safebox/proxy-scheduler
7
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: safebox:8c59ed2ce93f5001d6e078d6032959ad95eaeb9d
Branches Tags
safebox:master
...
compare: safebox:dbf7bc82eace9742583db7e23a745046cf3e7a1d
Branches Tags
safebox:master

2 Commits
8c59ed2ce9 ... dbf7bc82ea

Author SHA1 Message Date
hael
dbf7bc82ea sample files for testing 2023-02-22 11:44:05 +00:00
hael
55f0ebdd89 if allowed networks has changed then do not skip duplicated location but replace it (limit_except GET HEAD) 
remove_location: remove /
tmp filename fix
 2023-02-22 09:37:45 +00:00
7 changed files with 215 additions and 21 deletions
Expand all files Collapse all files

1
scripts/awk Normal file
View File

@@ -0,0 +1 @@
awk '/-----BEGIN CERTIFICATE-----/ {show=1} /-----END CERTIFICATE-----/ {show=1} show {print}' keys/$ovpn.crt >> result

87
scripts/domain.example.conf Normal file
View File

@@ -0,0 +1,87 @@
server {
listen 80 proxy_protocol;
server_name domain.example;
set_real_ip_from 0.0.0.0/0;
real_ip_header proxy_protocol;
rewrite_log on;
return 301 https://domain.example;
}
server {
listen 443 ssl proxy_protocol;
set_real_ip_from 0.0.0.0/0;
real_ip_header proxy_protocol;
server_name domain.example;
client_max_body_size 0;
rewrite_log on;
proxy_ssl_server_name on;
ssl_dhparam /etc/ssl/keys/domain.example/dhparam.pem;
ssl_certificate /etc/ssl/keys/fullchain.pem;
ssl_certificate_key /etc/ssl/keys/key.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !kDHE";
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
location / {
limit_except GET HEAD {
allow 192.168.109.1;
allow 192.168.109.2;
deny all;
}
proxy_pass http://domain-app:80;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_cookie_path / /;
proxy_set_header Connection $http_connection;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_next_upstream off;
proxy_redirect off;
proxy_buffering off;
}
location example2 {
proxy_pass http://example-app2-modified:80;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_cookie_path example2 example2;
proxy_set_header Connection $http_connection;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_next_upstream off;
proxy_redirect off;
proxy_buffering off;
}
# location end
location example {
limit_except GET HEAD {
allow 192.168.105.1
allow 192.168.106.1
allow 192.168.107.1
deny all;
}
proxy_pass http://example-app:80;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_cookie_path example example;
proxy_set_header Connection $http_connection;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_next_upstream off;
proxy_redirect off;
proxy_buffering off;
}
# location end
}

23
scripts/domains/app.domain.example Normal file
View File

@@ -0,0 +1,23 @@
{
"DEBUG": "true",
"DOMAIN": "domain.example",
"ALIASES_HTTP": [ ],
"ALIASES_HTTPS": [ ],
"LOCAL_NAME": "domain-app",
"HTTP_PORT": "",
"HTTPS_PORT": "80",
"ERROR_PAGE": "",
"REDIRECT_HTTP": "",
"REDIRECT_HTTPS": "",
"MAX_BODY_SIZE": "",
"ALLOWED_NETWORK": [ "192.168.109.1", "192.168.109.2", "192.168.110.2" ],
"OPERATION": "CREATE",
"ALTERNATE_LOCATION_PATH": [
{
"LOCAL_PATH": "example",
"LOCAL_NAME": "example-app",
"LOCAL_PORT": "",
"LOCAL_ALLOWED_NETWORK": [ "192.168.105.1", "192.168.106.1", "192.168.107.1" ]
}
]
}

