safebox/proxy-scheduler
7
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: safebox:86d57693f6579deda8b04613ed5cd17b155aca31
Branches Tags
safebox:master
...
compare: safebox:master
Branches Tags
safebox:master

18 Commits
86d57693f6 ... master

Author SHA1 Message Date
gyurix
c3d881122c Run certificate check in the background during Nginx config creation
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-07-31 11:48:01 +02:00
gyurix
b5676c8ce6 Allow domain configuration deletion in Nginx script
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-05-26 12:29:33 +02:00
gyurix
8f23ff58ac Update basic authentication messages in Nginx configuration script
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-21 10:33:00 +02:00
gyurix
18ff17af6a Enhance error handling in certificate generation and improve logging for better debugging
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-21 09:42:47 +02:00
gyurix
61047a8913 Add BUILDKIT_NO_HTTP2 environment variable and improve domain check logging in certificate script
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-15 09:29:42 +02:00
gyurix
67ea15291c Increase restart attempts in proxy configuration and add domain check logging in certificate script
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-15 08:31:25 +02:00
gyurix
9ebbed0696 Restrict certificate generation to non-localhost domains
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-04-14 12:20:01 +02:00
Gyorgy Berenyi
0c841706a8 Update letsencrypt.json
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-30 06:44:12 +00:00
gyurix
4b86c3067f Update LETSENCRYPT_OUTPUT initialization to use empty JSON object for improved structure
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-18 08:58:19 +01:00
gyurix
c402e960be Refactor JSON handling in check_certificates.sh to simplify domain entry updates
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-15 00:20:02 +01:00
gyurix
6f2a6ed610 Refactor JSON creation in check_certificates.sh to use from_entries for improved data structure
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-14 20:37:53 +01:00
gyurix
6359f9a4cf Refactor JSON output structure in check_certificates.sh for improved data handling
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-14 18:15:40 +01:00
gyurix
9073684f44 Remove base64 encoding of log content in check_certificates.sh for improved clarity
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-13 08:39:01 +01:00
gyurix
9a96b891f8 Enhance check_certificates.sh to initialize output file and improve JSON handling for domain status logging
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-12 23:12:12 +01:00
Gyorgy Berenyi
bf94d01c0f Update scripts/check_certificates.sh
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-12 20:05:33 +00:00
gyurix
3100110e23 adding debug volume and log conent
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-03-12 07:52:12 +01:00
gyurix
ba3be0fbd0 merged
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Merge branch 'master' of https://git.format.hu/format/proxy-scheduler
 2025-03-05 23:06:03 +01:00
gyurix
3dded502e7 update letsencrypt and firewall configurations to use 'safebox' registry and improve formatting 2025-03-05 23:05:39 +01:00
7 changed files with 686 additions and 591 deletions
Expand all files Collapse all files

2
.drone.yml
View File

@@ -17,6 +17,8 @@ steps:
- name: build multiarch proxy-scheduler - name: build multiarch proxy-scheduler
image: docker.io/owncloudci/drone-docker-buildx:4 image: docker.io/owncloudci/drone-docker-buildx:4
privileged: true privileged: true
environment:
BUILDKIT_NO_HTTP2: "1"
settings: settings:
cache-from: [ "registry.dev.format.hu/proxy-scheduler" ] cache-from: [ "registry.dev.format.hu/proxy-scheduler" ]
registry: registry.dev.format.hu registry: registry.dev.format.hu

38
firewall-letsencrypt.json
View File

@@ -5,7 +5,7 @@
}, },
"containers": [ "containers": [
{ {
"IMAGE": "registry.format.hu/firewall", "IMAGE": "safebox/firewall",
"NAME": "firewall", "NAME": "firewall",
"MEMORY": "64M", "MEMORY": "64M",
"NETWORK": "host", "NETWORK": "host",
@@ -29,17 +29,35 @@
], ],
"PORTS": [], "PORTS": [],
"READYNESS": [ "READYNESS": [
{"tcp": ""}, {
{"HTTP": ""}, "tcp": ""
{"EXEC": "/ready.sh"} },
{
"HTTP": ""
},
{
"EXEC": "/ready.sh"
}
], ],
"ENVS": [ "ENVS": [
{ "CHAIN": "DOCKER-USER" }, {
{ "SOURCE": "smarthostloadbalancer" }, "CHAIN": "DOCKER-USER"
{ "TARGET": "letsencrypt" }, },
{ "TYPE": "tcp" }, {
{ "TARGET_PORT": "80" }, "SOURCE": "smarthostloadbalancer"
{ "COMMENT": "letsencrypt" } },
{
"TARGET": "letsencrypt"
},
{
"TYPE": "tcp"
},
{
"TARGET_PORT": "80"
},
{
"COMMENT": "letsencrypt"
}
], ],
"EXTRA": "--privileged --rm", "EXTRA": "--privileged --rm",
"DEPEND": "null", "DEPEND": "null",

