/key.pem && ! -f $DOMAIN_CERT_DIR/fullchain.pem && ! -f $DOMAIN_CERT_DIR/cert.pem ]]; then
# generate key # generate key
echo "No any certificates found, generate self signed"; echo "No any certificates found, generate self signed"
openssl req -x509 -newkey rsa:4096 -keyout $DOMAIN_CERT_DIR/key.pem -out $DOMAIN_CERT_DIR/cert.pem -days 365 -sha256 -nodes -subj "/CN=$DOMAIN"; openssl req -x509 -newkey rsa:4096 -keyout $DOMAIN_CERT_DIR/key.pem -out $DOMAIN_CERT_DIR/cert.pem -days 365 -sha256 -nodes -subj "/CN=$DOMAIN"
cp -a $DOMAIN_CERT_DIR/cert.pem $DOMAIN_CERT_DIR/fullchain.pem; cp -a $DOMAIN_CERT_DIR/cert.pem $DOMAIN_CERT_DIR/fullchain.pem
touch $DOMAIN_CERT_DIR/new_certificate;
fi fi
} }
if [ ! -d "$DOMAIN_CERT_DIR" ]; then if [ ! -d "$DOMAIN_CERT_DIR" ]; then
echo "$DOMAIN not contains certificates, creates new." echo "$DOMAIN not contains certificates, creates new."
mkdir -p $DOMAIN_CERT_DIR; mkdir -p $DOMAIN_CERT_DIR
fi fi
if [ ! -f "$DOMAIN_CERT_DIR/dhparam.pem" ]; then if [ ! -f "$DOMAIN_CERT_DIR/dhparam.pem" ]; then
# generate dhparam file # generate dhparam file
openssl dhparam -dsaparam -out $DOMAIN_CERT_DIR/dhparam.pem 4096; openssl dhparam -dsaparam -out $DOMAIN_CERT_DIR/dhparam.pem 4096
fi create_self_signed_certificate
if [ "$GENERATE_CERTIFICATE" == "true" ]; then PROXY_NAMES=""
# Check services with running containers by roles
for CONTAINER in $(jq -r --arg ROLE $ROLE '.containers[] | select(.ROLES==$ROLE)' /$PROXY_SERVICE_FILE | jq -r .NAME); do
PROXY_NAMES=$PROXY_NAMES" "$CONTAINER
done
create_self_signed_certificate; for NAME in $(echo $PROXY_NAMES); do
sleep 10; RUNNING_CONTAINER=$(docker ps | grep $NAME | grep Up)
if [ "$RUNNING_CONTAINER" != "" ]; then
CURL_CHECK="curl -s -o /dev/null -w "%{http_code}" https://$LETSENCRYPT_URL"; echo "Restarting $NAME"
docker restart $NAME
if [[ "$(eval $CURL_CHECK)" == "200" ]] ; then else
echo "Starting $NAME"
file="$DOMAIN_CERT_DIR/letsencrypt" docker start $NAME
{ fi
echo "{ \"DOMAIN\": \"$DOMAIN\" }" docker ps | grep $NAME
} >> "$file"; done
DOMAIN_CHECK="curl -s -o /dev/null -w "%{http_code}" http://$DOMAIN"; fi
if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]] ; then
letsencrypt_certificates; if [ "$GENERATE_CERTIFICATE" == "true" ] && [ "$DOMAIN" != "localhost" ]; then
echo "Started letsencrypt for domain: $DOMAIN first time"
else CURL_CHECK="curl -s -o /dev/null -w "%{http_code}" https://$LETSENCRYPT_URL"
echo "Not starting letsencrypt, waiting $TIMEOUT seconds"
for retries in $(seq 0 $((RESTART + 1))); do if [[ "$(eval $CURL_CHECK)" == "200" ]]; then
if [[ $retries -le $RESTART ]] ; then
sleep $TIMEOUT; file="$DOMAIN_CERT_DIR/letsencrypt"
echo "Starting letsencrypt process again"; {
if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]] ; then echo "{ \"DOMAIN\": \"$DOMAIN\" }"
letsencrypt_certificates; } >>"$file"
echo "Started letsencrypt for domain: $DOMAIN second time"
break; if [ ! -f $LETSENCRYPT_OUTPUT ]; then
else install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
echo "Waiting "$TIMEOUT" second for starting proxies"; echo '{}' >$LETSENCRYPT_OUTPUT
sleep $TIMEOUT; fi
echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process." DOMAIN_CHECK="curl -s -o /dev/null -w "%{http_code}" http://$DOMAIN"
fi if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then
else echo "DOMAIN CHECK: $(eval $DOMAIN_CHECK)"
echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate"; letsencrypt_certificates
fi echo "Started letsencrypt for domain: $DOMAIN first time"
else
done echo "Not starting letsencrypt, waiting $TIMEOUT seconds"
fi for retries in $(seq 0 $((RESTART + 1))); do
fi if [[ $retries -le $RESTART ]]; then
sleep $TIMEOUT
echo "Starting letsencrypt process again"
if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then
echo "DOMAIN CHECK: $(eval $DOMAIN_CHECK)"
letsencrypt_certificates
echo "Started letsencrypt for domain: $DOMAIN second time"
break
else
echo "Waiting "$TIMEOUT" second for starting proxies"
sleep $TIMEOUT
echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process."
fi
else
LOG=$(echo "The domain '$DOMAIN' could not reachable. Reached retrying limit: '$RESTART', giving up to start lets encrypt process, try self sign the certificate" | base64 -w0)
STATUS="failed"
create_json $DOMAIN $STATUS "$LOG"
fi
done
fi
fi
fi fi

