jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
a5c4b5d8a135bfc46af0b6e99e6b254299dcbc17
cloudron-box/src/reverseproxy.js

739 lines
33 KiB
JavaScript
Raw Normal View History

add certificate manager stub
2015-12-10 13:31:47 -08:00
'use strict';
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
exports = module.exports = {
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
setFallbackCertificate,
getFallbackCertificate,
make code a bit readable
2017-01-17 09:57:15 -08:00
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
generateFallbackCertificateSync,
setAppCertificateSync,
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
validateCertificate,
make code a bit readable
2017-01-17 09:57:15 -08:00
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
getCertificate,
ensureCertificate,
fix acme prod setting detection
2016-06-22 13:48:07 -05:00
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
renewCerts,
make code a bit readable
2017-01-17 09:57:15 -08:00
reverseproxy: improve the note
2019-09-30 15:25:53 -07:00
// the 'configure' ensure a certificate and generate nginx config
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
configureAdmin,
configureApp,
unconfigureApp,
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
reverseproxy: improve the note
2019-09-30 15:25:53 -07:00
// these only generate nginx config
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
writeDefaultConfig,
rename writeAdmin to writeDashboard
2020-09-23 15:45:04 -07:00
writeDashboardConfig,
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
writeAppConfig,
removeAppConfigs,
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
fix acme prod setting detection
2016-06-22 13:48:07 -05:00
// exported for testing
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
_getAcmeApi: getAcmeApi
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
};
acme2 implementation
2018-09-10 15:19:10 -07:00
var acme2 = require('./cert/acme2.js'),
use fallback certs if renewal fails
2016-03-17 12:20:02 -07:00
apps = require('./apps.js'),
add certificate manager stub
2015-12-10 13:31:47 -08:00
assert = require('assert'),
add getApi
2015-12-14 12:28:00 -08:00
async = require('async'),
Move ReverseProxyError with BoxError
2019-10-22 16:46:24 -07:00
BoxError = require('./boxerror.js'),
refactor certificate settings
2015-12-11 13:52:21 -08:00
constants = require('./constants.js'),
Generate fallback cert to contain naked domain in SAN
2018-02-09 13:44:29 -08:00
crypto = require('crypto'),
Make LE work with hyphenated domains
2018-10-31 15:41:02 -07:00
debug = require('debug')('box:reverseproxy'),
Use tlsConfig from the domain, not from settings
2018-01-31 18:27:18 +01:00
domains = require('./domains.js'),
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
ejs = require('ejs'),
add certificate renew event
2016-04-30 22:27:33 -07:00
eventlog = require('./eventlog.js'),
refactor certificate settings
2015-12-11 13:52:21 -08:00
fs = require('fs'),
Move cert change notification into ensureCertificate() When ensureCertificate renews the cert, the filename will match the nginx config cert file. The current code detects that this implies that the cert has not changed and thus does not update mail container. Move the notification into ensureCertificate() itself. If we have a wildcard cert and it gets renewed when installing a new app, then mail container will still get it.
2019-03-04 15:20:58 -08:00
mail = require('./mail.js'),
Generate fallback cert to contain naked domain in SAN
2018-02-09 13:44:29 -08:00
os = require('os'),
refactor certificate settings
2015-12-11 13:52:21 -08:00
path = require('path'),
add certificate manager stub
2015-12-10 13:31:47 -08:00
paths = require('./paths.js'),
Ensure we purge all nginx configs of an app
2018-06-29 23:01:22 +02:00
rimraf = require('rimraf'),
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
safe = require('safetydance'),
config.js is dead, long live config.js we use settings now
2019-07-26 10:49:29 -07:00
settings = require('./settings.js'),
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
shell = require('./shell.js'),
Move hasIPv6 into sysinfo
2019-07-25 11:26:53 -07:00
sysinfo = require('./sysinfo.js'),
Rename user.js to users.js
2018-04-29 10:58:45 -07:00
users = require('./users.js'),
Get rid of x509 module This is the last of the "native" modules. These modules take forever to rebuild in low memory machines
2017-02-24 19:21:53 -08:00
util = require('util');
add certificate manager stub
2015-12-10 13:31:47 -08:00
rename appconfig to nginxconfig
2019-10-13 17:08:33 -07:00
var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/nginxconfig.ejs', { encoding: 'utf8' }),
Do not crash if platform.start fails With this change, the box code always starts up even if nginx fails, docker fails etc.
2018-11-10 18:21:15 -08:00
RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
proxyAuth: add exclusion path had to move the ~ login/logout regexp inside. This is because of https://www.ruby-forum.com/t/proxy-pass-location-inheritance/239135 What it says is that a regexp inside a matching location prefix is given precedence regardless of how it appears in the file. This means that the negative regexp got precedence over login|logout and thus went into infinite redirect. By moving it to same level, the regexps are considered in order. Some notes on nginx location: * First, it will match the prefixes (= and the /). If =, the matching stops. If /xx then the longest match is "remembered" * It will then match the regex inside the longest match. First match wins * It will then match the rest of the regex locations. First match win * If no regex matched, it will then do the remembered longest prefix fixes #762
2021-01-08 14:10:11 -08:00
function nginxLocation(s) {
if (!s.startsWith('!')) return s;
let re = s.replace(/[\^$\\.*+?()[\]{}|]/g, '\\$&'); // https://github.com/es-shims/regexp.escape/blob/master/implementation.js
return `~ ^(?!(${re.slice(1)}))`; // negative regex assertion - https://stackoverflow.com/questions/16302897/nginx-location-not-equal-to-regex
}
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
function getAcmeApi(domainObject, callback) {
Pass around domainObject
2018-11-14 19:36:12 -08:00
assert.strictEqual(typeof domainObject, 'object');
use the acme backend when using altDomain
2016-04-19 08:21:23 -07:00
assert.strictEqual(typeof callback, 'function');
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
const api = acme2;
Add fallback certificate backend
2016-12-05 17:01:23 +01:00
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
let options = { prod: false, performHttpAuthorization: false, wildcard: false, email: '' };
certs: remove caas backend
2020-08-07 11:49:34 -07:00
options.prod = domainObject.tlsConfig.provider.match(/.*-prod/) !== null; // matches 'le-prod' or 'letsencrypt-prod'
options.performHttpAuthorization = domainObject.provider.match(/noop|manual|wildcard/) !== null;
options.wildcard = !!domainObject.tlsConfig.wildcard;
acme: update account with owner email fixes #544
2016-01-13 14:21:23 -08:00
Pass around domainObject
2018-11-14 19:36:12 -08:00
// registering user with an email requires A or MX record (https://github.com/letsencrypt/boulder/issues/1197)
// we cannot use admin@fqdn because the user might not have set it up.
// we simply update the account with the latest email we have each time when getting letsencrypt certs
// https://github.com/ietf-wg-acme/acme/issues/30
users.getOwner(function (error, owner) {
Use webmaster@ instead of support@ as LetsEncrypt fallback
2020-05-03 11:02:18 +02:00
options.email = error ? 'webmaster@cloudron.io' : owner.email; // can error if not activated yet
set prod option based on provider
2015-12-17 13:17:46 -08:00
Pass around domainObject
2018-11-14 19:36:12 -08:00
callback(null, api, options);
add getApi
2015-12-14 12:28:00 -08:00
});
}
do not renew apps without any cert autoRenew was mistakenly reconfiguring app without a cert (this is the common case for apps in non-custom domain)
2016-03-23 08:49:08 -07:00
function isExpiringSync(certFilePath, hours) {
assert.strictEqual(typeof certFilePath, 'string');
Refactor code to take hours
2016-03-18 22:59:51 -07:00
assert.strictEqual(typeof hours, 'number');
refactor expiry check
2016-03-19 12:50:31 -07:00
do not renew apps without any cert autoRenew was mistakenly reconfiguring app without a cert (this is the common case for apps in non-custom domain)
2016-03-23 08:49:08 -07:00
if (!fs.existsSync(certFilePath)) return 2; // not found
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
fix linter errors
2016-03-19 13:22:38 -07:00
var result = safe.child_process.spawnSync('/usr/bin/openssl', [ 'x509', '-checkend', String(60 * 60 * hours), '-in', certFilePath ]);
Refactor code to take hours
2016-03-18 22:59:51 -07:00
Check if result is not null
2018-11-23 11:26:18 -08:00
if (!result) return 3; // some error
trim the output string
2016-03-21 08:25:10 -07:00
debug('isExpiringSync: %s %s %s', certFilePath, result.stdout.toString('utf8').trim(), result.status);
cert: check expiry correctly
2016-03-14 22:50:06 -07:00
return result.status === 1; // 1 - expired 0 - not expired
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
}
bare domains are getting continuously renewed the code is not handling the case where bare domain is not part of the wildcard SAN.