29
letsencrypt.json
View File

@@ -14,17 +14,22 @@
], ],
"containers": [ "containers": [
{ {
"IMAGE": "registry.format.hu/letsencrypt", "IMAGE": "safebox/letsencrypt",
"NAME": "letsencrypt", "NAME": "letsencrypt",
"MEMORY": "64M", "MEMORY": "64M",
"IP": "172.18.254.254", "IP": "172.18.254.254",
"NETWORK": "letsencrypt", "NETWORK": "letsencrypt",
"VOLUMES": [ "VOLUMES": [
{ {
"SOURCE": "/etc/system/ssl/keys/", "SOURCE": "/etc/system/data/ssl/keys/",
"DEST": "/acme.sh/", "DEST": "/acme.sh/",
"TYPE": "rw" "TYPE": "rw"
}, },
{
"SOURCE": "SHARED",
"DEST": "/var/tmp/shared",
"TYPE": "rw"
},
{ {
"SOURCE": "/etc/user/config/domains", "SOURCE": "/etc/user/config/domains",
"DEST": "/domains", "DEST": "/domains",
@@ -32,18 +37,28 @@
} }
], ],
"PORTS": [], "PORTS": [],
"ENV_FILES": [ "/etc/user/config/user.json" ], "ENV_FILES": [
"/etc/user/config/user.json"
],
"READYNESS": [ "READYNESS": [
{"tcp": ""}, {
{"HTTP": ""}, "tcp": ""
{"EXEC": "/ready.sh"} },
{
"HTTP": ""
},
{
"EXEC": "/ready.sh"
}
], ],
"EXTRA": "", "EXTRA": "",
"DEPEND": "null", "DEPEND": "null",
"START_ON_BOOT": "false", "START_ON_BOOT": "false",
"CMD": "null", "CMD": "null",
"PRE_START": "null", "PRE_START": "null",
"POST_START": [ "firewall-29eexhrh" ] "POST_START": [
"firewall-letsencrypt"
]
} }
] ]
} }

31
proxy-scheduler.json
View File

@@ -5,12 +5,17 @@
}, },
"containers": [ "containers": [
{ {
"IMAGE": "registry.format.hu/proxy-scheduler:latest", "IMAGE": "safebox/proxy-scheduler:latest",
"NAME": "proxy_scheduler-ifhiwhhg", "NAME": "proxy_scheduler",
"MEMORY": "64M", "MEMORY": "64M",
"IP": "null", "IP": "null",
"NETWORK": "host", "NETWORK": "host",
"VOLUMES": [ "VOLUMES": [
{
"SOURCE": "SHARED",
"DEST": "/var/tmp/shared",
"TYPE": "rw"
},
{ {
"SOURCE": "/etc/user/config/services", "SOURCE": "/etc/user/config/services",
"DEST": "/etc/user/config/services", "DEST": "/etc/user/config/services",
@@ -49,15 +54,25 @@
], ],
"PORTS": [], "PORTS": [],
"READYNESS": [ "READYNESS": [
{"tcp": ""}, {
{"HTTP": ""}, "tcp": ""
{"EXEC": "/ready.sh"} },
{
"HTTP": ""
},
{
"EXEC": "/ready.sh"
}
], ],
"ENVS": [ "ENVS": [],
"ENV_FILES": [
"/etc/system/config/proxy.json"
], ],
"ENV_FILES": [ "/etc/system/config/proxy.json" ],
"EXTRA": "null", "EXTRA": "null",
"DEPEND": [ "public-proxy.networks.loadbalancer", "public-proxy.containers.loadbalancer-27dhuwdh" ], "DEPEND": [
"public-proxy.networks.loadbalancer",
"public-proxy.containers.loadbalancer-27dhuwdh"
],
"START_ON_BOOT": "true", "START_ON_BOOT": "true",
"CMD": "null", "CMD": "null",
"PRE_START": "null", "PRE_START": "null",

6
proxy.json
View File

@@ -20,19 +20,19 @@
"COMMENT": "edeg3e98" "COMMENT": "edeg3e98"
}, },
"proxy_scheduler": { "proxy_scheduler": {
"DOCKER_REGISTRY_URL": "registry.format.hu", "DOCKER_REGISTRY_URL": "safebox",
"CERT_DIR": "/keys", "CERT_DIR": "/keys",
"DOMAIN_DIR": "/domains", "DOMAIN_DIR": "/domains",
"PROXY_SERVICE_FILE": "public-proxy.json", "PROXY_SERVICE_FILE": "public-proxy.json",
"PROXY_CONFIG_DIR": "/proxy_config", "PROXY_CONFIG_DIR": "/proxy_config",
"PROXY_TYPE": "haproxy", "PROXY_TYPE": "haproxy",
"TIMEOUT": "5", "TIMEOUT": "5",
"RESTART": "3", "RESTART": "10",
"ROLE": "backend-proxy", "ROLE": "backend-proxy",
"SERVICE_NAME": "public-proxy" "SERVICE_NAME": "public-proxy"
}, },
"proxy_scheduler_local": { "proxy_scheduler_local": {
"DOCKER_REGISTRY_URL": "registry.format.hu", "DOCKER_REGISTRY_URL": "safebox",
"PROXY_TYPE": "", "PROXY_TYPE": "",
"GENERATE_CERTIFICATE": "true", "GENERATE_CERTIFICATE": "true",
"LETSENCRYPT_URL": "letsencrypt.org", "LETSENCRYPT_URL": "letsencrypt.org",