39
scripts/check_proxy_state.sh
View File

@@ -20,6 +20,7 @@ ROLE=$ROLE
SERVICE_NAME=$SERVICE_NAME SERVICE_NAME=$SERVICE_NAME
PROXY_CONFIG_DIR=$PROXY_CONFIG_DIR PROXY_CONFIG_DIR=$PROXY_CONFIG_DIR
SETUP_VERSION=${SETUP_VERSION:-latest};
# Setup docker registry url path # Setup docker registry url path
@@ -76,9 +77,8 @@ service_exec="docker run --rm \
-v /etc/user/config/services/:/services/:ro \ -v /etc/user/config/services/:/services/:ro \
-v /etc/user/config/services/tmp/:/services/tmp/:rw \ -v /etc/user/config/services/tmp/:/services/tmp/:rw \
-v /var/run/docker.sock:/var/run/docker.sock \ -v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/bin/docker:/usr/bin/docker:ro \
--env DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL \ --env DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL \
$DOCKER_REGISTRY_URL$SETUP" $DOCKER_REGISTRY_URL$SETUP:$SETUP_VERSION"
do_proxy_restart() { do_proxy_restart() {
@@ -86,24 +86,32 @@ do_proxy_restart() {
for PROXY_NAME in $NAMES ; do for PROXY_NAME in $NAMES ; do
docker stop $PROXY_NAME;
docker start $PROXY_NAME; DO_RESTART="true";
sleep $TIMEOUT; if [ "$FORCE_RESTART" != "true" ]; then
if docker ps | grep $PROXY_NAME ; then docker stop $PROXY_NAME;
echo "$PROXY_NAME restarted successful"; docker start $PROXY_NAME;
else sleep $TIMEOUT;
if docker ps | grep $PROXY_NAME | grep Up ; then
echo "$PROXY_NAME restarted successful";
DO_RESTART="false";
fi
fi
if [ "$DO_RESTART" == "true" ]; then
for retries in $(seq 0 $((RESTART + 1))); do for retries in $(seq 0 $((RESTART + 1))); do
if [[ $retries -le $RESTART ]] ; then if [[ $retries -le $RESTART ]] ; then
echo "Proxy "$PROXY_NAME" restarting in progress"; echo "Proxy "$PROXY_NAME" restarting in progress";
$service_exec $SERVICE_NAME.containers.$PROXY_NAME stop force; $service_exec $SERVICE_NAME.containers.$PROXY_NAME stop force;
# finding network name for starting affected network ## finding network name for starting affected network
NETWORK_NAME=$(jq -r --arg NAME $PROXY_NAME '.containers[] | select(.NAME==$NAME)' $PROXY_SERVICE_FILE | jq -r .NETWORK) #NETWORK_NAME=$(jq -r --arg NAME $PROXY_NAME '.containers[] | select(.NAME==$NAME)' $PROXY_SERVICE_FILE | jq -r .NETWORK)
#$service_exec $SERVICE_NAME.networks.$NETWORK_NAME start
$service_exec $SERVICE_NAME.networks.$NETWORK_NAME start
$service_exec $SERVICE_NAME.containers.$PROXY_NAME start $service_exec $SERVICE_NAME.containers.$PROXY_NAME start
sleep $TIMEOUT; sleep $TIMEOUT;
if docker ps | grep $PROXY_NAME ; then if docker ps | grep $PROXY_NAME | grep Up ; then
echo "$PROXY_NAME restarted successful"; echo "$PROXY_NAME restarted successful";
break ; break ;
else else
@@ -116,7 +124,6 @@ do_proxy_restart() {
done done
fi fi
done done
} }
check_domain() { check_domain() {
@@ -178,7 +185,7 @@ elif [[ "$RUNNING_CONTAINERS" -eq 0 ]] ; then
for proxies in $CONTAINERS ; do for proxies in $CONTAINERS ; do
if docker ps | grep $proxies ; then if docker ps | grep $proxies | grep Up; then
echo "$proxies started successful"; echo "$proxies started successful";
else else
echo "$proxies starting was unsuccesful"; echo "$proxies starting was unsuccesful";
@@ -196,7 +203,7 @@ elif [[ "$RUNNING_CONTAINERS" -eq 1 ]] ; then
do_proxy_restart $proxies; do_proxy_restart $proxies;
if docker ps | grep $proxies ; then if docker ps | grep $proxies | grep Up ; then
echo "$proxies started successful"; echo "$proxies started successful";
else else
echo "$proxies starting was unsuccesful"; echo "$proxies starting was unsuccesful";
@@ -211,7 +218,7 @@ elif [[ "$RUNNING_CONTAINERS" -eq 1 ]] ; then
# At last need to restart the only one running proxy when the others started successful. # At last need to restart the only one running proxy when the others started successful.
for CHECK_PROXIES in $CONTAINERS ; do for CHECK_PROXIES in $CONTAINERS ; do
if [[ $CHECK_PROXIES != $ONLY_RUNNING_PROXY_NAME ]] ; then if [[ $CHECK_PROXIES != $ONLY_RUNNING_PROXY_NAME ]] ; then
if docker ps | grep $CHECK_PROXIES ; then if docker ps | grep $CHECK_PROXIES | grep Up ; then
echo "Not running proxies successfuly started, let's start the only running one."; echo "Not running proxies successfuly started, let's start the only running one.";
do_proxy_restart $ONLY_RUNNING_PROXY_NAME; do_proxy_restart $ONLY_RUNNING_PROXY_NAME;
else else

