Run certificate check in the background during Nginx config creation

.drone.yml

@@ -17,6 +17,8 @@ steps:
   - name: build multiarch proxy-scheduler
     image: docker.io/owncloudci/drone-docker-buildx:4
     privileged: true
+    environment:
+      BUILDKIT_NO_HTTP2: "1" 
     settings:
       cache-from: [ "registry.dev.format.hu/proxy-scheduler" ]
       registry: registry.dev.format.hu

letsencrypt.json

@@ -21,10 +21,15 @@
             "NETWORK": "letsencrypt",
             "VOLUMES": [
                 {
-                    "SOURCE": "/etc/system/ssl/keys/",
+                    "SOURCE": "/etc/system/data/ssl/keys/",
                     "DEST": "/acme.sh/",
                     "TYPE": "rw"
                 },
+                {
+                    "SOURCE": "SHARED",
+                    "DEST": "/var/tmp/shared",
+                    "TYPE": "rw"
+                },
                 {
                     "SOURCE": "/etc/user/config/domains",
                     "DEST": "/domains",

proxy-scheduler.json

@@ -6,11 +6,16 @@
     "containers": [
         {
             "IMAGE": "safebox/proxy-scheduler:latest",
-            "NAME": "proxy_scheduler-ifhiwhhg",
+            "NAME": "proxy_scheduler",
             "MEMORY": "64M",
             "IP": "null",
             "NETWORK": "host",
             "VOLUMES": [
+                {
+                    "SOURCE": "SHARED",
+                    "DEST": "/var/tmp/shared",
+                    "TYPE": "rw"
+                },
                 {
                     "SOURCE": "/etc/user/config/services",
                     "DEST": "/etc/user/config/services",

proxy.json

@@ -27,7 +27,7 @@
         "PROXY_CONFIG_DIR": "/proxy_config",
         "PROXY_TYPE": "haproxy",
         "TIMEOUT": "5",
-        "RESTART": "3",
+        "RESTART": "10",
         "ROLE": "backend-proxy",
         "SERVICE_NAME": "public-proxy"
     },

scripts/check_certificates.sh

@@ -14,7 +14,30 @@
 TIMEOUT=$TIMEOUT
 RESTART=$RESTART
 
-SETUP_VERSION=${SETUP_VERSION:-latest};
+SETUP_VERSION=${SETUP_VERSION:-latest}
+LOG_DIR=/var/tmp/shared/output
+LOG_FILE=$LOG_DIR/letsencrypt.txt
+LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json
+DATE=$(date +"%Y-%m-%d-%H-%M")
+
+create_json() {
+
+    if [ ! -f $LETSENCRYPT_OUTPUT ]; then
+        install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
+        echo '{}' >$LETSENCRYPT_OUTPUT
+    fi
+
+    TMP_FILE=$(mktemp)
+    jq '
+      if . == null or . == [] then 
+        {"'$DOMAIN'":{"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
+    else 
+      . + {"'$DOMAIN'": {"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
+      end
+    ' $LETSENCRYPT_OUTPUT >$TMP_FILE
+    cat $TMP_FILE >$LETSENCRYPT_OUTPUT
+    rm $TMP_FILE
+}
 
 # Setting service files path
 if [ "$SERVICE_FILES" == "" ]; then
@@ -27,10 +50,10 @@ fi
 
 # Setup docker registry url path
 if [[ -n "$DOCKER_REGISTRY_URL" && "$DOCKER_REGISTRY_URL" != "null" ]]; then
-    SETUP="/setup";
+    SETUP="/setup"
 else
-    SETUP="setup";
-    DOCKER_REGISTRY_URL="";
+    SETUP="setup"
+    DOCKER_REGISTRY_URL=""
 fi
 
 if [ "$SETUP_VERSION" == "latest" ]; then
@@ -40,7 +63,7 @@ if [ "$SETUP_VERSION" == "latest" ]; then
 --mount src=USER_CONFIG,dst=/services,volume-subpath=services/tmp \
 --mount src=USER_CONFIG,dst=/etc/user/config/system.json,volume-subpath=system.json,ro \
 --mount src=USER_CONFIG,dst=/etc/user/config/user.json,volume-subpath=user.json,ro \
-";
+"
 else
     VOLUME_MOUNTS="
  -v /etc/system/data/dns:/etc/dns:rw \
@@ -50,7 +73,7 @@ else
  -v /etc/user/config/services/:/services/:ro \
  -v /etc/user/config/services/tmp:/services/tmp:rw \
 "
-fi;
+fi
 