127
scripts/check_certificates.sh
View File

@@ -14,7 +14,30 @@
TIMEOUT=$TIMEOUT TIMEOUT=$TIMEOUT
RESTART=$RESTART RESTART=$RESTART
SETUP_VERSION=${SETUP_VERSION:-latest}; SETUP_VERSION=${SETUP_VERSION:-latest}
LOG_DIR=/var/tmp/shared/output
LOG_FILE=$LOG_DIR/letsencrypt.txt
LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json
DATE=$(date +"%Y-%m-%d-%H-%M")
create_json() {
if [ ! -f $LETSENCRYPT_OUTPUT ]; then
install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
echo '{}' >$LETSENCRYPT_OUTPUT
fi
TMP_FILE=$(mktemp)
jq '
if . == null or . == [] then
{"'$DOMAIN'":{"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
else
. + {"'$DOMAIN'": {"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
end
' $LETSENCRYPT_OUTPUT >$TMP_FILE
cat $TMP_FILE >$LETSENCRYPT_OUTPUT
rm $TMP_FILE
}
# Setting service files path # Setting service files path
if [ "$SERVICE_FILES" == "" ]; then if [ "$SERVICE_FILES" == "" ]; then
@@ -27,10 +50,10 @@ fi
# Setup docker registry url path # Setup docker registry url path
if [[ -n "$DOCKER_REGISTRY_URL" && "$DOCKER_REGISTRY_URL" != "null" ]]; then if [[ -n "$DOCKER_REGISTRY_URL" && "$DOCKER_REGISTRY_URL" != "null" ]]; then
SETUP="/setup"; SETUP="/setup"
else else
SETUP="setup"; SETUP="setup"
DOCKER_REGISTRY_URL=""; DOCKER_REGISTRY_URL=""
fi fi
if [ "$SETUP_VERSION" == "latest" ]; then if [ "$SETUP_VERSION" == "latest" ]; then
@@ -40,7 +63,7 @@ if [ "$SETUP_VERSION" == "latest" ]; then
--mount src=USER_CONFIG,dst=/services,volume-subpath=services/tmp \ --mount src=USER_CONFIG,dst=/services,volume-subpath=services/tmp \
--mount src=USER_CONFIG,dst=/etc/user/config/system.json,volume-subpath=system.json,ro \ --mount src=USER_CONFIG,dst=/etc/user/config/system.json,volume-subpath=system.json,ro \
--mount src=USER_CONFIG,dst=/etc/user/config/user.json,volume-subpath=user.json,ro \ --mount src=USER_CONFIG,dst=/etc/user/config/user.json,volume-subpath=user.json,ro \
"; "
else else
VOLUME_MOUNTS=" VOLUME_MOUNTS="
-v /etc/system/data/dns:/etc/dns:rw \ -v /etc/system/data/dns:/etc/dns:rw \
@@ -50,7 +73,7 @@ else
-v /etc/user/config/services/:/services/:ro \ -v /etc/user/config/services/:/services/:ro \
-v /etc/user/config/services/tmp:/services/tmp:rw \ -v /etc/user/config/services/tmp:/services/tmp:rw \
" "
fi; fi
service_exec="docker run --rm \ service_exec="docker run --rm \
-w /services/ \ -w /services/ \
@@ -66,35 +89,36 @@ letsencrypt_certificates() {
for retries in $(seq 0 $((RESTART + 1))); do for retries in $(seq 0 $((RESTART + 1))); do
if [[ $retries -le $RESTART ]]; then if [[ $retries -le $RESTART ]]; then
LETS_ENCRYPT_VALUE="$(docker ps | grep letsencrypt | grep Up | wc -l)"; LETS_ENCRYPT_VALUE="$(docker ps | grep letsencrypt | grep Up | wc -l)"
if [[ $LETS_ENCRYPT_VALUE -eq 0 ]]; then if [[ $LETS_ENCRYPT_VALUE -eq 0 ]]; then
echo "Starting letsencrypt process"; echo "Starting letsencrypt process"
mkdir -p $SERVICE_FILES/tmp/tmp mkdir -p $SERVICE_FILES/tmp/tmp
cp -av /firewall-files/firewall-letsencrypt.json $SERVICE_FILES/tmp/; cp -av /firewall-files/firewall-letsencrypt.json $SERVICE_FILES/tmp/
LETSENCRYPT_TEMP_SERVICE_FILE=$(mktemp -p $SERVICE_FILES/tmp/); LETSENCRYPT_TEMP_SERVICE_FILE=$(mktemp -p $SERVICE_FILES/tmp/)