213
scripts/config_haproxy_create.sh
View File

@@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
# Initial parameters # Initial parameters
DATE=`date +%F-%H-%M-%S` DATE=$(date +%F-%H-%M-%S)
DOMAIN=$1 DOMAIN=$1
@@ -19,113 +19,162 @@ cp -a /scripts/haproxy_template.cfg $PROXY_CONFIG_DIR/haproxy.cfg
{ {
echo "frontend http echo "frontend http
"; "
cat "$global_http" cat "$global_http"
echo echo
#echo "acl letsencrypt path_beg /.well-known/acme-challenge/"; #echo "acl letsencrypt path_beg /.well-known/acme-challenge/";
echo echo
for i in `ls $DOMAIN_DIR|cut -d / -f2` ; do for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
if [[ "$(jq -r .REDIRECT_HTTPS $i)" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]] DOMAIN_NAME=$(jq -r .DOMAIN $i)
then if [[ "$(jq -r .REDIRECT_HTTPS $i)" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
echo "redirect prefix https://$(jq -r .REDIRECT_HTTPS $i) code 301 if { hdr(host) -i $(jq -r .DOMAIN $i) }"; echo "redirect prefix https://$(jq -r .REDIRECT_HTTPS $i) code 301 if { hdr(host) -i $DOMAIN_NAME }"
fi fi
done done
echo echo
for i in `ls $DOMAIN_DIR|cut -d / -f2` ; do for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]] DOMAIN_NAME=$(jq -r .DOMAIN $i)
then if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
echo "acl $(jq -r .DOMAIN $i)_http hdr(host) -i $(jq -r .DOMAIN $i)";
fi
if [[ "$(jq -r .DOMAIN $i)" != "letsencrypt" && "$(jq -r .HTTP_PORT $i)" != "" && "$(jq -r .ALIASES_HTTP[] $i)" != "" ]] TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
then WILDCARD=$(echo $DOMAIN_NAME | grep '*')
ALIASES_LIST=$(jq -r .ALIASES_HTTP[] $i)
for ALIAS in $ALIASES_LIST
do
echo "acl $(jq -r .DOMAIN $i)_http hdr(host) -i $ALIAS";
done
fi
done if [ "$WILDCARD" != "" ]; then
HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
echo "acl $HOST."$TLD"_http hdr(host) -m reg -i ^[^\.]+\."$HOST"\."$TLD"$"
else
echo "acl "$DOMAIN_NAME"_http hdr(host) -i $DOMAIN_NAME"
fi
fi
echo if [[ "$DOMAIN_NAME" != "letsencrypt" && "$(jq -r .HTTP_PORT $i)" != "" && "$(jq -r .ALIASES_HTTP[] $i)" != "" ]]; then
ALIASES_LIST=$(jq -r .ALIASES_HTTP[] $i)
for ALIAS in $ALIASES_LIST; do
echo "acl "$DOMAIN_NAME"_http hdr(host) -i $ALIAS"
done
fi
#echo "use_backend letsencrypt_http if letsencrypt" done
for i in `ls $DOMAIN_DIR|cut -d / -f2` ; do echo
if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTP_PORTS $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]] #echo "use_backend letsencrypt_http if letsencrypt"
then
echo "use_backend $(jq -r .DOMAIN $i)_http if $(jq -r .DOMAIN $i)_http";
fi
done
echo for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
for i in `ls $DOMAIN_DIR|cut -d / -f2` ; do DOMAIN_NAME=$(jq -r .DOMAIN $i)
TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
WILDCARD=$(echo $DOMAIN_NAME | grep '*')
if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTP_PORT $i)" != "" ]] if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTP_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
then if [ "$WILDCARD" != "" ]; then
echo "backend $(jq -r .DOMAIN $i)_http"; HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
echo " mode http"; echo "use_backend $HOST."$TLD"_http if $HOST."$TLD"_http"
echo " server $(jq -r .DOMAIN $i) $(jq -r .LOCAL_NAME $i):$(jq -r .HTTP_PORT $i) send-proxy"; else
fi echo "use_backend "$DOMAIN_NAME"_http if "$DOMAIN_NAME"_http"
done fi
fi
done
echo echo
echo "frontend https for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
";
cat "$global_https" DOMAIN_NAME=$(jq -r .DOMAIN $i)
echo TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
WILDCARD=$(echo $DOMAIN_NAME | grep '*')
for i in `ls $DOMAIN_DIR|cut -d / -f2` ; do if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTP_PORT $i)" != "" ]]; then
if [ "$WILDCARD" != "" ]; then
HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
echo "backend $HOST."$TLD"_http"
echo " mode http"
echo " server $HOST.$TLD $(jq -r .LOCAL_NAME $i):$(jq -r .HTTP_PORT $i) send-proxy"
else
echo "backend "$DOMAIN_NAME"_http"
echo " mode http"
echo " server $DOMAIN_NAME $(jq -r .LOCAL_NAME $i):$(jq -r .HTTP_PORT $i) send-proxy"
fi
fi
done
if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]] echo
then
echo "acl $(jq -r .DOMAIN $i)_https req_ssl_sni -i $(jq -r .DOMAIN $i)";
fi
if [[ "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .ALIASES_HTTPS[] $i)" != "" ]]
then
ALIASES_LIST=$(jq -r .ALIASES_HTTPS[] $i)
for ALIAS in $ALIASES_LIST
do
echo "acl $(jq -r .DOMAIN $i)_https req_ssl_sni -i $ALIAS";
done
fi
done
echo echo "frontend https"
for i in `ls $DOMAIN_DIR|cut -d / -f2` ; do echo
if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]] cat "$global_https"
then echo
echo "use_backend $(jq -r .DOMAIN $i)_https if $(jq -r .DOMAIN $i)_https";
fi
done
echo for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
DOMAIN_NAME=$(jq -r .DOMAIN $i)
TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
WILDCARD=$(echo $DOMAIN_NAME | grep '*')
for i in `ls $DOMAIN_DIR|cut -d / -f2` ; do if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
if [[ "$(jq -r .DOMAIN $i)" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .DOMAIN $i)" != "letsencrypt" ]] if [ "$WILDCARD" != "" ]; then
then HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
echo "backend $(jq -r .DOMAIN $i)_https"; echo "acl $HOST."$TLD"_https req_ssl_sni -i ^[^\.]+\.$HOST\."$TLD"$"
echo " option ssl-hello-chk"; else
echo " mode tcp"; echo "acl "$DOMAIN_NAME"_https req_ssl_sni -i $DOMAIN_NAME"
echo " server $(jq -r .DOMAIN $i) $(jq -r .LOCAL_NAME $i):$(jq -r .HTTPS_PORT $i) check send-proxy"; fi
fi fi
done if [[ "$(jq -r .HTTPS_PORT $i)" != "" && "$(jq -r .ALIASES_HTTPS[] $i)" != "" ]]; then
ALIASES_LIST=$(jq -r .ALIASES_HTTPS[] $i)
for ALIAS in $ALIASES_LIST; do
echo "acl $HOST."$TLD"_https req_ssl_sni -i $ALIAS"
done
fi
done
} >> "$file"; echo
echo "$DOMAIN" >> $PROXY_CONFIG_DIR/new_config
for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
DOMAIN_NAME=$(jq -r .DOMAIN $i)
TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
WILDCARD=$(echo $DOMAIN_NAME | grep '*')
if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
if [ "$WILDCARD" != "" ]; then
HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
echo "use_backend $HOST."$TLD"_https if $HOST."$TLD"_https"
else
echo "use_backend "$DOMAIN_NAME"_https if "$DOMAIN_NAME"_https"
fi
fi
done
echo
for i in $(ls $DOMAIN_DIR | cut -d / -f2); do
if [[ "$DOMAIN_NAME" != "" && "$(jq -r .HTTPS_PORT $i)" != "" && "$DOMAIN_NAME" != "letsencrypt" ]]; then
DOMAIN_NAME=$(jq -r .DOMAIN $i)
TLD="$(echo $DOMAIN_NAME | rev | cut -d '.' -f1 | rev)"
WILDCARD=$(echo $DOMAIN_NAME | grep '*')
if [ "$WILDCARD" != "" ]; then
HOST=$(echo $DOMAIN_NAME | rev | cut -d '.' -f2- | rev | cut -d '.' -f2-)
echo "backend $HOST."$TLD"_https"
echo " option ssl-hello-chk"
echo " mode tcp"
echo " server $HOST.$TLD $(jq -r .LOCAL_NAME $i):$(jq -r .HTTPS_PORT $i) check send-proxy"
else
echo "backend "$DOMAIN_NAME"_https"
echo " option ssl-hello-chk"
echo " mode tcp"
echo " server $DOMAIN_NAME $(jq -r .LOCAL_NAME $i):$(jq -r .HTTPS_PORT $i) check send-proxy"
fi
fi
done
} >>"$file"
echo "$DOMAIN" >>$PROXY_CONFIG_DIR/new_config