 service_exec="docker run --rm \
 -w /services/ \
@@ -66,35 +89,36 @@ letsencrypt_certificates() {
     for retries in $(seq 0 $((RESTART + 1))); do
         if [[ $retries -le $RESTART ]]; then
 
-                        LETS_ENCRYPT_VALUE="$(docker ps | grep letsencrypt | grep Up | wc -l)";
+            LETS_ENCRYPT_VALUE="$(docker ps | grep letsencrypt | grep Up | wc -l)"
             if [[ $LETS_ENCRYPT_VALUE -eq 0 ]]; then
-                                echo "Starting letsencrypt process";                           
+                echo "Starting letsencrypt process"
                 mkdir -p $SERVICE_FILES/tmp/tmp
-                                cp -av /firewall-files/firewall-letsencrypt.json $SERVICE_FILES/tmp/;
-                                LETSENCRYPT_TEMP_SERVICE_FILE=$(mktemp -p $SERVICE_FILES/tmp/);      
+                cp -av /firewall-files/firewall-letsencrypt.json $SERVICE_FILES/tmp/
+                LETSENCRYPT_TEMP_SERVICE_FILE=$(mktemp -p $SERVICE_FILES/tmp/)
                 ENVS='[                                                              
                                         {"DOMAIN": "'$DOMAIN'"},                                     
                                         {"TIMEOUT": "'$TIMEOUT'"},                                   
                                         {"RESTART": "'$RESTART'"}                                    
-                                ]';                                                                  
+                                ]'
                 VOLUMES='                                                            
                                         {                                                            
                                                 "SOURCE": "/etc/user/config/user.json",              
                                                 "DEST": "/etc/user/config/user.json",                
                                                 "TYPE": "ro"                                         
                                         }                                                            
-                                ';                                                                   
-                                jq '.containers[0].ENVS |='"$ENVS"' | .containers[0].VOLUMES[.containers[0].VOLUMES|length]|='"$VOLUMES" $SERVICE_FILES/$LETSENCRYPT_SERVICE_NAME > $LETSENCRYPT_TEMP_SERVICE_FILE.json;
-				$service_exec $(basename $LETSENCRYPT_TEMP_SERVICE_FILE) start info prechecked;                                                                       	    rm -v $SERVICE_FILES/tmp/firewall-letsencrypt.json ; 
-				break;
+                                '
+                jq '.containers[0].ENVS |='"$ENVS"' | .containers[0].VOLUMES[.containers[0].VOLUMES|length]|='"$VOLUMES" $SERVICE_FILES/$LETSENCRYPT_SERVICE_NAME >$LETSENCRYPT_TEMP_SERVICE_FILE.json
+                $service_exec $(basename $LETSENCRYPT_TEMP_SERVICE_FILE) start info prechecked
+                rm -v $SERVICE_FILES/tmp/firewall-letsencrypt.json
+                break
             else
-				echo "Waiting "$TIMEOUT" second for previous letsencrypt process ending";
-				sleep $TIMEOUT;
+                echo "Waiting "$TIMEOUT" second for previous letsencrypt process ending"
+                sleep $TIMEOUT
 
                 echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process."
             fi
         else
-				echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate";
+            echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate"
         fi
 
     done
@@ -108,10 +132,9 @@ create_self_signed_certificate() {
     if [[ ! -f $DOMAIN_CERT_DIR/key.pem && ! -f $DOMAIN_CERT_DIR/fullchain.pem && ! -f $DOMAIN_CERT_DIR/cert.pem ]]; then
 