ENVS='[ ENVS='[
{"DOMAIN": "'$DOMAIN'"}, {"DOMAIN": "'$DOMAIN'"},
{"TIMEOUT": "'$TIMEOUT'"}, {"TIMEOUT": "'$TIMEOUT'"},
{"RESTART": "'$RESTART'"} {"RESTART": "'$RESTART'"}
]'; ]'
VOLUMES=' VOLUMES='
{ {
"SOURCE": "/etc/user/config/user.json", "SOURCE": "/etc/user/config/user.json",
"DEST": "/etc/user/config/user.json", "DEST": "/etc/user/config/user.json",
"TYPE": "ro" "TYPE": "ro"
} }
'; '
jq '.containers[0].ENVS |='"$ENVS"' | .containers[0].VOLUMES[.containers[0].VOLUMES|length]|='"$VOLUMES" $SERVICE_FILES/$LETSENCRYPT_SERVICE_NAME > $LETSENCRYPT_TEMP_SERVICE_FILE.json; jq '.containers[0].ENVS |='"$ENVS"' | .containers[0].VOLUMES[.containers[0].VOLUMES|length]|='"$VOLUMES" $SERVICE_FILES/$LETSENCRYPT_SERVICE_NAME >$LETSENCRYPT_TEMP_SERVICE_FILE.json
$service_exec $(basename $LETSENCRYPT_TEMP_SERVICE_FILE) start info prechecked; rm -v $SERVICE_FILES/tmp/firewall-letsencrypt.json ; $service_exec $(basename $LETSENCRYPT_TEMP_SERVICE_FILE) start info prechecked
break; rm -v $SERVICE_FILES/tmp/firewall-letsencrypt.json
break
else else
echo "Waiting "$TIMEOUT" second for previous letsencrypt process ending"; echo "Waiting "$TIMEOUT" second for previous letsencrypt process ending"
sleep $TIMEOUT; sleep $TIMEOUT
echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process." echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process."
fi fi
else else
echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate"; echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate"
fi fi
done done
@@ -108,10 +132,9 @@ create_self_signed_certificate() {
if [[ ! -f $DOMAIN_CERT_DIR/key.pem && ! -f $DOMAIN_CERT_DIR/fullchain.pem && ! -f $DOMAIN_CERT_DIR/cert.pem ]]; then if [[ ! -f $DOMAIN_CERT_DIR/key.pem && ! -f $DOMAIN_CERT_DIR/fullchain.pem && ! -f $DOMAIN_CERT_DIR/cert.pem ]]; then
# generate key # generate key
echo "No any certificates found, generate self signed"; echo "No any certificates found, generate self signed"
openssl req -x509 -newkey rsa:4096 -keyout $DOMAIN_CERT_DIR/key.pem -out $DOMAIN_CERT_DIR/cert.pem -days 365 -sha256 -nodes -subj "/CN=$DOMAIN"; openssl req -x509 -newkey rsa:4096 -keyout $DOMAIN_CERT_DIR/key.pem -out $DOMAIN_CERT_DIR/cert.pem -days 365 -sha256 -nodes -subj "/CN=$DOMAIN"
cp -a $DOMAIN_CERT_DIR/cert.pem $DOMAIN_CERT_DIR/fullchain.pem; cp -a $DOMAIN_CERT_DIR/cert.pem $DOMAIN_CERT_DIR/fullchain.pem
fi fi
@@ -119,66 +142,74 @@ create_self_signed_certificate() {
if [ ! -d "$DOMAIN_CERT_DIR" ]; then if [ ! -d "$DOMAIN_CERT_DIR" ]; then
echo "$DOMAIN not contains certificates, creates new." echo "$DOMAIN not contains certificates, creates new."
mkdir -p $DOMAIN_CERT_DIR; mkdir -p $DOMAIN_CERT_DIR
fi fi
if [ ! -f "$DOMAIN_CERT_DIR/dhparam.pem" ]; then if [ ! -f "$DOMAIN_CERT_DIR/dhparam.pem" ]; then
# generate dhparam file # generate dhparam file
openssl dhparam -dsaparam -out $DOMAIN_CERT_DIR/dhparam.pem 4096; openssl dhparam -dsaparam -out $DOMAIN_CERT_DIR/dhparam.pem 4096
create_self_signed_certificate; create_self_signed_certificate
PROXY_NAMES=""; PROXY_NAMES=""