87
scripts/domain.example.conf Normal file
View File

@@ -0,0 +1,87 @@
server {
listen 80 proxy_protocol;
server_name domain.example;
set_real_ip_from 0.0.0.0/0;
real_ip_header proxy_protocol;
rewrite_log on;
return 301 https://domain.example;
}
server {
listen 443 ssl proxy_protocol;
set_real_ip_from 0.0.0.0/0;
real_ip_header proxy_protocol;
server_name domain.example;
client_max_body_size 0;
rewrite_log on;
proxy_ssl_server_name on;
ssl_dhparam /etc/ssl/keys/domain.example/dhparam.pem;
ssl_certificate /etc/ssl/keys/fullchain.pem;
ssl_certificate_key /etc/ssl/keys/key.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !kDHE";
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
location / {
limit_except GET HEAD {
allow 192.168.109.1;
allow 192.168.109.2;
deny all;
}
proxy_pass http://domain-app:80;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_cookie_path / /;
proxy_set_header Connection $http_connection;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_next_upstream off;
proxy_redirect off;
proxy_buffering off;
}
location example2 {
proxy_pass http://example-app2-modified:80;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_cookie_path example2 example2;
proxy_set_header Connection $http_connection;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_next_upstream off;
proxy_redirect off;
proxy_buffering off;
}
# location end
location example {
limit_except GET HEAD {
allow 192.168.105.1
allow 192.168.106.1
allow 192.168.107.1
deny all;
}
proxy_pass http://example-app:80;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_cookie_path example example;
proxy_set_header Connection $http_connection;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_next_upstream off;
proxy_redirect off;
proxy_buffering off;
}
# location end
}

23
scripts/domains/app.domain.example Normal file
View File

@@ -0,0 +1,23 @@
{
"DEBUG": "true",
"DOMAIN": "domain.example",
"ALIASES_HTTP": [ ],
"ALIASES_HTTPS": [ ],
"LOCAL_NAME": "domain-app",
"HTTP_PORT": "",
"HTTPS_PORT": "80",
"ERROR_PAGE": "",
"REDIRECT_HTTP": "",
"REDIRECT_HTTPS": "",
"MAX_BODY_SIZE": "",
"ALLOWED_NETWORK": [ "192.168.109.1", "192.168.109.2", "192.168.110.2" ],
"OPERATION": "CREATE",
"ALTERNATE_LOCATION_PATH": [
{
"LOCAL_PATH": "example",
"LOCAL_NAME": "example-app",
"LOCAL_PORT": "",
"LOCAL_ALLOWED_NETWORK": [ "192.168.105.1", "192.168.106.1", "192.168.107.1" ]
}
]
}

24
scripts/domains/app2.domain.example Normal file
View File

@@ -0,0 +1,24 @@
{
"DEBUG": "true",
"DOMAIN": "domain.example",
"ALIASES_HTTP": [ ],
"ALIASES_HTTPS": [ ],
"LOCAL_NAME": "domain-app2",
"HTTP_PORT": "",
"HTTPS_PORT": "80",
"ERROR_PAGE": "",
"REDIRECT_HTTP": "",
"REDIRECT_HTTPS": "",
"MAX_BODY_SIZE": "",
"ALLOWED_NETWORK": [ ],
"OPERATION": "MODIFY",
"ALTERNATE_LOCATION_PATH": [
{
"LOCAL_PATH": "example2",
"LOCAL_NAME": "example-app2-modified",
"LOCAL_PORT": "",
"LOCAL_ALLOWED_NETWORK": [ ]
}
]
}

23
scripts/domains/app3.domain.example Normal file
View File

@@ -0,0 +1,23 @@
{
"DEBUG": "true",
"DOMAIN": "domain.example",
"ALIASES_HTTP": [ ],
"ALIASES_HTTPS": [ ],
"LOCAL_NAME": "domain-app",
"HTTP_PORT": "",
"HTTPS_PORT": "80",
"ERROR_PAGE": "",
"REDIRECT_HTTP": "",
"REDIRECT_HTTPS": "",
"MAX_BODY_SIZE": "",
"ALLOWED_NETWORK": [ ],
"ALTERNATE_LOCATION_PATH": [
{
"LOCAL_PATH": "example3",
"LOCAL_NAME": "example-app3",
"LOCAL_PORT": "",
"LOCAL_ALLOWED_NETWORK": [ ]
}
]
}

13
scripts/domains/domain.sample Normal file
View File

@@ -0,0 +1,13 @@
{
"DEBUG": "true",
"DOMAIN": "domain.example",
"ALIASES_HTTP": [ ],
"ALIASES_HTTPS": [ ],
"LOCAL_NAME": "domain-app",
"HTTP_PORT": "",
"HTTPS_PORT": "80",
"ERROR_PAGE": "",
"REDIRECT_HTTP": "",
"REDIRECT_HTTPS": "",
"MAX_BODY_SIZE": ""
}