         # generate key
-		echo "No any certificates found, generate self signed";
-		openssl req -x509 -newkey rsa:4096 -keyout $DOMAIN_CERT_DIR/key.pem -out $DOMAIN_CERT_DIR/cert.pem -days 365 -sha256 -nodes -subj "/CN=$DOMAIN";
-		cp -a $DOMAIN_CERT_DIR/cert.pem $DOMAIN_CERT_DIR/fullchain.pem;
-	
+        echo "No any certificates found, generate self signed"
+        openssl req -x509 -newkey rsa:4096 -keyout $DOMAIN_CERT_DIR/key.pem -out $DOMAIN_CERT_DIR/cert.pem -days 365 -sha256 -nodes -subj "/CN=$DOMAIN"
+        cp -a $DOMAIN_CERT_DIR/cert.pem $DOMAIN_CERT_DIR/fullchain.pem
 
     fi
 
@@ -119,66 +142,74 @@ create_self_signed_certificate() {
 
 if [ ! -d "$DOMAIN_CERT_DIR" ]; then
     echo "$DOMAIN not contains certificates, creates new."
-	mkdir -p $DOMAIN_CERT_DIR;
+    mkdir -p $DOMAIN_CERT_DIR
 fi
 
 if [ ! -f "$DOMAIN_CERT_DIR/dhparam.pem" ]; then
     # generate dhparam file
-	openssl dhparam -dsaparam -out $DOMAIN_CERT_DIR/dhparam.pem 4096;
-	create_self_signed_certificate;
+    openssl dhparam -dsaparam -out $DOMAIN_CERT_DIR/dhparam.pem 4096
+    create_self_signed_certificate
 
-	PROXY_NAMES="";
+    PROXY_NAMES=""
     # Check services with running containers by roles
     for CONTAINER in $(jq -r --arg ROLE $ROLE '.containers[] | select(.ROLES==$ROLE)' /$PROXY_SERVICE_FILE | jq -r .NAME); do
-		PROXY_NAMES=$PROXY_NAMES" "$CONTAINER;
-	done;
+        PROXY_NAMES=$PROXY_NAMES" "$CONTAINER
+    done
 
     for NAME in $(echo $PROXY_NAMES); do
-		RUNNING_CONTAINER=$(docker ps | grep $NAME | grep Up);
+        RUNNING_CONTAINER=$(docker ps | grep $NAME | grep Up)
         if [ "$RUNNING_CONTAINER" != "" ]; then
-			echo "Restarting $NAME";
-			docker restart $NAME;
+            echo "Restarting $NAME"
+            docker restart $NAME
         else
-			echo "Starting $NAME";
-			docker start $NAME;
-		fi;
-		docker ps |grep $NAME;
-	done;
+            echo "Starting $NAME"
+            docker start $NAME
+        fi
+        docker ps | grep $NAME
+    done
 
 fi
 
-if [ "$GENERATE_CERTIFICATE" == "true" ]; then
+if [ "$GENERATE_CERTIFICATE" == "true" ] && [ "$DOMAIN" != "localhost" ]; then
 
-	CURL_CHECK="curl -s -o /dev/null -w "%{http_code}" https://$LETSENCRYPT_URL";
+    CURL_CHECK="curl -s -o /dev/null -w "%{http_code}" https://$LETSENCRYPT_URL"
 
     if [[ "$(eval $CURL_CHECK)" == "200" ]]; then
 
         file="$DOMAIN_CERT_DIR/letsencrypt"
         {
             echo "{ \"DOMAIN\": \"$DOMAIN\" }"
-		} >> "$file";
+        } >>"$file"
 