2018-11-14 19:46:38 -08:00
// checks if the certificate matches the options provided by user (like wildcard, le-staging etc)
function providerMatchesSync(domainObject, certFilePath, apiOptions) {
assert.strictEqual(typeof domainObject, 'object');
detect change in provider type and renew accordingly
2018-10-24 19:52:07 -07:00
assert.strictEqual(typeof certFilePath, 'string');
assert.strictEqual(typeof apiOptions, 'object');
if (!fs.existsSync(certFilePath)) return false; // not found
const subjectAndIssuer = safe.child_process.execSync(`/usr/bin/openssl x509 -noout -subject -issuer -in "${certFilePath}"`, { encoding: 'utf8' });
Fix error handling of all the execSync usage
2018-11-23 11:39:00 -08:00
if (!subjectAndIssuer) return false; // something bad happenned
detect change in provider type and renew accordingly
2018-10-24 19:52:07 -07:00
Make the cert subject match
2018-11-15 14:18:34 +01:00
const subject = subjectAndIssuer.match(/^subject=(.*)$/m)[1];
Get the domain correctly from subject
2018-11-15 10:45:27 -08:00
const domain = subject.substr(subject.indexOf('=') + 1).trim(); // subject can be /CN=, CN=, CN = and other forms
bare domains are getting continuously renewed the code is not handling the case where bare domain is not part of the wildcard SAN.
2018-11-14 19:46:38 -08:00
const issuer = subjectAndIssuer.match(/^issuer=(.*)$/m)[1];
Get the domain correctly from subject
2018-11-15 10:45:27 -08:00
const isWildcardCert = domain.includes('*');
acme2: issuer name has changed There is now Let's Encrypt R3 and Let's Encrypt R4 etc https://scotthelme.co.uk/lets-encrypts-new-root-and-intermediate-certificates/
2020-12-04 11:48:23 -08:00
const isLetsEncryptProd = issuer.includes('Let\'s Encrypt');
bare domains are getting continuously renewed the code is not handling the case where bare domain is not part of the wildcard SAN.
2018-11-14 19:46:38 -08:00
const issuerMismatch = (apiOptions.prod && !isLetsEncryptProd) || (!apiOptions.prod && isLetsEncryptProd);
// bare domain is not part of wildcard SAN
Get the domain correctly from subject
2018-11-15 10:45:27 -08:00
const wildcardMismatch = (domain !== domainObject.domain) && (apiOptions.wildcard && !isWildcardCert) || (!apiOptions.wildcard && isWildcardCert);
detect change in provider type and renew accordingly
2018-10-24 19:52:07 -07:00
bare domains are getting continuously renewed the code is not handling the case where bare domain is not part of the wildcard SAN.
2018-11-14 19:46:38 -08:00
const mismatch = issuerMismatch || wildcardMismatch;
detect change in provider type and renew accordingly
2018-10-24 19:52:07 -07:00
acme2: better logs
2020-12-04 11:47:19 -08:00
debug(`providerMatchesSync: ${certFilePath} subject=${subject} domain=${domain} issuer=${issuer} `
+ `wildcard=${isWildcardCert}/${apiOptions.wildcard} prod=${isLetsEncryptProd}/${apiOptions.prod} `
+ `issuerMismatch=${issuerMismatch} wildcardMismatch=${wildcardMismatch} match=${!mismatch}`);
detect change in provider type and renew accordingly
2018-10-24 19:52:07 -07:00
return !mismatch;
}
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
// note: https://tools.ietf.org/html/rfc4346#section-7.4.2 (certificate_list) requires that the
// servers certificate appears first (and not the intermediate cert)
Make cert an object
2018-11-05 22:36:16 -08:00
function validateCertificate(location, domainObject, certificate) {
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
assert.strictEqual(typeof location, 'string');
Fix various typos
2018-11-05 21:26:53 -08:00
assert.strictEqual(typeof domainObject, 'object');
Make cert an object
2018-11-05 22:36:16 -08:00
assert(certificate && typeof certificate, 'object');
const cert = certificate.cert, key = certificate.key;
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
certificates: cert/key cannot be null
2018-01-26 19:31:06 -08:00
// check for empty cert and key strings
Move ReverseProxyError with BoxError
2019-10-22 16:46:24 -07:00
if (!cert && key) return new BoxError(BoxError.BAD_FIELD, 'missing cert', { field: 'cert' });
if (cert && !key) return new BoxError(BoxError.BAD_FIELD, 'missing key', { field: 'key' });
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
Remove SAN check -checkhost already checks the SAN. It is implementation dependent as to whether the CN is checked for.
2018-02-09 14:05:01 -08:00
// -checkhost checks for SAN or CN exclusively. SAN takes precedence and if present, ignores the CN.
rework dns api to take domainObject the DNS backends require many different params, it's just easier to pass them all together and have backends do whatever. For example, route53 API requires the fqdn. Some other backends require just the "part" to insert. * location - location in the database (where app is installed) * zoneName - the dns zone name * domain - domain in the database (where apps are installed into) * name/getName() - this returns the name to insert in the DNS based on zoneName/location * fqdn - the fully resolved location in zoneName verifyDnsConfig also takes a domain object even if it's not in db just so that we can test even existing domain objects, if required. The IP param is removed since it's not required. for caas, we also don't need the fqdn hack in dnsConfig anymore
2019-01-04 18:44:54 -08:00
const fqdn = domains.fqdn(location, domainObject);
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
Make key validation work for ecc certs
2020-03-24 20:56:49 -07:00
let result = safe.child_process.execSync(`openssl x509 -noout -checkhost "${fqdn}"`, { encoding: 'utf8', input: cert });
Move ReverseProxyError with BoxError
2019-10-22 16:46:24 -07:00
if (result === null) return new BoxError(BoxError.BAD_FIELD, 'Unable to get certificate subject:' + safe.error.message, { field: 'cert' });
Bring back code for alt domain match There are no actual tests for this yet. Should be added.
2017-05-11 21:55:25 +02:00
Move ReverseProxyError with BoxError
2019-10-22 16:46:24 -07:00
if (result.indexOf('does match certificate') === -1) return new BoxError(BoxError.BAD_FIELD, `Certificate is not valid for this domain. Expecting ${fqdn}`, { field: 'cert' });
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
Make key validation work for ecc certs
2020-03-24 20:56:49 -07:00
// check if public key in the cert and private key matches. pkey below works for RSA and ECDSA keys
const pubKeyFromCert = safe.child_process.execSync('openssl x509 -noout -pubkey', { encoding: 'utf8', input: cert });
if (pubKeyFromCert === null) return new BoxError(BoxError.BAD_FIELD, `Unable to get public key from cert: ${safe.error.message}`, { field: 'cert' });
Fix error handling of all the execSync usage
2018-11-23 11:39:00 -08:00
Make key validation work for ecc certs
2020-03-24 20:56:49 -07:00
const pubKeyFromKey = safe.child_process.execSync('openssl pkey -pubout', { encoding: 'utf8', input: key });
if (pubKeyFromKey === null) return new BoxError(BoxError.BAD_FIELD, `Unable to get public key from private key: ${safe.error.message}`, { field: 'cert' });
Fix error handling of all the execSync usage
2018-11-23 11:39:00 -08:00
Make key validation work for ecc certs
2020-03-24 20:56:49 -07:00
if (pubKeyFromCert !== pubKeyFromKey) return new BoxError(BoxError.BAD_FIELD, 'Public key does not match the certificate.', { field: 'cert' });
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
lint
2017-11-27 10:39:42 -08:00
// check expiration
Get rid of x509 module This is the last of the "native" modules. These modules take forever to rebuild in low memory machines
2017-02-24 19:21:53 -08:00
result = safe.child_process.execSync('openssl x509 -checkend 0', { encoding: 'utf8', input: cert });
Move ReverseProxyError with BoxError
2019-10-22 16:46:24 -07:00
if (!result) return new BoxError(BoxError.BAD_FIELD, 'Certificate has expired.', { field: 'cert' });
Get rid of x509 module This is the last of the "native" modules. These modules take forever to rebuild in low memory machines
2017-02-24 19:21:53 -08:00
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
return null;
}
refactor certificate settings
2015-12-11 13:52:21 -08:00
Move the BOX_ENV check for more test coverage
2018-01-30 16:14:05 -08:00
function reload(callback) {
remove httpPort we can just use container IP instead of all this httpPort exporting magic. this is also required for exposing httpPaths feature (we have to otherwise have multiple httpPorts).