489
scripts/nginx_config_create.sh
View File

@@ -4,13 +4,13 @@ GENERATE_CERTIFICATE=$GENERATE_CERTIFICATE
cd /proxy_config cd /proxy_config
FILENAME=$1 FILENAME="$1"
DOMAIN_SOURCE=/domains/$FILENAME DOMAIN_SOURCE=/domains/$FILENAME
#DOMAIN_SOURCE=./domains/$FILENAME #TEMP #DOMAIN_SOURCE=./domains/$FILENAME #TEMP
DOMAIN_NAME=$(jq -r .DOMAIN $DOMAIN_SOURCE) DOMAIN_NAME=$(jq -r .DOMAIN $DOMAIN_SOURCE)
HTTP_PORT=$(jq -r .HTTP_PORT $DOMAIN_SOURCE) HTTP_PORT=$(jq -r .HTTP_PORT $DOMAIN_SOURCE)
HTTPS_PORT=$(jq -r .HTTPS_PORT $DOMAIN_SOURCE); HTTPS_PORT=$(jq -r .HTTPS_PORT $DOMAIN_SOURCE)
ALIASES_HTTP=$(jq -r '.ALIASES_HTTP | select(.!="null") | join(" ")' $DOMAIN_SOURCE) ALIASES_HTTP=$(jq -r '.ALIASES_HTTP | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
ALIASES_HTTPS=$(jq -r '.ALIASES_HTTPS | select(.!="null") | join(" ")' $DOMAIN_SOURCE) ALIASES_HTTPS=$(jq -r '.ALIASES_HTTPS | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
REDIRECT_HTTP=$(jq -r .REDIRECT_HTTP $DOMAIN_SOURCE) REDIRECT_HTTP=$(jq -r .REDIRECT_HTTP $DOMAIN_SOURCE)
@@ -20,75 +20,91 @@ MAX_BODY_SIZE=$(jq -r .MAX_BODY_SIZE $DOMAIN_SOURCE)
DEBUG=$(jq -r .DEBUG $DOMAIN_SOURCE) DEBUG=$(jq -r .DEBUG $DOMAIN_SOURCE)
ALLOWED_NETWORK=$(jq -r '.ALLOWED_NETWORK | select(.!="null") | join(" ")' $DOMAIN_SOURCE) ALLOWED_NETWORK=$(jq -r '.ALLOWED_NETWORK | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
OPERATION=$(jq -r '.OPERATION' $DOMAIN_SOURCE) OPERATION=$(jq -r '.OPERATION' $DOMAIN_SOURCE)
BASIC_AUTH=$(jq -r .BASIC_AUTH $DOMAIN_SOURCE)
ALTERNATE_LOCATION_PATH=$(jq -r .ALTERNATE_LOCATION_PATH $DOMAIN_SOURCE) ALTERNATE_LOCATION_PATH=$(jq -r .ALTERNATE_LOCATION_PATH $DOMAIN_SOURCE)
LOCAL_NAME=$(jq -r .LOCAL_NAME $DOMAIN_SOURCE 2>/dev/null); LOCAL_NAME=$(jq -r .LOCAL_NAME $DOMAIN_SOURCE 2>/dev/null)
if [[ "$LOCAL_NAME" == "" || "$LOCAL_NAME" == "null" ]]; then if [[ "$LOCAL_NAME" == "" || "$LOCAL_NAME" == "null" ]]; then
LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null); LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null)
fi fi
RELOAD_LOCATIONS=""
if [ -n "$2" ]; then if [ -n "$2" ] || [ "$OPERATION" == "DELETE" ]; then
echo "$DOMAIN_NAME DELETED"; echo "$DOMAIN_NAME DELETED"
rm $DOMAIN_NAME.conf; rm $DOMAIN_NAME.conf
exit; exit
fi fi
add_alternate_location() { add_alternate_location() {
{ {
cat $DOMAIN_NAME.conf | head -n -1 cat $DOMAIN_NAME.conf | head -n -1
add_location; add_location
echo "}" echo "}"
} >> "$file" } >>"$file"
} }
add_location() { add_location() {
if [[ "$ALTERNATE_LOCATION_PATH" != "" ]]; then if [[ "$ALTERNATE_LOCATION_PATH" != "" ]]; then
ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE) ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE)
ALP_IDX=$(( $ALP_IDX - 1 )) ALP_IDX=$(($ALP_IDX - 1))
for i in $(seq 0 $ALP_IDX) ; for i in $(seq 0 $ALP_IDX); do
do ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE)
ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE)
ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH); ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH)
ALP_LOCAL_NAME=$(echo $ALP | jq -rc .LOCAL_NAME); ALP_LOCAL_NAME=$(echo $ALP | jq -rc .LOCAL_NAME)
ALP_LOCAL_PORT=$(echo $ALP | jq -rc .LOCAL_PORT); ALP_LOCAL_PORT=$(echo $ALP | jq -rc .LOCAL_PORT)
ALP_LOCAL_ALLOWED_NETWORK=$(echo $ALP | jq -rc '.LOCAL_ALLOWED_NETWORK | select(.!="null") | join(" ")'); ALP_LOCAL_ALLOWED_NETWORK=$(echo $ALP | jq -rc '.LOCAL_ALLOWED_NETWORK | select(.!="null") | join(" ")')
# do not duplicate locations # do not duplicate locations
EXISTS=$(grep -rn "location /$ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf); EXISTS=$(grep -rn "location $ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf)
if [ -n "$EXISTS" ]; then if [ -n "$EXISTS" ]; then
# skip if exists ROW_NUMBER=$(echo $EXISTS | cut -d ':' -f1)
continue; START=$(($ROW_NUMBER + 2))
fi; OFFSET=$(tail -n+$START $DOMAIN_NAME.conf | grep -n '}' -m 1 | cut -d ':' -f1)
OFFSET=$(($OFFSET - 2))
ALP_ALLOWED=$(echo $(tail -n+$START $DOMAIN_NAME.conf | head -n $OFFSET | awk '{print $2}')) # echo removes space at the end
if [ "$ALP_LOCAL_ALLOWED_NETWORK" != "$ALP_ALLOWED" ]; then
RELOAD_LOCATIONS=$RELOAD_LOCATIONS$ALP_LOCAL_PATH" "
fi
# skip if exists
continue
fi
if [[ "$ALP_LOCAL_NAME" = "" ]]; then if [[ "$ALP_LOCAL_NAME" = "" ]]; then
ALP_LOCAL_NAME=$LOCAL_NAME ALP_LOCAL_NAME=$LOCAL_NAME
fi; fi
if [[ "$ALP_LOCAL_PORT" = "" ]]; then if [[ "$ALP_LOCAL_PORT" = "" ]]; then
ALP_LOCAL_PORT=$HTTP_PORT ALP_LOCAL_PORT=$HTTP_PORT
fi; fi
echo "location $ALP_LOCAL_PATH {" echo "location $ALP_LOCAL_PATH {"
if [[ "$ALP_LOCAL_ALLOWED_NETWORK" != "" ]]; then if [ "$BASIC_AUTH" == "TRUE" ]; then
echo ' auth_basic "SAFEBOX AUTHORIZATION";