-		DOMAIN_CHECK="curl -s -o /dev/null -w "%{http_code}" http://$DOMAIN";
+        if [ ! -f $LETSENCRYPT_OUTPUT ]; then
+            install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
+            echo '{}' >$LETSENCRYPT_OUTPUT
+        fi
+        DOMAIN_CHECK="curl -s -o /dev/null -w "%{http_code}" http://$DOMAIN"
         if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then
-			letsencrypt_certificates;
+            echo "DOMAIN CHECK: $(eval $DOMAIN_CHECK)"
+            letsencrypt_certificates
             echo "Started letsencrypt for domain: $DOMAIN first time"
         else
             echo "Not starting letsencrypt, waiting $TIMEOUT seconds"
             for retries in $(seq 0 $((RESTART + 1))); do
                 if [[ $retries -le $RESTART ]]; then
-					sleep $TIMEOUT;
-					echo "Starting letsencrypt process again";
+                    sleep $TIMEOUT
+                    echo "Starting letsencrypt process again"
                     if [[ "$(eval $DOMAIN_CHECK)" == "200" || "$(eval $DOMAIN_CHECK)" == "301" ]]; then
-						letsencrypt_certificates;
+                        echo "DOMAIN CHECK: $(eval $DOMAIN_CHECK)"
+                        letsencrypt_certificates
                         echo "Started letsencrypt for domain: $DOMAIN second time"
-						break;
+                        break
                     else
-						echo "Waiting "$TIMEOUT" second for starting proxies";
-						sleep $TIMEOUT;
+                        echo "Waiting "$TIMEOUT" second for starting proxies"
+                        sleep $TIMEOUT
                         echo "Not reached number of restart limit: "$RESTART" sleep "$TIMEOUT" and try again to start lets encrypt process."
                     fi
                 else
-					echo "Reached retrying limit: "$RESTART" ,giving up to start lets encrypt process, try self sign the certificate";
+                    LOG=$(echo "The domain '$DOMAIN' could not reachable. Reached retrying limit: '$RESTART', giving up to start lets encrypt process, try self sign the certificate" | base64 -w0)
+                    STATUS="failed"
+                    create_json $DOMAIN $STATUS "$LOG"
                 fi
 
             done

scripts/nginx_config_create.sh

@@ -4,13 +4,13 @@ GENERATE_CERTIFICATE=$GENERATE_CERTIFICATE
 
 cd /proxy_config
 
-FILENAME="$1";
+FILENAME="$1"
 
 DOMAIN_SOURCE=/domains/$FILENAME
 #DOMAIN_SOURCE=./domains/$FILENAME #TEMP
 DOMAIN_NAME=$(jq -r .DOMAIN $DOMAIN_SOURCE)
 HTTP_PORT=$(jq -r .HTTP_PORT $DOMAIN_SOURCE)
-HTTPS_PORT=$(jq -r .HTTPS_PORT $DOMAIN_SOURCE);
+HTTPS_PORT=$(jq -r .HTTPS_PORT $DOMAIN_SOURCE)
 ALIASES_HTTP=$(jq -r '.ALIASES_HTTP | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
 ALIASES_HTTPS=$(jq -r '.ALIASES_HTTPS | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
 REDIRECT_HTTP=$(jq -r .REDIRECT_HTTP $DOMAIN_SOURCE)
@@ -20,23 +20,24 @@ MAX_BODY_SIZE=$(jq -r .MAX_BODY_SIZE $DOMAIN_SOURCE)
 DEBUG=$(jq -r .DEBUG $DOMAIN_SOURCE)
 ALLOWED_NETWORK=$(jq -r '.ALLOWED_NETWORK | select(.!="null") | join(" ")' $DOMAIN_SOURCE)
 OPERATION=$(jq -r '.OPERATION' $DOMAIN_SOURCE)
+BASIC_AUTH=$(jq -r .BASIC_AUTH $DOMAIN_SOURCE)
 ALTERNATE_LOCATION_PATH=$(jq -r .ALTERNATE_LOCATION_PATH $DOMAIN_SOURCE)
-LOCAL_NAME=$(jq -r .LOCAL_NAME $DOMAIN_SOURCE 2>/dev/null);
+LOCAL_NAME=$(jq -r .LOCAL_NAME $DOMAIN_SOURCE 2>/dev/null)
 if [[ "$LOCAL_NAME" == "" || "$LOCAL_NAME" == "null" ]]; then
-        LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null);
+    LOCAL_NAME=$(jq -r .LOCAL_IP $DOMAIN_SOURCE 2>/dev/null)
 fi
-RELOAD_LOCATIONS="";
+RELOAD_LOCATIONS=""
 