2020-11-18 23:24:34 -08:00
if (constants.TEST) return callback();
Move the BOX_ENV check for more test coverage
2018-01-30 16:14:05 -08:00
Make reverseProxy return BoxError consistently
2019-10-24 10:28:38 -07:00
shell.sudo('reload', [ RELOAD_NGINX_CMD ], {}, function (error) {
Make addons code remove a BoxError
2019-12-04 13:17:58 -08:00
if (error) return callback(new BoxError(BoxError.NGINX_ERROR, `Error reloading nginx: ${error.message}`));
Make reverseProxy return BoxError consistently
2019-10-24 10:28:38 -07:00
callback();
});
Move the BOX_ENV check for more test coverage
2018-01-30 16:14:05 -08:00
}
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
function generateFallbackCertificateSync(domainObject) {
assert.strictEqual(typeof domainObject, 'object');
const domain = domainObject.domain;
const certFilePath = path.join(os.tmpdir(), `${domain}-${crypto.randomBytes(4).readUInt32LE(0)}.cert`);
const keyFilePath = path.join(os.tmpdir(), `${domain}-${crypto.randomBytes(4).readUInt32LE(0)}.key`);
let opensslConf = safe.fs.readFileSync('/etc/ssl/openssl.cnf', 'utf8');
// SAN must contain all the domains since CN check is based on implementation if SAN is found. -checkhost also checks only SAN if present!
let opensslConfWithSan;
remove support for hyphentated domains this has not been used for a long time
2020-08-15 18:40:59 -07:00
let cn = domain;
generate cert with correct CN
2018-11-05 20:36:58 -08:00
remove support for hyphentated domains this has not been used for a long time
2020-08-15 18:40:59 -07:00
debug(`generateFallbackCertificateSync: domain=${domainObject.domain} cn=${cn}`);
generate cert with correct CN
2018-11-05 20:36:58 -08:00
opensslConfWithSan = `${opensslConf}\n[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${cn}\n`;
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
let configFile = path.join(os.tmpdir(), 'openssl-' + crypto.randomBytes(4).readUInt32LE(0) + '.conf');
safe.fs.writeFileSync(configFile, opensslConfWithSan, 'utf8');
reduce the duration of self-signed certs https://support.apple.com/en-us/HT210176 https://forum.cloudron.io/topic/3346/automatically-generated-self-signed-wildcard-certificate-doesn-t-appear-to-be-able-to-be-trusted-by-ios-13-or-greater
2020-10-08 14:38:52 -07:00
// the days field is chosen to be less than 825 days per apple requirement (https://support.apple.com/en-us/HT210176)
let certCommand = util.format(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 800 -subj /CN=*.${cn} -extensions SAN -config ${configFile} -nodes`);
Move ReverseProxyError with BoxError
2019-10-22 16:46:24 -07:00
if (!safe.child_process.execSync(certCommand)) return { error: new BoxError(BoxError.OPENSSL_ERROR, safe.error.message) };
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
safe.fs.unlinkSync(configFile);
const cert = safe.fs.readFileSync(certFilePath, 'utf8');
Move DomainsError to BoxError
2019-10-23 10:02:04 -07:00
if (!cert) return { error: new BoxError(BoxError.FS_ERROR, safe.error.message) };
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
safe.fs.unlinkSync(certFilePath);
const key = safe.fs.readFileSync(keyFilePath, 'utf8');
Move DomainsError to BoxError
2019-10-23 10:02:04 -07:00
if (!key) return { error: new BoxError(BoxError.FS_ERROR, safe.error.message) };
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
safe.fs.unlinkSync(keyFilePath);
return { cert: cert, key: key, error: null };
}
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
function setFallbackCertificate(domain, fallback, callback) {
fqdn -> domain
2018-01-24 14:28:35 -08:00
assert.strictEqual(typeof domain, 'string');
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
assert(fallback && typeof fallback === 'object');
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
assert.strictEqual(typeof fallback, 'object');
refactor certificate settings
2015-12-11 13:52:21 -08:00
assert.strictEqual(typeof callback, 'function');
remove restricted fallback cert this feature was never used. iirc, it was for managed hosting
2020-08-07 11:41:15 -07:00
debug(`setFallbackCertificate: setting certs for domain ${domain}`);
if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`), fallback.cert)) return callback(new BoxError(BoxError.FS_ERROR, safe.error.message));
if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.key`), fallback.key)) return callback(new BoxError(BoxError.FS_ERROR, safe.error.message));
refactor certificate settings
2015-12-11 13:52:21 -08:00
Do not restart mail container when setting fallback certs
2019-03-04 19:35:22 -08:00
// TODO: maybe the cert is being used by the mail container
reload(function (error) {
Move ReverseProxyError with BoxError
2019-10-22 16:46:24 -07:00
if (error) return callback(new BoxError(BoxError.NGINX_ERROR, error));
refactor certificate settings
2015-12-11 13:52:21 -08:00
Do not restart mail container when setting fallback certs
2019-03-04 19:35:22 -08:00
return callback(null);
refactor certificate settings
2015-12-11 13:52:21 -08:00
});
}
fqdn -> domain
2018-01-24 14:28:35 -08:00
function getFallbackCertificate(domain, callback) {
assert.strictEqual(typeof domain, 'string');
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
assert.strictEqual(typeof callback, 'function');
certs: remove caas backend
2020-08-07 11:49:34 -07:00
const certFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`);
const keyFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.key`);
Fix use of fallback certs We used to always use nginx cert dir. When custom fallback certs were set, we used to copy it in boxdata cert dir and then nginx cert dir. The issue is then that we have to copy all certs to nginx cert dir on cloudron restore. To fix this, we simply give priority to nginx cert dir and not copy around certs anymore. caas cert will reside in nginx cert dir and not get backed up, as expected.
2018-01-31 18:20:29 -08:00
Remove unused type field
2019-10-01 11:17:12 -07:00
callback(null, { certFilePath, keyFilePath });
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
}
Make cert an object
2018-11-05 22:36:16 -08:00
function setAppCertificateSync(location, domainObject, certificate) {
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
assert.strictEqual(typeof location, 'string');
assert.strictEqual(typeof domainObject, 'object');
Make cert an object
2018-11-05 22:36:16 -08:00
assert.strictEqual(typeof certificate, 'object');
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
rework dns api to take domainObject the DNS backends require many different params, it's just easier to pass them all together and have backends do whatever. For example, route53 API requires the fqdn. Some other backends require just the "part" to insert. * location - location in the database (where app is installed) * zoneName - the dns zone name * domain - domain in the database (where apps are installed into) * name/getName() - this returns the name to insert in the DNS based on zoneName/location * fqdn - the fully resolved location in zoneName verifyDnsConfig also takes a domain object even if it's not in db just so that we can test even existing domain objects, if required. The IP param is removed since it's not required. for caas, we also don't need the fqdn hack in dnsConfig anymore
2019-01-04 18:44:54 -08:00
let fqdn = domains.fqdn(location, domainObject);
Make cert an object
2018-11-05 22:36:16 -08:00
if (certificate.cert && certificate.key) {
if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${fqdn}.user.cert`), certificate.cert)) return safe.error;
if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${fqdn}.user.key`), certificate.key)) return safe.error;
generate fallback cert correctly for hyphenated domains
2018-11-05 19:09:58 -08:00
} else { // remove existing cert/key
if (!safe.fs.unlinkSync(path.join(paths.APP_CERTS_DIR, `${fqdn}.user.cert`))) debug('Error removing cert: ' + safe.error.message);
if (!safe.fs.unlinkSync(path.join(paths.APP_CERTS_DIR, `${fqdn}.user.key`))) debug('Error removing key: ' + safe.error.message);
}
return null;
}
rename hostname to vhost to make the code less magical
2021-01-19 13:47:11 -08:00
function getAcmeCertificate(vhost, domainObject, callback) {
assert.strictEqual(typeof vhost, 'string'); // this can contain wildcard domain (for alias domains)
Pass around domainObject
2018-11-14 19:36:12 -08:00
assert.strictEqual(typeof domainObject, 'object');
select app's cert based on domain's wildcard flag this also removes the confusing type field in the bundle. we instead check the current nginx config to see what cert is in use.