24
scripts/domains/app2.domain.example Normal file
View File

@@ -0,0 +1,24 @@
{
"DEBUG": "true",
"DOMAIN": "domain.example",
"ALIASES_HTTP": [ ],
"ALIASES_HTTPS": [ ],
"LOCAL_NAME": "domain-app2",
"HTTP_PORT": "",
"HTTPS_PORT": "80",
"ERROR_PAGE": "",
"REDIRECT_HTTP": "",
"REDIRECT_HTTPS": "",
"MAX_BODY_SIZE": "",
"ALLOWED_NETWORK": [ ],
"OPERATION": "MODIFY",
"ALTERNATE_LOCATION_PATH": [
{
"LOCAL_PATH": "example2",
"LOCAL_NAME": "example-app2-modified",
"LOCAL_PORT": "",
"LOCAL_ALLOWED_NETWORK": [ ]
}
]
}

23
scripts/domains/app3.domain.example Normal file
View File

@@ -0,0 +1,23 @@
{
"DEBUG": "true",
"DOMAIN": "domain.example",
"ALIASES_HTTP": [ ],
"ALIASES_HTTPS": [ ],
"LOCAL_NAME": "domain-app",
"HTTP_PORT": "",
"HTTPS_PORT": "80",
"ERROR_PAGE": "",
"REDIRECT_HTTP": "",
"REDIRECT_HTTPS": "",
"MAX_BODY_SIZE": "",
"ALLOWED_NETWORK": [ ],
"ALTERNATE_LOCATION_PATH": [
{
"LOCAL_PATH": "example3",
"LOCAL_NAME": "example-app3",
"LOCAL_PORT": "",
"LOCAL_ALLOWED_NETWORK": [ ]
}
]
}

13
scripts/domains/domain.sample Normal file
View File

@@ -0,0 +1,13 @@
{
"DEBUG": "true",
"DOMAIN": "domain.example",
"ALIASES_HTTP": [ ],
"ALIASES_HTTPS": [ ],
"LOCAL_NAME": "domain-app",
"HTTP_PORT": "",
"HTTPS_PORT": "80",
"ERROR_PAGE": "",
"REDIRECT_HTTP": "",
"REDIRECT_HTTPS": "",
"MAX_BODY_SIZE": ""
}