-if [ -n "$2" ]; then
-	echo "$DOMAIN_NAME DELETED";
-	rm $DOMAIN_NAME.conf;
-	exit;
+if [ -n "$2" ] || [ "$OPERATION" == "DELETE" ]; then
+    echo "$DOMAIN_NAME DELETED"
+    rm $DOMAIN_NAME.conf
+    exit
 fi
 
 add_alternate_location() {
     {
         cat $DOMAIN_NAME.conf | head -n -1
-		add_location;
+        add_location
         echo "}"
 
     } >>"$file"
@@ -49,47 +50,52 @@ add_location() {
         ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE)
         ALP_IDX=$(($ALP_IDX - 1))
 
-			for i in $(seq 0 $ALP_IDX) ;
-			do
+        for i in $(seq 0 $ALP_IDX); do
             ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE)
 
-				ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH);
-				ALP_LOCAL_NAME=$(echo $ALP | jq -rc .LOCAL_NAME);
-				ALP_LOCAL_PORT=$(echo $ALP | jq -rc .LOCAL_PORT);
-				ALP_LOCAL_ALLOWED_NETWORK=$(echo $ALP | jq -rc '.LOCAL_ALLOWED_NETWORK | select(.!="null") | join(" ")');
+            ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH)
+            ALP_LOCAL_NAME=$(echo $ALP | jq -rc .LOCAL_NAME)
+            ALP_LOCAL_PORT=$(echo $ALP | jq -rc .LOCAL_PORT)
+            ALP_LOCAL_ALLOWED_NETWORK=$(echo $ALP | jq -rc '.LOCAL_ALLOWED_NETWORK | select(.!="null") | join(" ")')
 
             # do not duplicate locations
-				EXISTS=$(grep -rn "location $ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf);
+            EXISTS=$(grep -rn "location $ALP_LOCAL_PATH {" -m 1 $DOMAIN_NAME.conf)
             if [ -n "$EXISTS" ]; then
-					ROW_NUMBER=$(echo $EXISTS | cut -d ':' -f1);
-					START=$(($ROW_NUMBER + 2));
-					OFFSET=$(tail -n+$START $DOMAIN_NAME.conf | grep -n '}' -m 1 | cut -d ':' -f1);
-					OFFSET=$(($OFFSET - 2));
-					ALP_ALLOWED=$(echo $(tail -n+$START $DOMAIN_NAME.conf | head -n $OFFSET | awk '{print $2}')); # echo removes space at the end
+                ROW_NUMBER=$(echo $EXISTS | cut -d ':' -f1)
+                START=$(($ROW_NUMBER + 2))
+                OFFSET=$(tail -n+$START $DOMAIN_NAME.conf | grep -n '}' -m 1 | cut -d ':' -f1)
+                OFFSET=$(($OFFSET - 2))
+                ALP_ALLOWED=$(echo $(tail -n+$START $DOMAIN_NAME.conf | head -n $OFFSET | awk '{print $2}')) # echo removes space at the end
                 if [ "$ALP_LOCAL_ALLOWED_NETWORK" != "$ALP_ALLOWED" ]; then
                     RELOAD_LOCATIONS=$RELOAD_LOCATIONS$ALP_LOCAL_PATH" "
-					fi;
+                fi
                 # skip if exists
-					continue;
-				fi;
+                continue
+            fi
 
             if [[ "$ALP_LOCAL_NAME" = "" ]]; then
                 ALP_LOCAL_NAME=$LOCAL_NAME
-				fi;
+            fi
 
             if [[ "$ALP_LOCAL_PORT" = "" ]]; then
                 ALP_LOCAL_PORT=$HTTP_PORT
-				fi;
+            fi
 
             echo "location $ALP_LOCAL_PATH {"
 
+            if [ "$BASIC_AUTH" == "TRUE" ]; then
+                echo '  auth_basic           "SAFEBOX AUTHORIZATION";
+     auth_basic_user_file htpasswd;
+                        '
+            fi
+
             if [[ "$ALP_LOCAL_ALLOWED_NETWORK" != "" ]]; then
-					echo " limit_except GET HEAD {";
+                echo " limit_except GET HEAD {"
                 for i in $(echo $ALP_LOCAL_ALLOWED_NETWORK); do
-						echo " 	allow $i";
-					done;
-					echo " 	deny all;";
-					echo " }";
+                    echo " 	allow $i"
+                done
+                echo " 	deny all;"
+                echo " }"
             fi
 
             if [[ "$ALP_LOCAL_PORT" != "" ]]; then
@@ -117,8 +123,8 @@ add_location() {
             echo " proxy_buffering off;"
             echo "}"
             echo "# location end"
-			done;
-		fi;
+        done
+    fi
 