2018-09-12 14:19:25 -07:00
assert.strictEqual(typeof callback, 'function');
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
let certFilePath, keyFilePath;
check user cert and then the le cert part of #47
2017-01-17 09:58:55 -08:00
rename hostname to vhost to make the code less magical
2021-01-19 13:47:11 -08:00
if (vhost !== domainObject.domain && domainObject.tlsConfig.wildcard) { // bare domain is not part of wildcard SAN
let certName = domains.makeWildcard(vhost).replace('*.', '_.');
Pass around domainObject
2018-11-14 19:36:12 -08:00
certFilePath = path.join(paths.APP_CERTS_DIR, `${certName}.cert`);
keyFilePath = path.join(paths.APP_CERTS_DIR, `${certName}.key`);
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
Pass around domainObject
2018-11-14 19:36:12 -08:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
} else {
rename hostname to vhost to make the code less magical
2021-01-19 13:47:11 -08:00
certFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.cert`);
keyFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.key`);
acme2: implement wildcard certs
2018-09-11 22:46:17 -07:00
Pass around domainObject
2018-11-14 19:36:12 -08:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
}
make ensureCertificate check any wildcard cert
2018-09-11 23:47:23 -07:00
Pass around domainObject
2018-11-14 19:36:12 -08:00
callback(null);
make ensureCertificate check any wildcard cert
2018-09-11 23:47:23 -07:00
}
Fix reverseProxy.getCertificate API
2018-12-19 14:20:48 -08:00
function getCertificate(fqdn, domain, callback) {
assert.strictEqual(typeof fqdn, 'string');
assert.strictEqual(typeof domain, 'string');
make ensureCertificate check any wildcard cert
2018-09-11 23:47:23 -07:00
assert.strictEqual(typeof callback, 'function');
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
// 1. user cert always wins
// 2. if using fallback provider, return that cert
// 3. look for LE certs
Fix reverseProxy.getCertificate API
2018-12-19 14:20:48 -08:00
domains.get(domain, function (error, domainObject) {
Pass around domainObject
2018-11-14 19:36:12 -08:00
if (error) return callback(error);
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
// user cert always wins
let certFilePath = path.join(paths.APP_CERTS_DIR, `${fqdn}.user.cert`);
let keyFilePath = path.join(paths.APP_CERTS_DIR, `${fqdn}.user.key`);
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
if (domainObject.tlsConfig.provider === 'fallback') return getFallbackCertificate(domain, callback);
getAcmeCertificate(fqdn, domainObject, function (error, result) {
Pass around domainObject
2018-11-14 19:36:12 -08:00
if (error || result) return callback(error, result);
acme2: implement wildcard certs
2018-09-11 22:46:17 -07:00
Fix reverseProxy.getCertificate API
2018-12-19 14:20:48 -08:00
return getFallbackCertificate(domain, callback);
Pass around domainObject
2018-11-14 19:36:12 -08:00
});
select app's cert based on domain's wildcard flag this also removes the confusing type field in the bundle. we instead check the current nginx config to see what cert is in use.
2018-09-12 14:19:25 -07:00
});
generate cert files for mail container this allows us to not track paths anymore part of #47
2017-01-17 10:21:42 -08:00
}
rework args to ensureCertificate
2018-09-12 12:50:04 -07:00
function ensureCertificate(vhost, domain, auditSource, callback) {
assert.strictEqual(typeof vhost, 'string');
assert.strictEqual(typeof domain, 'string');
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
assert.strictEqual(typeof auditSource, 'object');
Add certificates.ensureCertificate which gets cert via acme
2015-12-11 14:15:23 -08:00
assert.strictEqual(typeof callback, 'function');
Pass around domainObject
2018-11-14 19:36:12 -08:00
domains.get(domain, function (error, domainObject) {
detect change in provider type and renew accordingly
2018-10-24 19:52:07 -07:00
if (error) return callback(error);
Save user certs separately from automatic certs Fixing the admin cert is a bit more complex since it is used in setup script as well. Can do that in a later task. Fixes #44
2016-09-12 01:21:51 -07:00
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
// user cert always wins
let certFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.user.cert`);
let keyFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.user.key`);
Add missing debugs
2020-08-10 14:54:37 -07:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
debug(`ensureCertificate: ${vhost} will use custom app certs`);
return callback(null, { certFilePath, keyFilePath }, { renewed: false });
}
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
if (domainObject.tlsConfig.provider === 'fallback') {
Add missing debugs
2020-08-10 14:54:37 -07:00
debug(`ensureCertificate: ${vhost} will use fallback certs`);
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
return getFallbackCertificate(domain, function (error, bundle) {
if (error) return callback(error);
callback(null, bundle, { renewed: false });
});
}
getAcmeApi(domainObject, function (error, acmeApi, apiOptions) {
Pass around domainObject
2018-11-14 19:36:12 -08:00
if (error) return callback(error);
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
getAcmeCertificate(vhost, domainObject, function (_error, currentBundle) {
Add certificate.new event
2018-11-14 20:38:49 -08:00
if (currentBundle) {
debug(`ensureCertificate: ${vhost} certificate already exists at ${currentBundle.keyFilePath}`);
use tlsConfig to determine acme or not
2015-12-11 22:25:22 -08:00
Fix bug where nginx was not reloaded on cert renewal Looks like it worked so far because nginx got reloaded in situations like apptask or server reboot.
2019-10-01 11:25:17 -07:00
if (!isExpiringSync(currentBundle.certFilePath, 24 * 30) && providerMatchesSync(domainObject, currentBundle.certFilePath, apiOptions)) return callback(null, currentBundle, { renewed: false });
acme2: better logs
2020-12-04 11:47:19 -08:00
debug(`ensureCertificate: ${vhost} cert requires renewal`);
Pass around domainObject
2018-11-14 19:36:12 -08:00
} else {
debug(`ensureCertificate: ${vhost} cert does not exist`);
}
Add certificates.ensureCertificate which gets cert via acme
2015-12-11 14:15:23 -08:00
Pass around domainObject
2018-11-14 19:36:12 -08:00
debug('ensureCertificate: getting certificate for %s with options %j', vhost, apiOptions);
Fix crash when cert renewal fails
2018-02-02 21:21:51 -08:00
Fix certificate ordering logic * app certs set by user are always preferred * If fallback, choose fallback certs. ignore others * If LE, try to pick LE certs. Otherwise, provider fallback. Fixes #724
2020-08-07 22:59:57 -07:00
acmeApi.getCertificate(vhost, domain, apiOptions, function (error, certFilePath, keyFilePath) {
debug: certFilePath is undefined
2019-12-08 18:23:12 -08:00
debug(`ensureCertificate: error: ${error ? error.message : 'null'} cert: ${certFilePath || 'null'}`);
cert: add more debugs
2019-10-03 10:36:57 -07:00
move cert renewal notification to notification logic
2019-03-04 14:50:56 -08:00
eventlog.add(currentBundle ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: vhost, errorMessage: error ? error.message : '' });
simply use fallback certs if LE fails currently, it fails if we cannot get a cert. This means that we need to provide some option to simply use fallback cert. This requires UI changes that I want to avoid :-)
2015-12-14 17:09:40 -08:00
If cert renewal failed, continue using old cert
2019-10-03 10:46:03 -07:00
if (error && currentBundle && !isExpiringSync(currentBundle.certFilePath, 0)) {
debug('ensureCertificate: continue using existing bundle since renewal failed');
return callback(null, currentBundle, { renewed: false });
}
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
if (certFilePath && keyFilePath) return callback(null, { certFilePath, keyFilePath }, { renewed: true });
Fix crash
2019-10-01 14:04:39 -07:00
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
debug(`ensureCertificate: renewal of ${vhost} failed. using fallback certificates for ${domain}`);
cert: add more debugs
2019-10-03 10:36:57 -07:00
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
getFallbackCertificate(domain, function (error, bundle) {
if (error) return callback(error);
Pass around domainObject
2018-11-14 19:36:12 -08:00
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
callback(null, bundle, { renewed: false });
Move cert change notification into ensureCertificate() When ensureCertificate renews the cert, the filename will match the nginx config cert file. The current code detects that this implies that the cert has not changed and thus does not update mail container. Move the notification into ensureCertificate() itself. If we have a wildcard cert and it gets renewed when installing a new app, then mail container will still get it.
2019-03-04 15:20:58 -08:00
});
Pass around domainObject
2018-11-14 19:36:12 -08:00
});
select app's cert based on domain's wildcard flag this also removes the confusing type field in the bundle. we instead check the current nginx config to see what cert is in use.