# Check services with running containers by roles # Check services with running containers by roles
for CONTAINER in $(jq -r --arg ROLE $ROLE '.containers[] | select(.ROLES==$ROLE)' /$PROXY_SERVICE_FILE | jq -r .NAME); do for CONTAINER in $(jq -r --arg ROLE $ROLE '.containers[] | select(.ROLES==$ROLE)' /$PROXY_SERVICE_FILE | jq -r .NAME); do
PROXY_NAMES=$PROXY_NAMES" "$CONTAINER; PROXY_NAMES=$PROXY_NAMES" "$CONTAINER
done; done
for NAME in $(echo $PROXY_NAMES); do for NAME in $(echo $PROXY_NAMES); do
RUNNING_CONTAINER=$(docker ps | grep $NAME | grep Up); RUNNING_CONTAINER=$(docker ps | grep $NAME | grep Up)
if [ "$RUNNING_CONTAINER" != "" ]; then if [ "$RUNNING_CONTAINER" != "" ]; then
echo "Restarting $NAME"; echo "Restarting $NAME"
docker restart $NAME; docker restart $NAME
else else
echo "Starting $NAME"; echo "Starting $NAME"
docker start $NAME; docker start $NAME
fi; fi
docker ps |grep $NAME; docker ps | grep $NAME
done; done
fi fi
if [ "$GENERATE_CERTIFICATE" == "true" ]; then if [ "$GENERATE_CERTIFICATE" == "true" ] && [ "$DOMAIN" != "localhost" ]; then
CURL_CHECK="curl -s -o /dev/null -w "%{http_code}" https://$LETSENCRYPT_URL"; CURL_CHECK="curl -s -o /dev/null -w "%{http_code}" https://$LETSENCRYPT_URL"
if [[ "$(eval $CURL_CHECK)" == "200" ]]; then if [[ "$(eval $CURL_CHECK)" == "200" ]]; then
file="$DOMAIN_CERT_DIR/letsencrypt" file="$DOMAIN_CERT_DIR/letsencrypt"
{ {
echo "{ \"DOMAIN\": \"$DOMAIN\" }" echo "{ \"DOMAIN\": \"$DOMAIN\" }"
} >> "$file"; } >>"$file"
DOMAIN_CHECK="curl -s -o /dev/null -w "%{http_code}" http://$DOMAIN"; if [ ! -f $LETSENCRYPT_OUTPUT ]; then
install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
echo '{}' >$LETSENCRYPT_OUTPUT
fi
DOMAIN_CHECK="curl -s -o /dev/null -w "%{http_code}" http://$DOMAIN"
if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then
letsencrypt_certificates; echo "DOMAIN CHECK: $(eval $DOMAIN_CHECK)"
letsencrypt_certificates
echo "Started letsencrypt for domain: $DOMAIN first time" echo "Started letsencrypt for domain: $DOMAIN first time"
else else
echo "Not starting letsencrypt, waiting $TIMEOUT seconds" echo "Not starting letsencrypt, waiting $TIMEOUT seconds"
for retries in $(seq 0 $((RESTART + 1))); do for retries in $(seq 0 $((RESTART + 1))); do
if [[ $retries -le $RESTART ]]; then if [[ $retries -le $RESTART ]]; then
sleep $TIMEOUT; sleep $TIMEOUT
echo "Starting letsencrypt process again"; echo "Starting letsencrypt process again"
if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then
letsencrypt_certificates; echo "DOMAIN CHECK: $(eval $DOMAIN_CHECK)"
letsencrypt_certificates
echo "Started letsencrypt for domain: $DOMAIN second time" echo "Started letsencrypt for domain: $DOMAIN second time"
break; break
else else
echo "Waiting "$TIMEOUT" second for starting proxies"; echo "Waiting "$TIMEOUT" second for starting proxies"
sleep $TIMEOUT; sleep $TIMEOUT
echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process." echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process."
fi fi
else else
echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate"; LOG=$(echo "The domain '$DOMAIN' could not reachable. Reached retrying limit: '$RESTART', giving up to start lets encrypt process, try self sign the certificate" | base64 -w0)
STATUS="failed"
create_json $DOMAIN $STATUS "$LOG"
fi fi
done done