auth_basic_user_file htpasswd;
'
fi
for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK) ; do if [[ "$ALP_LOCAL_ALLOWED_NETWORK" != "" ]]; then
echo " allow "$i";" echo " limit_except GET HEAD {"
done for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK); do
echo " deny all;" echo " allow $i"
fi done
echo " deny all;"
echo " }"
fi
if [[ "$ALP_LOCAL_PORT" != "" ]]; then if [[ "$ALP_LOCAL_PORT" != "" ]]; then
echo " proxy_pass http://$ALP_LOCAL_NAME:$ALP_LOCAL_PORT;" echo " proxy_pass http://$ALP_LOCAL_NAME:$ALP_LOCAL_PORT/;"
else else
echo " proxy_pass http://$ALP_LOCAL_NAME:80;" echo " proxy_pass http://$ALP_LOCAL_NAME:80;"
fi fi
echo " proxy_set_header Host "'$http_host'"; echo " proxy_set_header Host "'$http_host'";
proxy_set_header X-Real-IP "'$remote_addr'"; proxy_set_header X-Real-IP "'$remote_addr'";
proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'"; proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'";
proxy_set_header X-Forwarded-Proto "'$scheme'"; proxy_set_header X-Forwarded-Proto "'$scheme'";
@@ -100,141 +116,128 @@ add_location() {
proxy_read_timeout 300; proxy_read_timeout 300;
proxy_next_upstream off;" proxy_next_upstream off;"
if [[ "$DEBUG" != "true" ]]; then if [[ "$DEBUG" != "true" ]]; then
echo " access_log off;" echo " access_log off;"
fi fi
echo " proxy_redirect off;" echo " proxy_redirect off;"
echo " proxy_buffering off;" echo " proxy_buffering off;"
echo "}" echo "}"
echo "# location end" echo "# location end"
done; done
fi; fi
} }
remove_alternate_location() { remove_alternate_location() {
if [[ "$ALTERNATE_LOCATION_PATH" != "" ]]; then if [[ "$ALTERNATE_LOCATION_PATH" != "" ]]; then
ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE) ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE)
ALP_IDX=$(( $ALP_IDX - 1 )) ALP_IDX=$(($ALP_IDX - 1))
for i in $(seq 0 $ALP_IDX) ; for i in $(seq 0 $ALP_IDX); do
do ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE)
ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE) ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH)
ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH); remove_location $ALP_LOCAL_PATH
remove_location $ALP_LOCAL_PATH done
done; fi
fi;
} }
remove_location() { remove_location() {
local LOCATION=$1 local LOCATION=$1
LOCATION_ROW="location /$LOCATION {"; LOCATION_ROW="location $LOCATION {"
ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1); ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1)
OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1); if [ -n "$ROW_NUMBER" ]; then
START=$(($ROW_NUMBER - 1)); OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1)
END=$(($ROW_NUMBER + $OFFSET)); START=$(($ROW_NUMBER - 1))
END=$(($ROW_NUMBER + $OFFSET))
{ {
head -n$START $DOMAIN_NAME.conf head -n$START $DOMAIN_NAME.conf
tail -n+$END $DOMAIN_NAME.conf tail -n+$END $DOMAIN_NAME.conf
} >> $file } >>$file
mv $file $DOMAIN_NAME.conf; mv $file $DOMAIN_NAME.conf
fi
} }
file="/tmp/$DOMAIN.conf"
# check whether certificates exist or not
echo "created domain name: "$DOMAIN_NAME;
#cp -a /scripts/nginx_template.conf /tmp/$DOMAIN.conf
# if domain already exists as a config file append alternate location there
if [ -f $DOMAIN_NAME.conf ]; then
if [ "$OPERATION" = "DELETE" ]; then
remove_alternate_location;
elif [ "$OPERATION" = "MODIFY" ]; then
remove_alternate_location;
add_alternate_location;
else
# default CREATE, append location
add_alternate_location;
fi;
else
# create new nginx config # create new nginx config
{ create_new_config() {
{
if [[ "$HTTP_PORT" != "80" ]]; then REGENERATE="$1"
echo "server {
if [[ "$HTTP_PORT" != "80" ]]; then
echo "server {
listen 80 proxy_protocol;" listen 80 proxy_protocol;"
if [[ "$ALIASES_HTTP" != "" ]]; then if [[ "$ALIASES_HTTP" != "" ]]; then
echo "server_name $DOMAIN_NAME $ALIASES_HTTP;" echo "server_name $DOMAIN_NAME $ALIASES_HTTP;"
else else
echo "server_name $DOMAIN_NAME;" echo "server_name $DOMAIN_NAME;"
fi fi
echo "set_real_ip_from 0.0.0.0/0; echo "set_real_ip_from 0.0.0.0/0;
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
rewrite_log on; rewrite_log on;
return 301 https://$DOMAIN_NAME; return 301 https://$DOMAIN_NAME;
}" }"
fi fi
if [[ "$HTTP_PORT" != "" && "$HTTP_PORT" != "80" ]]; then if [[ "$HTTP_PORT" != "" && "$HTTP_PORT" != "80" ]]; then
echo "server { echo "server {
listen $HTTP_PORT proxy_protocol; listen $HTTP_PORT proxy_protocol;
set_real_ip_from 0.0.0.0/0; set_real_ip_from 0.0.0.0/0;
real_ip_header proxy_protocol;" real_ip_header proxy_protocol;"
if [[ "$ALIASES_HTTP" != "" ]]; then if [[ "$ALIASES_HTTP" != "" ]]; then
echo "server_name $DOMAIN_NAME $ALIASES_HTTP;" echo "server_name $DOMAIN_NAME $ALIASES_HTTP;"
else else