2018-09-12 14:19:25 -07:00
});
simply use fallback certs if LE fails currently, it fails if we cannot get a cert. This means that we need to provide some option to simply use fallback cert. This requires UI changes that I want to avoid :-)
2015-12-14 17:09:40 -08:00
});
Add certificates.ensureCertificate which gets cert via acme
2015-12-11 14:15:23 -08:00
});
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
rename writeAdmin to writeDashboard
2020-09-23 15:45:04 -07:00
function writeDashboardNginxConfig(bundle, configFileName, vhost, callback) {
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
assert.strictEqual(typeof bundle, 'object');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
assert.strictEqual(typeof configFileName, 'string');
assert.strictEqual(typeof vhost, 'string');
assert.strictEqual(typeof callback, 'function');
var data = {
sourceDir: path.resolve(__dirname, '..'),
config.js is dead, long live config.js we use settings now
2019-07-26 10:49:29 -07:00
adminOrigin: settings.adminOrigin(),
nginx: add separate endpoint for ip/setup screens 'setup' endpoint for setup/restore. we show the setup wizard. 'ip' endpoint is post activation. we show a splash screen here. Also, the https://ip will not respond to any api calls anymore (since this will leak the admin fqdn otherwise). We should probably make this customizable at some point. Fixes #739
2020-09-23 22:13:02 -07:00
vhost: vhost,
Move hasIPv6 into sysinfo
2019-07-25 11:26:53 -07:00
hasIPv6: sysinfo.hasIPv6(),
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
endpoint: 'admin',
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
add support for protected sites https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ https://gock.net/blog/2020/nginx-subrequest-authentication-server/ https://github.com/andygock/auth-server
2020-11-09 20:34:48 -08:00
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
proxyAuth: add exclusion path had to move the ~ login/logout regexp inside. This is because of https://www.ruby-forum.com/t/proxy-pass-location-inheritance/239135 What it says is that a regexp inside a matching location prefix is given precedence regardless of how it appears in the file. This means that the negative regexp got precedence over login|logout and thus went into infinite redirect. By moving it to same level, the regexps are considered in order. Some notes on nginx location: * First, it will match the prefixes (= and the /). If =, the matching stops. If /xx then the longest match is "remembered" * It will then match the regex inside the longest match. First match wins * It will then match the rest of the regex locations. First match win * If no regex matched, it will then do the remembered longest prefix fixes #762
2021-01-08 14:10:11 -08:00
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') }
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, configFileName);
Make reverseProxy return BoxError consistently
2019-10-24 10:28:38 -07:00
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(new BoxError(BoxError.FS_ERROR, safe.error));
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
reload(callback);
}
Make reverseProxy.configureAdmin not use config This way we can set things up before modifying config for dashboard switch
2018-12-13 21:42:47 -08:00
function configureAdmin(domain, auditSource, callback) {
assert.strictEqual(typeof domain, 'string');
typos
2018-01-30 19:59:09 -08:00
assert.strictEqual(typeof auditSource, 'object');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
assert.strictEqual(typeof callback, 'function');
Make reverseProxy.configureAdmin not use config This way we can set things up before modifying config for dashboard switch
2018-12-13 21:42:47 -08:00
domains.get(domain, function (error, domainObject) {
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
if (error) return callback(error);
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
rework dns api to take domainObject the DNS backends require many different params, it's just easier to pass them all together and have backends do whatever. For example, route53 API requires the fqdn. Some other backends require just the "part" to insert. * location - location in the database (where app is installed) * zoneName - the dns zone name * domain - domain in the database (where apps are installed into) * name/getName() - this returns the name to insert in the DNS based on zoneName/location * fqdn - the fully resolved location in zoneName verifyDnsConfig also takes a domain object even if it's not in db just so that we can test even existing domain objects, if required. The IP param is removed since it's not required. for caas, we also don't need the fqdn hack in dnsConfig anymore
2019-01-04 18:44:54 -08:00
const adminFqdn = domains.fqdn(constants.ADMIN_LOCATION, domainObject);
Make reverseProxy.configureAdmin not use config This way we can set things up before modifying config for dashboard switch
2018-12-13 21:42:47 -08:00
ensureCertificate(adminFqdn, domainObject.domain, auditSource, function (error, bundle) {
if (error) return callback(error);
rename writeAdmin to writeDashboard
2020-09-23 15:45:04 -07:00
writeDashboardNginxConfig(bundle, `${adminFqdn}.conf`, adminFqdn, callback);
on startup, only re-generate the admin config should not try to get certificates on startup
2018-12-13 22:15:08 -08:00
});
});
}
rename writeAdmin to writeDashboard
2020-09-23 15:45:04 -07:00
function writeDashboardConfig(domain, callback) {
on startup, only re-generate the admin config should not try to get certificates on startup
2018-12-13 22:15:08 -08:00
assert.strictEqual(typeof domain, 'string');
assert.strictEqual(typeof callback, 'function');
rename writeAdmin to writeDashboard
2020-09-23 15:45:04 -07:00
debug(`writeDashboardConfig: writing admin config for ${domain}`);
Add debugs
2019-09-30 11:52:23 -07:00
on startup, only re-generate the admin config should not try to get certificates on startup
2018-12-13 22:15:08 -08:00
domains.get(domain, function (error, domainObject) {
if (error) return callback(error);
rework dns api to take domainObject the DNS backends require many different params, it's just easier to pass them all together and have backends do whatever. For example, route53 API requires the fqdn. Some other backends require just the "part" to insert. * location - location in the database (where app is installed) * zoneName - the dns zone name * domain - domain in the database (where apps are installed into) * name/getName() - this returns the name to insert in the DNS based on zoneName/location * fqdn - the fully resolved location in zoneName verifyDnsConfig also takes a domain object even if it's not in db just so that we can test even existing domain objects, if required. The IP param is removed since it's not required. for caas, we also don't need the fqdn hack in dnsConfig anymore
2019-01-04 18:44:54 -08:00
const adminFqdn = domains.fqdn(constants.ADMIN_LOCATION, domainObject);
on startup, only re-generate the admin config should not try to get certificates on startup
2018-12-13 22:15:08 -08:00
Fix reverseProxy.getCertificate API
2018-12-19 14:20:48 -08:00
getCertificate(adminFqdn, domainObject.domain, function (error, bundle) {
on startup, only re-generate the admin config should not try to get certificates on startup
2018-12-13 22:15:08 -08:00
if (error) return callback(error);
rename writeAdmin to writeDashboard
2020-09-23 15:45:04 -07:00
writeDashboardNginxConfig(bundle, `${adminFqdn}.conf`, adminFqdn, callback);
Make reverseProxy.configureAdmin not use config This way we can set things up before modifying config for dashboard switch
2018-12-13 21:42:47 -08:00
});
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
});
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
implement domain aliases
2021-01-18 17:26:26 -08:00
function writeAppNginxConfig(app, fqdn, bundle, callback) {
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
assert.strictEqual(typeof app, 'object');
implement domain aliases
2021-01-18 17:26:26 -08:00
assert.strictEqual(typeof fqdn, 'string');
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
assert.strictEqual(typeof bundle, 'object');
assert.strictEqual(typeof callback, 'function');
statically allocate app container IPs We removed httpPort with the assumption that docker allocated IPs and kept them as long as the container is around. This turned out to be not true because the IP changes on even container restart. So we now allocate IPs statically. The iprange makes sure we don't overlap with addons and other CI app or JupyterHub apps. https://github.com/moby/moby/issues/6743 https://github.com/moby/moby/pull/19001
2020-11-20 14:13:16 -08:00
var sourceDir = path.resolve(__dirname, '..');
var endpoint = 'app';
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
statically allocate app container IPs We removed httpPort with the assumption that docker allocated IPs and kept them as long as the container is around. This turned out to be not true because the IP changes on even container restart. So we now allocate IPs statically. The iprange makes sure we don't overlap with addons and other CI app or JupyterHub apps. https://github.com/moby/moby/issues/6743 https://github.com/moby/moby/pull/19001