172
scripts/nginx_config_create.sh
View File

@@ -4,13 +4,13 @@ GENERATE_CERTIFICATE=$GENERATE_CERTIFICATE
cd /proxy_config cd /proxy_config
FILENAME="$1"; FILENAME="$1"
DOMAIN_SOURCE=/domains/$FILENAME DOMAIN_SOURCE=/domains/$FILENAME
#DOMAIN_SOURCE=./domains/$FILENAME #TEMP #DOMAIN_SOURCE=./domains/$FILENAME #TEMP
DOMAIN_NAME=$(jq -r .DOMAIN $DOMAIN_SOURCE) DOMAIN_NAME=$(jq -r .DOMAIN $DOMAIN_SOURCE)
HTTP_PORT=$(jq -r .HTTP_PORT $DOMAIN_SOURCE) HTTP_PORT=$(jq -r .HTTP_PORT $DOMAIN_SOURCE)
HTTPS_PORT=$(jq -r .HTTPS_PORT $DOMAIN_SOURCE); HTTPS_PORT=$(jq -r .HTTPS_PORT $DOMAIN_SOURCE)
ALIASES_HTTP=$(jq -r '.ALIASES_HTTP | select(.!="null") | join(" ")' $DOMAIN_SOURCE) ALIASES_HTTP=$(jq -r '.ALIASES_HTTP | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
ALIASES_HTTPS=$(jq -r '.ALIASES_HTTPS | select(.!="null") | join(" ")' $DOMAIN_SOURCE) ALIASES_HTTPS=$(jq -r '.ALIASES_HTTPS | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
REDIRECT_HTTP=$(jq -r .REDIRECT_HTTP $DOMAIN_SOURCE) REDIRECT_HTTP=$(jq -r .REDIRECT_HTTP $DOMAIN_SOURCE)
@@ -20,23 +20,24 @@ MAX_BODY_SIZE=$(jq -r .MAX_BODY_SIZE $DOMAIN_SOURCE)
DEBUG=$(jq -r .DEBUG $DOMAIN_SOURCE) DEBUG=$(jq -r .DEBUG $DOMAIN_SOURCE)
ALLOWED_NETWORK=$(jq -r '.ALLOWED_NETWORK | select(.!="null") | join(" ")' $DOMAIN_SOURCE) ALLOWED_NETWORK=$(jq -r '.ALLOWED_NETWORK | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
OPERATION=$(jq -r '.OPERATION' $DOMAIN_SOURCE) OPERATION=$(jq -r '.OPERATION' $DOMAIN_SOURCE)
BASIC_AUTH=$(jq -r .BASIC_AUTH $DOMAIN_SOURCE)
ALTERNATE_LOCATION_PATH=$(jq -r .ALTERNATE_LOCATION_PATH $DOMAIN_SOURCE) ALTERNATE_LOCATION_PATH=$(jq -r .ALTERNATE_LOCATION_PATH $DOMAIN_SOURCE)
LOCAL_NAME=$(jq -r .LOCAL_NAME $DOMAIN_SOURCE 2>/dev/null); LOCAL_NAME=$(jq -r .LOCAL_NAME $DOMAIN_SOURCE 2>/dev/null)
if [[ "$LOCAL_NAME" == "" || "$LOCAL_NAME" == "null" ]]; then if [[ "$LOCAL_NAME" == "" || "$LOCAL_NAME" == "null" ]]; then
LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null); LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null)
fi fi
RELOAD_LOCATIONS=""; RELOAD_LOCATIONS=""
if [ -n "$2" ]; then if [ -n "$2" ] || [ "$OPERATION" == "DELETE" ]; then
echo "$DOMAIN_NAME DELETED"; echo "$DOMAIN_NAME DELETED"
rm $DOMAIN_NAME.conf; rm $DOMAIN_NAME.conf
exit; exit
fi fi
add_alternate_location() { add_alternate_location() {
{ {
cat $DOMAIN_NAME.conf | head -n -1 cat $DOMAIN_NAME.conf | head -n -1
add_location; add_location
echo "}" echo "}"
} >>"$file" } >>"$file"
@@ -49,47 +50,52 @@ add_location() {
ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE) ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE)
ALP_IDX=$(($ALP_IDX - 1)) ALP_IDX=$(($ALP_IDX - 1))
for i in $(seq 0 $ALP_IDX) ; for i in $(seq 0 $ALP_IDX); do
do
ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE) ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE)
ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH); ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH)
ALP_LOCAL_NAME=$(echo $ALP | jq -rc .LOCAL_NAME); ALP_LOCAL_NAME=$(echo $ALP | jq -rc .LOCAL_NAME)
ALP_LOCAL_PORT=$(echo $ALP | jq -rc .LOCAL_PORT); ALP_LOCAL_PORT=$(echo $ALP | jq -rc .LOCAL_PORT)
ALP_LOCAL_ALLOWED_NETWORK=$(echo $ALP | jq -rc '.LOCAL_ALLOWED_NETWORK | select(.!="null") | join(" ")'); ALP_LOCAL_ALLOWED_NETWORK=$(echo $ALP | jq -rc '.LOCAL_ALLOWED_NETWORK | select(.!="null") | join(" ")')
# do not duplicate locations # do not duplicate locations
EXISTS=$(grep -rn "location $ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf); EXISTS=$(grep -rn "location $ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf)
if [ -n "$EXISTS" ]; then if [ -n "$EXISTS" ]; then
ROW_NUMBER=$(echo $EXISTS | cut -d ':' -f1); ROW_NUMBER=$(echo $EXISTS | cut -d ':' -f1)
START=$(($ROW_NUMBER + 2)); START=$(($ROW_NUMBER + 2))
OFFSET=$(tail -n+$START $DOMAIN_NAME.conf | grep -n '}' -m 1 | cut -d ':' -f1); OFFSET=$(tail -n+$START $DOMAIN_NAME.conf | grep -n '}' -m 1 | cut -d ':' -f1)
OFFSET=$(($OFFSET - 2)); OFFSET=$(($OFFSET - 2))
ALP_ALLOWED=$(echo $(tail -n+$START $DOMAIN_NAME.conf | head -n $OFFSET | awk '{print $2}')); # echo removes space at the end ALP_ALLOWED=$(echo $(tail -n+$START $DOMAIN_NAME.conf | head -n $OFFSET | awk '{print $2}')) # echo removes space at the end