 }
 
@@ -129,32 +135,31 @@ remove_alternate_location() {
         ALP_IDX=$(jq -r '.ALTERNATE_LOCATION_PATH | length' $DOMAIN_SOURCE)
         ALP_IDX=$(($ALP_IDX - 1))
 
-		for i in $(seq 0 $ALP_IDX) ;
-		do
+        for i in $(seq 0 $ALP_IDX); do
             ALP=$(jq -r .ALTERNATE_LOCATION_PATH[$i] $DOMAIN_SOURCE)
-			ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH);
+            ALP_LOCAL_PATH=$(echo $ALP | jq -rc .LOCAL_PATH)
             remove_location $ALP_LOCAL_PATH
-		done;
-	fi;
+        done
+    fi
 }
 
 remove_location() {
     local LOCATION=$1
 
-	LOCATION_ROW="location $LOCATION {";
-	ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1);
+    LOCATION_ROW="location $LOCATION {"
+    ROW_NUMBER=$(grep -rn "$LOCATION_ROW" $DOMAIN_NAME.conf | cut -d ':' -f1)
     if [ -n "$ROW_NUMBER" ]; then
-		OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1);
-		START=$(($ROW_NUMBER - 1));
-		END=$(($ROW_NUMBER + $OFFSET));
+        OFFSET=$(tail -n+$ROW_NUMBER $DOMAIN_NAME.conf | grep -n '# location end' -m 1 | cut -d ':' -f1)
+        START=$(($ROW_NUMBER - 1))
+        END=$(($ROW_NUMBER + $OFFSET))
 
         {
             head -n$START $DOMAIN_NAME.conf
             tail -n+$END $DOMAIN_NAME.conf
         } >>$file
 
-		mv $file $DOMAIN_NAME.conf;
-	fi;
+        mv $file $DOMAIN_NAME.conf
+    fi
 }
 
 # create new nginx config
@@ -201,26 +206,31 @@ if [[ "$HTTP_PORT" != "" && "$HTTP_PORT" != "80" ]]; then
 
             echo "rewrite_log on;"
 
-	
             if [[ "$REDIRECT_HTTP" != "" ]]; then
                 echo "return 301 $REDIRECT_HTTP;"
             elif [[ "$HTTP_PORT" == "" ]]; then
-			echo "return 301 https://"$DOMAIN_NAME;
+                echo "return 301 https://"$DOMAIN_NAME
 
             else
                 echo "location / {"
 
+                if [ "$BASIC_AUTH" == "TRUE" ]; then
+                    echo '  auth_basic           "SAFEBOX AUTHORIZATION";
+     auth_basic_user_file htpasswd;
+                        '
+                fi
+
                 if [[ "$ALLOWED_NETWORK" != "" ]]; then
                     ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
                     ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1))
 
-				echo " limit_except GET HEAD {";
+                    echo " limit_except GET HEAD {"
                     for i in $(seq 0 $ALLOWED_NETWORK_IDX); do
                         AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
                         echo " 	allow "$AN";"
                     done
                     echo " 	deny  all;"
-				echo " }";
+                    echo " }"
                 fi
 
                 if [[ "$HTTP_PORT" != "" ]]; then
@@ -295,7 +305,6 @@ ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 5m;
 ssl_stapling on;"
 
-
             if [[ "$ERROR_PAGE" != "" && "$HTTPS_PORT" != "" ]]; then
                 echo "error_page 404 /$ERROR_PAGE;
 location = /$ERROR_PAGE {
@@ -311,17 +320,23 @@ location = /$ERROR_PAGE {
             else
                 echo "location / {"
 