2020-11-20 14:13:16 -08:00
let robotsTxtQuoted = null, hideHeaders = [], cspQuoted = null;
const reverseProxyConfig = app.reverseProxyConfig || {}; // some of our code uses fake app objects
if (reverseProxyConfig.robotsTxt) robotsTxtQuoted = JSON.stringify(app.reverseProxyConfig.robotsTxt);
if (reverseProxyConfig.csp) {
cspQuoted = `"${app.reverseProxyConfig.csp}"`;
hideHeaders = [ 'Content-Security-Policy' ];
if (reverseProxyConfig.csp.includes('frame-ancestors ')) hideHeaders.push('X-Frame-Options');
}
Add field to configure the reverse proxy part of #596
2019-10-13 18:22:03 -07:00
statically allocate app container IPs We removed httpPort with the assumption that docker allocated IPs and kept them as long as the container is around. This turned out to be not true because the IP changes on even container restart. So we now allocate IPs statically. The iprange makes sure we don't overlap with addons and other CI app or JupyterHub apps. https://github.com/moby/moby/issues/6743 https://github.com/moby/moby/pull/19001
2020-11-20 14:13:16 -08:00
var data = {
sourceDir: sourceDir,
adminOrigin: settings.adminOrigin(),
implement domain aliases
2021-01-18 17:26:26 -08:00
vhost: fqdn,
statically allocate app container IPs We removed httpPort with the assumption that docker allocated IPs and kept them as long as the container is around. This turned out to be not true because the IP changes on even container restart. So we now allocate IPs statically. The iprange makes sure we don't overlap with addons and other CI app or JupyterHub apps. https://github.com/moby/moby/issues/6743 https://github.com/moby/moby/pull/19001
2020-11-20 14:13:16 -08:00
hasIPv6: sysinfo.hasIPv6(),
ip: app.containerIp,
port: app.manifest.httpPort,
endpoint: endpoint,
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
robotsTxtQuoted,
cspQuoted,
hideHeaders,
proxyAuth: {
enabled: app.sso && app.manifest.addons && app.manifest.addons.proxyAuth,
proxyAuth: allow protecting specific subpath while I don't think this is useful for apps, it is useful for e2e test atleast
2020-11-20 18:13:23 -08:00
id: app.id,
proxyAuth: add exclusion path had to move the ~ login/logout regexp inside. This is because of https://www.ruby-forum.com/t/proxy-pass-location-inheritance/239135 What it says is that a regexp inside a matching location prefix is given precedence regardless of how it appears in the file. This means that the negative regexp got precedence over login|logout and thus went into infinite redirect. By moving it to same level, the regexps are considered in order. Some notes on nginx location: * First, it will match the prefixes (= and the /). If =, the matching stops. If /xx then the longest match is "remembered" * It will then match the regex inside the longest match. First match wins * It will then match the rest of the regex locations. First match win * If no regex matched, it will then do the remembered longest prefix fixes #762
2021-01-08 14:10:11 -08:00
location: nginxLocation(safe.query(app.manifest, 'addons.proxyAuth.path') || '/')
statically allocate app container IPs We removed httpPort with the assumption that docker allocated IPs and kept them as long as the container is around. This turned out to be not true because the IP changes on even container restart. So we now allocate IPs statically. The iprange makes sure we don't overlap with addons and other CI app or JupyterHub apps. https://github.com/moby/moby/issues/6743 https://github.com/moby/moby/pull/19001
2020-11-20 14:13:16 -08:00
},
httpPaths: app.manifest.httpPaths || {}
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
replace * in alias domain with _ for better filenames this is similar to what we do for cert filenames
2021-01-19 13:36:17 -08:00
const aliasSuffix = app.fqdn === fqdn ? '' : `-alias-${fqdn.replace('*', '_')}`;
implement domain aliases
2021-01-18 17:26:26 -08:00
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}${aliasSuffix}.conf`);
debug('writeAppNginxConfig: writing config for "%s" to %s with options %j', fqdn, nginxConfigFilename, data);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
statically allocate app container IPs We removed httpPort with the assumption that docker allocated IPs and kept them as long as the container is around. This turned out to be not true because the IP changes on even container restart. So we now allocate IPs statically. The iprange makes sure we don't overlap with addons and other CI app or JupyterHub apps. https://github.com/moby/moby/issues/6743 https://github.com/moby/moby/pull/19001
2020-11-20 14:13:16 -08:00
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
debug('Error creating nginx config for "%s" : %s', app.fqdn, safe.error.message);
return callback(new BoxError(BoxError.FS_ERROR, safe.error));
}
reload(callback);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
}
on startup, only re-generate the admin config should not try to get certificates on startup
2018-12-13 22:15:08 -08:00
function writeAppRedirectNginxConfig(app, fqdn, bundle, callback) {
Create nginx configs for app redirects
2018-06-29 16:14:13 +02:00
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof fqdn, 'string');
assert.strictEqual(typeof bundle, 'object');
assert.strictEqual(typeof callback, 'function');
var data = {
sourceDir: path.resolve(__dirname, '..'),
vhost: fqdn,
redirectTo: app.fqdn,
Move hasIPv6 into sysinfo
2019-07-25 11:26:53 -07:00
hasIPv6: sysinfo.hasIPv6(),
Create nginx configs for app redirects
2018-06-29 16:14:13 +02:00
endpoint: 'redirect',
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
Add field to configure the reverse proxy part of #596
2019-10-13 18:22:03 -07:00
robotsTxtQuoted: null,
frameAncestors -> csp It seems we cannot separate frame ancestors from CSP because the hide header just hides everything and not a specific resource. This means that the user has to set or unset the full policy whole sale.
2019-10-14 16:59:22 -07:00
cspQuoted: null,
add support for protected sites https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ https://gock.net/blog/2020/nginx-subrequest-authentication-server/ https://github.com/andygock/auth-server
2020-11-09 20:34:48 -08:00
hideHeaders: [],
proxyAuth: add exclusion path had to move the ~ login/logout regexp inside. This is because of https://www.ruby-forum.com/t/proxy-pass-location-inheritance/239135 What it says is that a regexp inside a matching location prefix is given precedence regardless of how it appears in the file. This means that the negative regexp got precedence over login|logout and thus went into infinite redirect. By moving it to same level, the regexps are considered in order. Some notes on nginx location: * First, it will match the prefixes (= and the /). If =, the matching stops. If /xx then the longest match is "remembered" * It will then match the regex inside the longest match. First match wins * It will then match the rest of the regex locations. First match win * If no regex matched, it will then do the remembered longest prefix fixes #762
2021-01-08 14:10:11 -08:00
proxyAuth: { enabled: false, id: app.id, location: nginxLocation('/') }
Create nginx configs for app redirects
2018-06-29 16:14:13 +02:00
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
Cleanup alternateDomain dns records and nginx config
2018-06-29 19:04:48 +02:00
// if we change the filename, also change it in unconfigureApp()
Put redirect label into alternateDomain nginx configs
2018-06-29 17:20:02 +02:00
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}-redirect-${fqdn}.conf`);
Create nginx configs for app redirects
2018-06-29 16:14:13 +02:00
debug('writing config for "%s" redirecting to "%s" to %s with options %j', app.fqdn, fqdn, nginxConfigFilename, data);
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
debug('Error creating nginx redirect config for "%s" : %s', app.fqdn, safe.error.message);
Make reverseProxy return BoxError consistently
2019-10-24 10:28:38 -07:00
return callback(new BoxError(BoxError.FS_ERROR, safe.error));
Create nginx configs for app redirects
2018-06-29 16:14:13 +02:00
}
reload(callback);
}
Add robotsTxt tests
2019-09-09 21:41:55 -07:00
function writeAppConfig(app, callback) {
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof callback, 'function');
implement domain aliases
2021-01-18 17:26:26 -08:00
let appDomains = [];
rename main to primary
2021-01-18 22:31:10 -08:00
appDomains.push({ domain: app.domain, fqdn: app.fqdn, type: 'primary' });
Add robotsTxt tests
2019-09-09 21:41:55 -07:00
implement domain aliases
2021-01-18 17:26:26 -08:00
app.alternateDomains.forEach(function (alternateDomain) {
appDomains.push({ domain: alternateDomain.domain, fqdn: alternateDomain.fqdn, type: 'alternate' });
});
Add robotsTxt tests
2019-09-09 21:41:55 -07:00
implement domain aliases
2021-01-18 17:26:26 -08:00
app.aliasDomains.forEach(function (aliasDomain) {
appDomains.push({ domain: aliasDomain.domain, fqdn: aliasDomain.fqdn, type: 'alias' });
});
Add robotsTxt tests
2019-09-09 21:41:55 -07:00
implement domain aliases
2021-01-18 17:26:26 -08:00