echo "server_name $DOMAIN_NAME;" echo "server_name $DOMAIN_NAME;"
fi fi
if [[ "$MAX_BODY_SIZE" != "" ]]; then if [[ "$MAX_BODY_SIZE" != "" ]]; then
echo "client_max_body_size "$MAX_BODY_SIZE";" echo "client_max_body_size "$MAX_BODY_SIZE";"
else else
echo "client_max_body_size 0;" echo "client_max_body_size 0;"
fi fi
echo "rewrite_log on;" echo "rewrite_log on;"
if [[ "$REDIRECT_HTTP" != "" ]]; then
echo "return 301 $REDIRECT_HTTP;"
elif [[ "$HTTP_PORT" == "" ]]; then
echo "return 301 https://"$DOMAIN_NAME
if [[ "$REDIRECT_HTTP" != "" ]] ; then else
echo "return 301 $REDIRECT_HTTP;" echo "location / {"
elif [[ "$HTTP_PORT" == "" ]]; then
echo "return 301 https://"$DOMAIN_NAME;
else if [ "$BASIC_AUTH" == "TRUE" ]; then
echo "location / {" echo ' auth_basic "SAFEBOX AUTHORIZATION";
auth_basic_user_file htpasswd;
'
fi
if [[ "$ALLOWED_NETWORK" != "" ]]; then if [[ "$ALLOWED_NETWORK" != "" ]]; then
ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE) ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
ALLOWED_NETWORK_IDX=$(( $ALLOWED_NETWORK_IDX - 1 )) ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1))
for i in $(seq 0 $ALLOWED_NETWORK_IDX) ; do echo " limit_except GET HEAD {"
AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE) for i in $(seq 0 $ALLOWED_NETWORK_IDX); do
echo " allow "$AN";" AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
done echo " allow "$AN";"
echo " deny all;" done
fi echo " deny all;"
echo " }"
fi
if [[ "$HTTP_PORT" != "" ]]; then if [[ "$HTTP_PORT" != "" ]]; then
echo " proxy_pass http://$LOCAL_NAME:$HTTP_PORT;" echo " proxy_pass http://$LOCAL_NAME:$HTTP_PORT;"
fi fi
echo " proxy_set_header Host "'$http_host'"; echo " proxy_set_header Host "'$http_host'";
proxy_set_header X-Real-IP "'$remote_addr'"; proxy_set_header X-Real-IP "'$remote_addr'";
proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'"; proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'";
proxy_set_header X-Forwarded-Proto "'$scheme'"; proxy_set_header X-Forwarded-Proto "'$scheme'";
@@ -242,95 +245,102 @@ if [[ "$HTTP_PORT" != "" && "$HTTP_PORT" != "80" ]]; then
proxy_cookie_path / /; proxy_cookie_path / /;
proxy_set_header Connection "'$http_connection'" ;" proxy_set_header Connection "'$http_connection'" ;"
if [[ "$DEBUG" != "true" ]]; then if [[ "$DEBUG" != "true" ]]; then
echo " access_log off;" echo " access_log off;"
fi fi
echo " proxy_redirect off;" echo " proxy_redirect off;"
echo " proxy_buffering off;" echo " proxy_buffering off;"
echo "}" echo "}"
if [[ "$ERROR_PAGE" != "" && "$HTTP_PORT" != "" ]]; then if [[ "$ERROR_PAGE" != "" && "$HTTP_PORT" != "" ]]; then
echo "error_page 404 /$ERROR_PAGE; echo "error_page 404 /$ERROR_PAGE;
location = /$ERROR_PAGE { location = /$ERROR_PAGE {
root html; root html;
allow all; allow all;
index 404.html; index 404.html;
rewrite ^ "'$scheme'" http://$ERROR_PAGE"'$request_uri'" permanent; rewrite ^ "'$scheme'" http://$ERROR_PAGE"'$request_uri'" permanent;
}" }"
fi fi
fi fi
echo "}" echo "}"
fi fi
if [[ "$HTTPS_PORT" != "" ]]; then if [[ "$HTTPS_PORT" != "" ]]; then
echo "server { echo "server {
listen 443 ssl proxy_protocol; listen 443 ssl proxy_protocol;
set_real_ip_from 0.0.0.0/0; set_real_ip_from 0.0.0.0/0;
real_ip_header proxy_protocol;" real_ip_header proxy_protocol;"
if [[ "$ALIASES_HTTPS" != "" ]]; then if [[ "$ALIASES_HTTPS" != "" ]]; then
echo "server_name $DOMAIN_NAME $ALIASES_HTTPS;" echo "server_name $DOMAIN_NAME $ALIASES_HTTPS;"
else else
echo "server_name $DOMAIN_NAME;" echo "server_name $DOMAIN_NAME;"
fi fi
if [[ "$MAX_BODY_SIZE" != "" ]]; then if [[ "$MAX_BODY_SIZE" != "" ]]; then
echo "client_max_body_size "$MAX_BODY_SIZE";" echo "client_max_body_size "$MAX_BODY_SIZE";"
else else
echo "client_max_body_size 0;" echo "client_max_body_size 0;"
fi fi
echo "rewrite_log on; echo "rewrite_log on;
proxy_ssl_server_name on; proxy_ssl_server_name on;
ssl_dhparam /etc/ssl/keys/$DOMAIN_NAME/dhparam.pem;" ssl_dhparam /etc/ssl/keys/$DOMAIN_NAME/dhparam.pem;"
if [ "$GENERATE_CERTIFICATE" == "true" ]; then if [ "$GENERATE_CERTIFICATE" == "true" ]; then
echo "ssl_certificate /etc/ssl/keys/$DOMAIN_NAME/fullchain.pem; echo "ssl_certificate /etc/ssl/keys/$DOMAIN_NAME/fullchain.pem;
ssl_certificate_key /etc/ssl/keys/$DOMAIN_NAME/key.pem;" ssl_certificate_key /etc/ssl/keys/$DOMAIN_NAME/key.pem;"
else else
echo "ssl_certificate /etc/ssl/keys/fullchain.pem; echo "ssl_certificate /etc/ssl/keys/fullchain.pem;
ssl_certificate_key /etc/ssl/keys/key.pem;" ssl_certificate_key /etc/ssl/keys/key.pem;"
fi fi
echo "ssl_protocols TLSv1 TLSv1.1 TLSv1.2; echo "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_ciphers "'"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !kDHE"'"; ssl_ciphers "'"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !kDHE"'";