65
scripts/nginx_config_create.sh
View File

@@ -25,6 +25,7 @@ LOCAL_NAME=$(jq -r .LOCAL_NAME $DOMAIN_SOURCE 2>/dev/null);
if [[ "$LOCAL_NAME" == "" || "$LOCAL_NAME" == "null" ]]; then if [[ "$LOCAL_NAME" == "" || "$LOCAL_NAME" == "null" ]]; then
LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null); LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null);
fi fi
RELOAD_LOCATIONS="";
if [ -n "$2" ]; then if [ -n "$2" ]; then
echo "$DOMAIN_NAME DELETED"; echo "$DOMAIN_NAME DELETED";
@@ -60,6 +61,14 @@ add_location() {
# do not duplicate locations # do not duplicate locations
EXISTS=$(grep -rn "location $ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf); EXISTS=$(grep -rn "location $ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf);
if [ -n "$EXISTS" ]; then if [ -n "$EXISTS" ]; then
ROW_NUMBER=$(echo $EXISTS | cut -d ':' -f1);
START=$(($ROW_NUMBER + 2));
OFFSET=$(tail -n+$START $DOMAIN_NAME.conf | grep -n '}' -m 1 | cut -d ':' -f1);
OFFSET=$(($OFFSET - 2));
ALP_ALLOWED=$(echo $(tail -n+$START $DOMAIN_NAME.conf | head -n $OFFSET | awk '{print $2}')); # echo removes space at the end
if [ "$ALP_LOCAL_ALLOWED_NETWORK" != "$ALP_ALLOWED" ]; then
RELOAD_LOCATIONS=$RELOAD_LOCATIONS$ALP_LOCAL_PATH" "
fi;
# skip if exists # skip if exists
continue; continue;
fi; fi;
@@ -75,11 +84,12 @@ add_location() {
echo "location $ALP_LOCAL_PATH {" echo "location $ALP_LOCAL_PATH {"
if [[ "$ALP_LOCAL_ALLOWED_NETWORK" != "" ]]; then if [[ "$ALP_LOCAL_ALLOWED_NETWORK" != "" ]]; then
echo " limit_except GET HEAD {";
for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK) ; do for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK) ; do
echo " allow "$i";" echo " allow $i";
done done;
echo " deny all;" echo " deny all;";
echo " }";
fi fi
if [[ "$ALP_LOCAL_PORT" != "" ]]; then if [[ "$ALP_LOCAL_PORT" != "" ]]; then
@@ -131,22 +141,24 @@ remove_alternate_location() {
remove_location() { remove_location() {
local LOCATION=$1 local LOCATION=$1
LOCATION_ROW="location /$LOCATION {"; LOCATION_ROW="location $LOCATION {";
ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1); ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1);
OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1); if [ -n "$ROW_NUMBER" ]; then
START=$(($ROW_NUMBER - 1)); OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1);
END=$(($ROW_NUMBER + $OFFSET)); START=$(($ROW_NUMBER - 1));
END=$(($ROW_NUMBER + $OFFSET));
{ {
head -n$START $DOMAIN_NAME.conf head -n$START $DOMAIN_NAME.conf
tail -n+$END $DOMAIN_NAME.conf tail -n+$END $DOMAIN_NAME.conf
} >> $file } >> $file
mv $file $DOMAIN_NAME.conf; mv $file $DOMAIN_NAME.conf;
fi;
} }
file="/tmp/$DOMAIN.conf" file="/tmp/$DOMAIN_NAME.conf"
# check whether certificates exist or not # check whether certificates exist or not
@@ -166,6 +178,13 @@ if [ -f $DOMAIN_NAME.conf ]; then
else else
# default CREATE, append location # default CREATE, append location
add_alternate_location; add_alternate_location;
# reload alternate locations if allowed networks has changed
if [ -n "$RELOAD_LOCATIONS" ]; then
rm $file;
remove_alternate_location;
add_alternate_location;
fi;
fi; fi;
else else
@@ -223,12 +242,14 @@ if [[ "$HTTP_PORT" != "" && "$HTTP_PORT" != "80" ]]; then
ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE) ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
ALLOWED_NETWORK_IDX=$(( $ALLOWED_NETWORK_IDX - 1 )) ALLOWED_NETWORK_IDX=$(( $ALLOWED_NETWORK_IDX - 1 ))
echo " limit_except GET HEAD {";
for i in $(seq 0 $ALLOWED_NETWORK_IDX) ; do for i in $(seq 0 $ALLOWED_NETWORK_IDX) ; do
AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE) AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
echo " allow "$AN";" echo " allow "$AN";"
done done
echo " deny all;" echo " deny all;"
fi echo " }";
fi
if [[ "$HTTP_PORT" != "" ]]; then if [[ "$HTTP_PORT" != "" ]]; then
echo " proxy_pass http://$LOCAL_NAME:$HTTP_PORT;" echo " proxy_pass http://$LOCAL_NAME:$HTTP_PORT;"
@@ -322,11 +343,13 @@ location = /$ERROR_PAGE {
ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE) ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
ALLOWED_NETWORK_IDX=$(( $ALLOWED_NETWORK_IDX - 1 )) ALLOWED_NETWORK_IDX=$(( $ALLOWED_NETWORK_IDX - 1 ))
echo " limit_except GET HEAD {";
for i in $(seq 0 $ALLOWED_NETWORK_IDX) ; do for i in $(seq 0 $ALLOWED_NETWORK_IDX) ; do
AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE) AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
echo " allow "$AN";" echo " allow "$AN";"
done done
echo " deny all;" echo " deny all;"
echo " }";
fi fi
echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;" echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"