async.eachSeries(appDomains, function (appDomain, iteratorDone) {
getCertificate(appDomain.fqdn, appDomain.domain, function (error, bundle) {
if (error) return iteratorDone(error);
rename main to primary
2021-01-18 22:31:10 -08:00
if (appDomain.type === 'primary') {
implement domain aliases
2021-01-18 17:26:26 -08:00
writeAppNginxConfig(app, appDomain.fqdn, bundle, iteratorDone);
} else if (appDomain.type === 'alternate') {
writeAppRedirectNginxConfig(app, appDomain.fqdn, bundle, iteratorDone);
} else if (appDomain.type === 'alias') {
writeAppNginxConfig(app, appDomain.fqdn, bundle, iteratorDone);
}
Add robotsTxt tests
2019-09-09 21:41:55 -07:00
});
implement domain aliases
2021-01-18 17:26:26 -08:00
}, callback);
Add robotsTxt tests
2019-09-09 21:41:55 -07:00
}
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
function configureApp(app, auditSource, callback) {
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
assert.strictEqual(typeof app, 'object');
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
assert.strictEqual(typeof auditSource, 'object');
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
assert.strictEqual(typeof callback, 'function');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
implement domain aliases
2021-01-18 17:26:26 -08:00
let appDomains = [];
rename main to primary
2021-01-18 22:31:10 -08:00
appDomains.push({ domain: app.domain, fqdn: app.fqdn, type: 'primary' });
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
implement domain aliases
2021-01-18 17:26:26 -08:00
app.alternateDomains.forEach(function (alternateDomain) {
appDomains.push({ domain: alternateDomain.domain, fqdn: alternateDomain.fqdn, type: 'alternate' });
});
Ensure certificates for alternateDomains
2018-06-29 16:02:33 +02:00
implement domain aliases
2021-01-18 17:26:26 -08:00
app.aliasDomains.forEach(function (aliasDomain) {
appDomains.push({ domain: aliasDomain.domain, fqdn: aliasDomain.fqdn, type: 'alias' });
});
Create nginx configs for app redirects
2018-06-29 16:14:13 +02:00
implement domain aliases
2021-01-18 17:26:26 -08:00
async.eachSeries(appDomains, function (appDomain, iteratorDone) {
ensureCertificate(appDomain.fqdn, appDomain.domain, auditSource, function (error, bundle) {
if (error) return iteratorDone(error);
rename main to primary
2021-01-18 22:31:10 -08:00
if (appDomain.type === 'primary') {
implement domain aliases
2021-01-18 17:26:26 -08:00
writeAppNginxConfig(app, appDomain.fqdn, bundle, iteratorDone);
} else if (appDomain.type === 'alternate') {
writeAppRedirectNginxConfig(app, appDomain.fqdn, bundle, iteratorDone);
} else if (appDomain.type === 'alias') {
writeAppNginxConfig(app, appDomain.fqdn, bundle, iteratorDone);
}
Ensure certificates for alternateDomains
2018-06-29 16:02:33 +02:00
});
implement domain aliases
2021-01-18 17:26:26 -08:00
}, callback);
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
}
function unconfigureApp(app, callback) {
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof callback, 'function');
Ensure we purge all nginx configs of an app
2018-06-29 23:01:22 +02:00
// we use globbing to find all nginx configs for an app
rimraf(path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}*.conf`), function (error) {
if (error) debug('Error removing nginx configurations of "%s":', app.fqdn, error);
Cleanup alternateDomain dns records and nginx config
2018-06-29 19:04:48 +02:00
Ensure we purge all nginx configs of an app
2018-06-29 23:01:22 +02:00
reload(callback);
Cleanup alternateDomain dns records and nginx config
2018-06-29 19:04:48 +02:00
});
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
}
Make certificate renewal a task
2018-12-10 20:20:53 -08:00
function renewCerts(options, auditSource, progressCallback, callback) {
Add route to renew certs of a domain
2018-10-24 13:01:45 -07:00
assert.strictEqual(typeof options, 'object');
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
assert.strictEqual(typeof auditSource, 'object');
Make certificate renewal a task
2018-12-10 20:20:53 -08:00
assert.strictEqual(typeof progressCallback, 'function');
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
assert.strictEqual(typeof callback, 'function');
apps.getAll(function (error, allApps) {
if (error) return callback(error);
implement domain aliases
2021-01-18 17:26:26 -08:00
let appDomains = [];
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
// add webadmin and mail domain
if (settings.mailFqdn() === settings.adminFqdn()) {
appDomains.push({ domain: settings.adminDomain(), fqdn: settings.adminFqdn(), type: 'webadmin+mail', nginxConfigFilename: path.join(paths.NGINX_APPCONFIG_DIR, `${settings.adminFqdn()}.conf`) });
} else {
appDomains.push({ domain: settings.adminDomain(), fqdn: settings.adminFqdn(), type: 'webadmin', nginxConfigFilename: path.join(paths.NGINX_APPCONFIG_DIR, `${settings.adminFqdn()}.conf`) });
appDomains.push({ domain: settings.mailDomain(), fqdn: settings.mailFqdn(), type: 'mail' });
}
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
allApps.forEach(function (app) {
Stopped apps should not renew certificates We had a case where a stopped/ununsed app was generating cert renewal errors. One idea might be to suppress the notification as well.
2020-01-26 16:05:23 -08:00
if (app.runState === apps.RSTATE_STOPPED) return; // do not renew certs of stopped apps
rename main to primary
2021-01-18 22:31:10 -08:00
appDomains.push({ domain: app.domain, fqdn: app.fqdn, type: 'primary', app: app, nginxConfigFilename: path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf') });
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
Use alternateDomain fqdn for ensuring certificate this makes it work for hyphenated domains as well
2018-09-22 16:10:46 -07:00
app.alternateDomains.forEach(function (alternateDomain) {
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}-redirect-${alternateDomain.fqdn}.conf`);
appDomains.push({ domain: alternateDomain.domain, fqdn: alternateDomain.fqdn, type: 'alternate', app: app, nginxConfigFilename });
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
});
implement domain aliases
2021-01-18 17:26:26 -08:00
app.aliasDomains.forEach(function (aliasDomain) {
replace * in alias domain with _ for better filenames this is similar to what we do for cert filenames
2021-01-19 13:36:17 -08:00
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}-alias-${aliasDomain.fqdn.replace('*', '_')}.conf`);
implement domain aliases
2021-01-18 17:26:26 -08:00
appDomains.push({ domain: aliasDomain.domain, fqdn: aliasDomain.fqdn, type: 'alias', app: app, nginxConfigFilename });
});
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
});
Add route to renew certs of a domain
2018-10-24 13:01:45 -07:00
if (options.domain) appDomains = appDomains.filter(function (appDomain) { return appDomain.domain === options.domain; });
Fix bug where nginx was not reloaded on cert renewal Looks like it worked so far because nginx got reloaded in situations like apptask or server reboot.
2019-10-01 11:25:17 -07:00
let progress = 1, renewed = [];
rework args to ensureCertificate
2018-09-12 12:50:04 -07:00
async.eachSeries(appDomains, function (appDomain, iteratorCallback) {
Make certificate renewal a task
2018-12-10 20:20:53 -08:00
progressCallback({ percent: progress, message: `Renewing certs of ${appDomain.fqdn}` });
progress += Math.round(100/appDomains.length);
Fix bug where nginx was not reloaded on cert renewal Looks like it worked so far because nginx got reloaded in situations like apptask or server reboot.
2019-10-01 11:25:17 -07:00
ensureCertificate(appDomain.fqdn, appDomain.domain, auditSource, function (error, bundle, state) {
Fix crash when renewAll is called when cloudron is not setup yet
2018-06-05 21:27:32 -07:00
if (error) return iteratorCallback(error); // this can happen if cloudron is not setup yet
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
Fix bug where nginx was not reloaded on cert renewal Looks like it worked so far because nginx got reloaded in situations like apptask or server reboot.
2019-10-01 11:25:17 -07:00
if (state.renewed) renewed.push(appDomain.fqdn);
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
if (appDomain.type === 'mail') return iteratorCallback(); // mail has no nginx config to check current cert
Pass around domainObject
2018-11-14 19:36:12 -08:00
// hack to check if the app's cert changed or not. this doesn't handle prod/staging le change since they use same file name
select app's cert based on domain's wildcard flag this also removes the confusing type field in the bundle. we instead check the current nginx config to see what cert is in use.
2018-09-12 14:19:25 -07:00
let currentNginxConfig = safe.fs.readFileSync(appDomain.nginxConfigFilename, 'utf8') || '';
if (currentNginxConfig.includes(bundle.certFilePath)) return iteratorCallback();
Add a debug
2018-10-24 20:06:43 -07:00
debug(`renewCerts: creating new nginx config since ${appDomain.nginxConfigFilename} does not have ${bundle.certFilePath}`);
select app's cert based on domain's wildcard flag this also removes the confusing type field in the bundle. we instead check the current nginx config to see what cert is in use.