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_stapling on;" ssl_stapling on;"
if [[ "$ERROR_PAGE" != "" && "$HTTPS_PORT" != "" ]]; then
if [[ "$ERROR_PAGE" != "" && "$HTTPS_PORT" != "" ]]; then echo "error_page 404 /$ERROR_PAGE;
echo "error_page 404 /$ERROR_PAGE;
location = /$ERROR_PAGE { location = /$ERROR_PAGE {
root html; root html;
allow all; allow all;
index 404.html; index 404.html;
rewrite ^ "'$scheme' "http://$ERROR_PAGE"'$request_uri'" permanent; rewrite ^ "'$scheme' "http://$ERROR_PAGE"'$request_uri'" permanent;
}" }"
fi fi
if [[ "$REDIRECT_HTTPS" != "" ]]; then if [[ "$REDIRECT_HTTPS" != "" ]]; then
echo "return 301 $REDIRECT_HTTPS;" echo "return 301 $REDIRECT_HTTPS;"
else else
echo "location / {" echo "location / {"
if [[ "$ALLOWED_NETWORK" != "" ]]; then if [ "$BASIC_AUTH" == "TRUE" ]; then
ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE) echo ' auth_basic "SAFEBOX AUTHORIZATION";
ALLOWED_NETWORK_IDX=$(( $ALLOWED_NETWORK_IDX - 1 )) auth_basic_user_file htpasswd;
'
fi
for i in $(seq 0 $ALLOWED_NETWORK_IDX) ; do if [[ "$ALLOWED_NETWORK" != "" ]]; then
AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE) ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
echo " allow "$AN";" ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1))
done
echo " deny all;"
fi
echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"
echo " proxy_set_header Host "'$http_host'"; echo " limit_except GET HEAD {"
for i in $(seq 0 $ALLOWED_NETWORK_IDX); do
AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
echo " allow "$AN";"
done
echo " deny all;"
echo " }"
fi
echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"
echo " proxy_set_header Host "'$http_host'";
proxy_set_header X-Real-IP "'$remote_addr'"; proxy_set_header X-Real-IP "'$remote_addr'";
proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'"; proxy_set_header X-Forwarded-For "'$proxy_add_x_forwarded_for'";
proxy_set_header X-Forwarded-Proto "'$scheme'"; proxy_set_header X-Forwarded-Proto "'$scheme'";
@@ -342,30 +352,89 @@ echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"
proxy_read_timeout 300; proxy_read_timeout 300;
proxy_next_upstream off;" proxy_next_upstream off;"
if [[ "$DEBUG" != "true" ]]; then if [[ "$DEBUG" != "true" ]]; then
echo " access_log off;" echo " access_log off;"
fi fi
echo " proxy_redirect off;" echo " proxy_redirect off;"
echo " proxy_buffering off;" echo " proxy_buffering off;"
echo "}" echo "}"
add_location; echo "# first location end"
fi add_location
echo "}" fi
fi if [ "$REGENERATE" == "" ]; then
echo "}"
fi
} >> "$file" fi
fi; # end of create new nginx config } >>"$file"
}
regenerate_config() {
mv $file $DOMAIN_NAME.conf
# regenerates nginx config into $file
create_new_config "regenerate"
# append existing alternate locations to new config file
OFFSET=$(cat $DOMAIN_NAME.conf | grep -n '# first location end' -m 1 | cut -d ':' -f1)
OFFSET=$(($OFFSET + 1))
{
tail -n+$OFFSET $DOMAIN_NAME.conf
} >>$file
}
file="/tmp/$DOMAIN_NAME.conf"
# check whether certificates exist or not
echo "created domain name: "$DOMAIN_NAME
#cp -a /scripts/nginx_template.conf /tmp/$DOMAIN.conf
# if domain already exists as a config file append alternate location there
if [ -f $DOMAIN_NAME.conf ]; then
if [ "$OPERATION" = "DELETE" ]; then
remove_alternate_location
elif [ "$OPERATION" = "MODIFY" ]; then
# must be before create_new_config
remove_alternate_location
add_alternate_location
regenerate_config
else
# default CREATE, append location
add_alternate_location
regenerate_config
# reload alternate locations if allowed networks has changed
if [ -n "$RELOAD_LOCATIONS" ]; then
rm $file
remove_alternate_location
add_alternate_location
fi
fi
else
# rewrite operation if nginx config file doesn't exists
OPERATION="CREATE"
create_new_config
fi # end of create new nginx config
if [ "$OPERATION" != "DELETE" ]; then if [ "$OPERATION" != "DELETE" ]; then
mv $file $DOMAIN_NAME.conf; mv $file $DOMAIN_NAME.conf
fi; fi
echo "$DOMAIN" >> new_config echo "$DOMAIN" >>new_config
if [ "$HTTPS_PORT" != "" ]; then if [ "$HTTPS_PORT" != "" ]; then
/scripts/check_certificates.sh "$DOMAIN_NAME"; /scripts/check_certificates.sh "$DOMAIN_NAME" &
fi fi

2
scripts/scheduler.sh
View File

@@ -17,7 +17,7 @@ mkdir -p $CERT_DIR
unset IFS unset IFS
inotifywait --exclude .sw -m -e CREATE,CLOSE_WRITE,DELETE,MOVED_TO -r $DOMAIN_DIR $CERT_DIR $PROXY_CONFIG_DIR | \ inotifywait --exclude "\.(swp|tmp)" -m -e CREATE,CLOSE_WRITE,DELETE,MOVED_TO -r $DOMAIN_DIR $CERT_DIR $PROXY_CONFIG_DIR | \
while read dir op file while read dir op file
do do