if [ "$ALP_LOCAL_ALLOWED_NETWORK" != "$ALP_ALLOWED" ]; then if [ "$ALP_LOCAL_ALLOWED_NETWORK" != "$ALP_ALLOWED" ]; then
RELOAD_LOCATIONS=$RELOAD_LOCATIONS$ALP_LOCAL_PATH" " RELOAD_LOCATIONS=$RELOAD_LOCATIONS$ALP_LOCAL_PATH" "
fi; fi
# skip if exists # skip if exists
continue; continue
fi; fi
if [[ "$ALP_LOCAL_NAME" = "" ]]; then if [[ "$ALP_LOCAL_NAME" = "" ]]; then
ALP_LOCAL_NAME=$LOCAL_NAME ALP_LOCAL_NAME=$LOCAL_NAME
fi; fi
if [[ "$ALP_LOCAL_PORT" = "" ]]; then if [[ "$ALP_LOCAL_PORT" = "" ]]; then
ALP_LOCAL_PORT=$HTTP_PORT ALP_LOCAL_PORT=$HTTP_PORT
fi; fi
echo "location $ALP_LOCAL_PATH {" echo "location $ALP_LOCAL_PATH {"
if [ "$BASIC_AUTH" == "TRUE" ]; then
echo ' auth_basic "SAFEBOX AUTHORIZATION";
auth_basic_user_file htpasswd;
'
fi
if [[ "$ALP_LOCAL_ALLOWED_NETWORK" != "" ]]; then if [[ "$ALP_LOCAL_ALLOWED_NETWORK" != "" ]]; then
echo " limit_except GET HEAD {"; echo " limit_except GET HEAD {"
for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK); do for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK); do
echo " allow $i"; echo " allow $i"
done; done
echo " deny all;"; echo " deny all;"
echo " }"; echo " }"
fi fi
if [[ "$ALP_LOCAL_PORT" != "" ]]; then if [[ "$ALP_LOCAL_PORT" != "" ]]; then
@@ -117,8 +123,8 @@ add_location() {
echo " proxy_buffering off;" echo " proxy_buffering off;"
echo "}" echo "}"
echo "# location end" echo "# location end"
done; done
fi; fi
} }
@@ -129,32 +135,31 @@ remove_alternate_location() {
ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE) ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE)
ALP_IDX=$(($ALP_IDX - 1)) ALP_IDX=$(($ALP_IDX - 1))
for i in $(seq 0 $ALP_IDX) ; for i in $(seq 0 $ALP_IDX); do
do
ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE) ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE)
ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH); ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH)
remove_location $ALP_LOCAL_PATH remove_location $ALP_LOCAL_PATH
done; done
fi; fi
} }
remove_location() { remove_location() {
local LOCATION=$1 local LOCATION=$1
LOCATION_ROW="location $LOCATION {"; LOCATION_ROW="location $LOCATION {"
ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1); ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1)
if [ -n "$ROW_NUMBER" ]; then if [ -n "$ROW_NUMBER" ]; then
OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1); OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1)
START=$(($ROW_NUMBER - 1)); START=$(($ROW_NUMBER - 1))
END=$(($ROW_NUMBER + $OFFSET)); END=$(($ROW_NUMBER + $OFFSET))
{ {
head -n$START $DOMAIN_NAME.conf head -n$START $DOMAIN_NAME.conf
tail -n+$END $DOMAIN_NAME.conf tail -n+$END $DOMAIN_NAME.conf
} >>$file } >>$file
mv $file $DOMAIN_NAME.conf; mv $file $DOMAIN_NAME.conf
fi; fi
} }
# create new nginx config # create new nginx config
@@ -201,26 +206,31 @@ if [[ "$HTTP_PORT" != "" && "$HTTP_PORT" != "80" ]]; then
echo "rewrite_log on;" echo "rewrite_log on;"
if [[ "$REDIRECT_HTTP" != "" ]]; then if [[ "$REDIRECT_HTTP" != "" ]]; then
echo "return 301 $REDIRECT_HTTP;" echo "return 301 $REDIRECT_HTTP;"
elif [[ "$HTTP_PORT" == "" ]]; then elif [[ "$HTTP_PORT" == "" ]]; then
echo "return 301 https://"$DOMAIN_NAME; echo "return 301 https://"$DOMAIN_NAME
else else
echo "location / {" echo "location / {"
if [ "$BASIC_AUTH" == "TRUE" ]; then
echo ' auth_basic "SAFEBOX AUTHORIZATION";
auth_basic_user_file htpasswd;
'
fi
if [[ "$ALLOWED_NETWORK" != "" ]]; then if [[ "$ALLOWED_NETWORK" != "" ]]; then
ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE) ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1)) ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1))
echo " limit_except GET HEAD {"; echo " limit_except GET HEAD {"
for i in $(seq 0 $ALLOWED_NETWORK_IDX); do for i in $(seq 0 $ALLOWED_NETWORK_IDX); do
AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE) AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
echo " allow "$AN";" echo " allow "$AN";"
done done
echo " deny all;" echo " deny all;"
echo " }"; echo " }"
fi fi
if [[ "$HTTP_PORT" != "" ]]; then if [[ "$HTTP_PORT" != "" ]]; then
@@ -295,7 +305,6 @@ ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_stapling on;" ssl_stapling on;"