+                if [ "$BASIC_AUTH" == "TRUE" ]; then
+                    echo '  auth_basic           "SAFEBOX AUTHORIZATION";
+     auth_basic_user_file htpasswd;
+                        '
+                fi
+
                 if [[ "$ALLOWED_NETWORK" != "" ]]; then
                     ALLOWED_NETWORK_IDX=$(jq -r '.ALLOWED_NETWORK | length' $DOMAIN_SOURCE)
                     ALLOWED_NETWORK_IDX=$(($ALLOWED_NETWORK_IDX - 1))
 
-			echo " limit_except GET HEAD {";
+                    echo " limit_except GET HEAD {"
                     for i in $(seq 0 $ALLOWED_NETWORK_IDX); do
                         AN=$(jq -r .ALLOWED_NETWORK[$i] $DOMAIN_SOURCE)
                         echo " 	allow "$AN";"
                     done
                     echo " 	deny  all;"
-			echo " }";
+                    echo " }"
                 fi
                 echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"
 
@@ -344,15 +359,15 @@ echo " proxy_pass http://$LOCAL_NAME:$HTTPS_PORT;"
                 echo " proxy_buffering off;"
                 echo "}"
 
-		echo "# first location end";
+                echo "# first location end"
 
-		add_location;
+                add_location
 
             fi
 
             if [ "$REGENERATE" == "" ]; then
                 echo "}"
-fi;
+            fi
 
         fi
 
@@ -361,14 +376,14 @@ fi
 
 regenerate_config() {
 
-	mv $file $DOMAIN_NAME.conf;
+    mv $file $DOMAIN_NAME.conf
 
     # regenerates nginx config into $file
-	create_new_config "regenerate";
+    create_new_config "regenerate"
 
     #  append existing alternate locations to new config file
-	OFFSET=$(cat $DOMAIN_NAME.conf | grep -n '# first location end' -m 1 | cut -d ':' -f1);
-	OFFSET=$(($OFFSET + 1));
+    OFFSET=$(cat $DOMAIN_NAME.conf | grep -n '# first location end' -m 1 | cut -d ':' -f1)
+    OFFSET=$(($OFFSET + 1))
     {
         tail -n+$OFFSET $DOMAIN_NAME.conf
     } >>$file
@@ -378,8 +393,7 @@ file="/tmp/$DOMAIN_NAME.conf"
 
 # check whether certificates exist or not
 
-
-echo "created domain name: "$DOMAIN_NAME;
+echo "created domain name: "$DOMAIN_NAME
 
 #cp -a /scripts/nginx_template.conf /tmp/$DOMAIN.conf
 
@@ -387,40 +401,40 @@ echo "created domain name: "$DOMAIN_NAME;
 if [ -f $DOMAIN_NAME.conf ]; then
 
     if [ "$OPERATION" = "DELETE" ]; then
-		remove_alternate_location;
+        remove_alternate_location
     elif [ "$OPERATION" = "MODIFY" ]; then
         # must be before create_new_config
-		remove_alternate_location;
-		add_alternate_location;
+        remove_alternate_location
+        add_alternate_location
 
-		regenerate_config;
+        regenerate_config
 
     else
         # default CREATE, append location
-		add_alternate_location;
+        add_alternate_location
 
-		regenerate_config;
+        regenerate_config
 
         # reload alternate locations if allowed networks has changed
         if [ -n "$RELOAD_LOCATIONS" ]; then
-			rm $file;
-			remove_alternate_location;
-			add_alternate_location;
-		fi;
-	fi;
+            rm $file
+            remove_alternate_location
+            add_alternate_location
+        fi
+    fi
 else
 
     # rewrite operation if nginx config file doesn't exists
-	OPERATION="CREATE";
-	create_new_config;
+    OPERATION="CREATE"
+    create_new_config
 
-fi; # end of create new nginx config
+fi # end of create new nginx config
 
 if [ "$OPERATION" != "DELETE" ]; then
-	mv $file $DOMAIN_NAME.conf;
-fi;
+    mv $file $DOMAIN_NAME.conf
+fi
 echo "$DOMAIN" >>new_config
 
 if [ "$HTTPS_PORT" != "" ]; then
-	/scripts/check_certificates.sh "$DOMAIN_NAME";
+    /scripts/check_certificates.sh "$DOMAIN_NAME" &
 fi