2018-09-12 14:19:25 -07:00
// reconfigure since the cert changed
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
if (appDomain.type === 'webadmin') {
rename writeAdmin to writeDashboard
2020-09-23 15:45:04 -07:00
return writeDashboardNginxConfig(bundle, `${settings.adminFqdn()}.conf`, settings.adminFqdn(), iteratorCallback);
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
} else if (appDomain.type === 'webadmin+mail') {
return async.series([
mail.handleCertChanged,
rename writeAdmin to writeDashboard
2020-09-23 15:45:04 -07:00
writeDashboardNginxConfig.bind(null, bundle, `${settings.adminFqdn()}.conf`, settings.adminFqdn())
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
], iteratorCallback);
rename main to primary
2021-01-18 22:31:10 -08:00
} else if (appDomain.type === 'primary') {
implement domain aliases
2021-01-18 17:26:26 -08:00
return writeAppNginxConfig(appDomain.app, appDomain.fqdn, bundle, iteratorCallback);
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
} else if (appDomain.type === 'alternate') {
return writeAppRedirectNginxConfig(appDomain.app, appDomain.fqdn, bundle, iteratorCallback);
implement domain aliases
2021-01-18 17:26:26 -08:00
} else if (appDomain.type === 'alias') {
return writeAppNginxConfig(appDomain.app, appDomain.fqdn, bundle, iteratorCallback);
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
}
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
iteratorCallback(new BoxError(BoxError.INTERNAL_ERROR, `Unknown domain type for ${appDomain.fqdn}. This should never happen`));
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
});
Fix bug where nginx was not reloaded on cert renewal Looks like it worked so far because nginx got reloaded in situations like apptask or server reboot.
2019-10-01 11:25:17 -07:00
}, function (error) {
if (error) return callback(error);
debug(`renewCerts: Renewed certs of ${JSON.stringify(renewed)}`);
if (renewed.length === 0) return callback(null);
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
async.series([
(next) => { return renewed.includes(settings.mailFqdn()) ? mail.handleCertChanged(next) : next(); },// mail cert renewed
tls addon: restart apps on cert change
2021-02-18 09:43:42 -08:00
reload, // reload nginx if any certs were updated but the config was not rewritten
(next) => { // restart tls apps on cert change
const tlsApps = allApps.filter(app => app.manifest.addons && app.manifest.addons.tls && renewed.includes(app.fqdn));
async.eachSeries(tlsApps, function (app, iteratorDone) {
apps.restart(app, auditSource, () => iteratorDone());
}, next);
}
Allow mail server name to be configurable Fixes #721
2020-08-15 23:17:47 -07:00
], callback);
Fix bug where nginx was not reloaded on cert renewal Looks like it worked so far because nginx got reloaded in situations like apptask or server reboot.
2019-10-01 11:25:17 -07:00
});
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
});
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
function removeAppConfigs() {
Do not remove default.conf and admin.conf when re-configuring apps
2018-11-10 22:02:42 -08:00
for (let appConfigFile of fs.readdirSync(paths.NGINX_APPCONFIG_DIR)) {
Write nginx config into my.<domain>.conf This way we can switch the domain as an independent task that does not affect the existing admin conf
2018-12-13 22:36:11 -08:00
if (appConfigFile !== constants.NGINX_DEFAULT_CONFIG_FILE_NAME && !appConfigFile.startsWith(constants.ADMIN_LOCATION)) {
Do not remove default.conf and admin.conf when re-configuring apps
2018-11-10 22:02:42 -08:00
fs.unlinkSync(path.join(paths.NGINX_APPCONFIG_DIR, appConfigFile));
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
}
}
nginx: add separate endpoint for ip/setup screens 'setup' endpoint for setup/restore. we show the setup wizard. 'ip' endpoint is post activation. we show a splash screen here. Also, the https://ip will not respond to any api calls anymore (since this will leak the admin fqdn otherwise). We should probably make this customizable at some point. Fixes #739
2020-09-23 22:13:02 -07:00
function writeDefaultConfig(options, callback) {
assert.strictEqual(typeof options, 'object');
Do not crash if platform.start fails With this change, the box code always starts up even if nginx fails, docker fails etc.
2018-11-10 18:21:15 -08:00
assert.strictEqual(typeof callback, 'function');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
nginx: add separate endpoint for ip/setup screens 'setup' endpoint for setup/restore. we show the setup wizard. 'ip' endpoint is post activation. we show a splash screen here. Also, the https://ip will not respond to any api calls anymore (since this will leak the admin fqdn otherwise). We should probably make this customizable at some point. Fixes #739
2020-09-23 22:13:02 -07:00
const certFilePath = path.join(paths.NGINX_CERT_DIR, 'default.cert');
const keyFilePath = path.join(paths.NGINX_CERT_DIR, 'default.key');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) {
reverseproxy: rename to writeDefaultConfig
2019-09-30 15:28:05 -07:00
debug('writeDefaultConfig: create new cert');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
nginx: add separate endpoint for ip/setup screens 'setup' endpoint for setup/restore. we show the setup wizard. 'ip' endpoint is post activation. we show a splash screen here. Also, the https://ip will not respond to any api calls anymore (since this will leak the admin fqdn otherwise). We should probably make this customizable at some point. Fixes #739
2020-09-23 22:13:02 -07:00
const cn = 'cloudron-' + (new Date()).toISOString(); // randomize date a bit to keep firefox happy
reduce the duration of self-signed certs https://support.apple.com/en-us/HT210176 https://forum.cloudron.io/topic/3346/automatically-generated-self-signed-wildcard-certificate-doesn-t-appear-to-be-able-to-be-trusted-by-ios-13-or-greater
2020-10-08 14:38:52 -07:00
// the days field is chosen to be less than 825 days per apple requirement (https://support.apple.com/en-us/HT210176)
if (!safe.child_process.execSync(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 800 -subj /CN=${cn} -nodes`)) {
reverseproxy: rename to writeDefaultConfig
2019-09-30 15:28:05 -07:00
debug(`writeDefaultConfig: could not generate certificate: ${safe.error.message}`);
Make reverseProxy return BoxError consistently
2019-10-24 10:28:38 -07:00
return callback(new BoxError(BoxError.OPENSSL_ERROR, safe.error));
Fix error handling of all the execSync usage
2018-11-23 11:39:00 -08:00
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
}
nginx: add separate endpoint for ip/setup screens 'setup' endpoint for setup/restore. we show the setup wizard. 'ip' endpoint is post activation. we show a splash screen here. Also, the https://ip will not respond to any api calls anymore (since this will leak the admin fqdn otherwise). We should probably make this customizable at some point. Fixes #739
2020-09-23 22:13:02 -07:00
const data = {
sourceDir: path.resolve(__dirname, '..'),
adminOrigin: settings.adminOrigin(),
vhost: '',
hasIPv6: sysinfo.hasIPv6(),
endpoint: options.activated ? 'ip' : 'setup',
certFilePath,
keyFilePath,
add support for protected sites https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ https://gock.net/blog/2020/nginx-subrequest-authentication-server/ https://github.com/andygock/auth-server
2020-11-09 20:34:48 -08:00
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
proxyAuth: add exclusion path had to move the ~ login/logout regexp inside. This is because of https://www.ruby-forum.com/t/proxy-pass-location-inheritance/239135 What it says is that a regexp inside a matching location prefix is given precedence regardless of how it appears in the file. This means that the negative regexp got precedence over login|logout and thus went into infinite redirect. By moving it to same level, the regexps are considered in order. Some notes on nginx location: * First, it will match the prefixes (= and the /). If =, the matching stops. If /xx then the longest match is "remembered" * It will then match the regex inside the longest match. First match wins * It will then match the rest of the regex locations. First match win * If no regex matched, it will then do the remembered longest prefix fixes #762
2021-01-08 14:10:11 -08:00
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') }
nginx: add separate endpoint for ip/setup screens 'setup' endpoint for setup/restore. we show the setup wizard. 'ip' endpoint is post activation. we show a splash screen here. Also, the https://ip will not respond to any api calls anymore (since this will leak the admin fqdn otherwise). We should probably make this customizable at some point. Fixes #739
2020-09-23 22:13:02 -07:00
};
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, constants.NGINX_DEFAULT_CONFIG_FILE_NAME);
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
some logs for tracking the cron issue
2020-10-07 14:47:51 -07:00
debug(`writeDefaultConfig: writing configs for endpoint "${data.endpoint}"`);
nginx: add separate endpoint for ip/setup screens 'setup' endpoint for setup/restore. we show the setup wizard. 'ip' endpoint is post activation. we show a splash screen here. Also, the https://ip will not respond to any api calls anymore (since this will leak the admin fqdn otherwise). We should probably make this customizable at some point. Fixes #739
2020-09-23 22:13:02 -07:00
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(new BoxError(BoxError.FS_ERROR, safe.error));
remove IP nginx configuration that redirects to dashboard after activation fixes #728
2020-08-13 14:00:55 -07:00
reload(callback);
}
Reference in New Issue Copy Permalink