if [[ "$ERROR_PAGE" != "" && "$HTTPS_PORT" != "" ]]; then if [[ "$ERROR_PAGE" != "" && "$HTTPS_PORT" != "" ]]; then
echo "error_page 404 /$ERROR_PAGE; echo "error_page 404 /$ERROR_PAGE;
location = /$ERROR_PAGE { location = /$ERROR_PAGE {
@@ -311,17 +320,23 @@ location = /$ERROR_PAGE {
else else
echo "location / {" echo "location / {"
if [ "$BASIC_AUTH" == "TRUE" ]; then
echo ' auth_basic "SAFEBOX AUTHORIZATION";
auth_basic_user_file htpasswd;
'
fi
if [[ "$ALLOWED_NETWORK" != "" ]]; then if [[ "$ALLOWED_NETWORK" != "" ]]; then
ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE) ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1)) ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1))
echo " limit_except GET HEAD {"; echo " limit_except GET HEAD {"
for i in $(seq 0 $ALLOWED_NETWORK_IDX); do for i in $(seq 0 $ALLOWED_NETWORK_IDX); do
AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE) AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
echo " allow "$AN";" echo " allow "$AN";"
done done
echo " deny all;" echo " deny all;"
echo " }"; echo " }"
fi fi
echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;" echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"
@@ -344,15 +359,15 @@ echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"
echo " proxy_buffering off;" echo " proxy_buffering off;"
echo "}" echo "}"
echo "# first location end"; echo "# first location end"
add_location; add_location
fi fi
if [ "$REGENERATE" == "" ]; then if [ "$REGENERATE" == "" ]; then
echo "}" echo "}"
fi; fi
fi fi
@@ -361,14 +376,14 @@ fi
regenerate_config() { regenerate_config() {
mv $file $DOMAIN_NAME.conf; mv $file $DOMAIN_NAME.conf
# regenerates nginx config into $file # regenerates nginx config into $file
create_new_config "regenerate"; create_new_config "regenerate"
# append existing alternate locations to new config file # append existing alternate locations to new config file
OFFSET=$(cat $DOMAIN_NAME.conf | grep -n '# first location end' -m 1 | cut -d ':' -f1); OFFSET=$(cat $DOMAIN_NAME.conf | grep -n '# first location end' -m 1 | cut -d ':' -f1)
OFFSET=$(($OFFSET + 1)); OFFSET=$(($OFFSET + 1))
{ {
tail -n+$OFFSET $DOMAIN_NAME.conf tail -n+$OFFSET $DOMAIN_NAME.conf
} >>$file } >>$file
@@ -378,8 +393,7 @@ file="/tmp/$DOMAIN_NAME.conf"
# check whether certificates exist or not # check whether certificates exist or not
echo "created domain name: "$DOMAIN_NAME
echo "created domain name: "$DOMAIN_NAME;
#cp -a /scripts/nginx_template.conf /tmp/$DOMAIN.conf #cp -a /scripts/nginx_template.conf /tmp/$DOMAIN.conf
@@ -387,40 +401,40 @@ echo "created domain name: "$DOMAIN_NAME;
if [ -f $DOMAIN_NAME.conf ]; then if [ -f $DOMAIN_NAME.conf ]; then
if [ "$OPERATION" = "DELETE" ]; then if [ "$OPERATION" = "DELETE" ]; then
remove_alternate_location; remove_alternate_location
elif [ "$OPERATION" = "MODIFY" ]; then elif [ "$OPERATION" = "MODIFY" ]; then
# must be before create_new_config # must be before create_new_config
remove_alternate_location; remove_alternate_location
add_alternate_location; add_alternate_location
regenerate_config; regenerate_config
else else
# default CREATE, append location # default CREATE, append location
add_alternate_location; add_alternate_location
regenerate_config; regenerate_config
# reload alternate locations if allowed networks has changed # reload alternate locations if allowed networks has changed
if [ -n "$RELOAD_LOCATIONS" ]; then if [ -n "$RELOAD_LOCATIONS" ]; then
rm $file; rm $file
remove_alternate_location; remove_alternate_location
add_alternate_location; add_alternate_location
fi; fi
fi; fi
else else
# rewrite operation if nginx config file doesn't exists # rewrite operation if nginx config file doesn't exists
OPERATION="CREATE"; OPERATION="CREATE"
create_new_config; create_new_config
fi; # end of create new nginx config fi # end of create new nginx config
if [ "$OPERATION" != "DELETE" ]; then if [ "$OPERATION" != "DELETE" ]; then
mv $file $DOMAIN_NAME.conf; mv $file $DOMAIN_NAME.conf
fi; fi
echo "$DOMAIN" >>new_config echo "$DOMAIN" >>new_config
if [ "$HTTPS_PORT" != "" ]; then if [ "$HTTPS_PORT" != "" ]; then
/scripts/check_certificates.sh "$DOMAIN_NAME"; /scripts/check_certificates.sh "$DOMAIN_NAME" &
fi fi