jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
d57b772adacfb1b95fd656b21d0c87bc4b9f2bf8
cloudron-box/src/reverseproxy.js

438 lines
18 KiB
JavaScript
Raw Normal View History

add certificate manager stub
2015-12-10 13:31:47 -08:00
'use strict';
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
exports = module.exports = {
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
ReverseProxyError: ReverseProxyError,
Move nginx config and cert generation to box code
2017-01-05 14:38:36 -08:00
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
setFallbackCertificate: setFallbackCertificate,
allow to set domain specific fallback certs
2017-11-12 00:53:28 +01:00
getFallbackCertificate: getFallbackCertificate,
make code a bit readable
2017-01-17 09:57:15 -08:00
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
validateCertificate: validateCertificate,
make code a bit readable
2017-01-17 09:57:15 -08:00
Rename getAdminCerticate to getCertificate
2018-01-30 10:13:28 -08:00
getCertificate: getCertificate,
fix acme prod setting detection
2016-06-22 13:48:07 -05:00
make code a bit readable
2017-01-17 09:57:15 -08:00
renewAll: renewAll,
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
configureDefaultServer: configureDefaultServer,
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
configureAdmin: configureAdmin,
configureApp: configureApp,
unconfigureApp: unconfigureApp,
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
reload: reload,
removeAppConfigs: removeAppConfigs,
fix acme prod setting detection
2016-06-22 13:48:07 -05:00
// exported for testing
_getApi: getApi
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
};
add certificate manager stub
2015-12-10 13:31:47 -08:00
var acme = require('./cert/acme.js'),
use fallback certs if renewal fails
2016-03-17 12:20:02 -07:00
apps = require('./apps.js'),
add certificate manager stub
2015-12-10 13:31:47 -08:00
assert = require('assert'),
add getApi
2015-12-14 12:28:00 -08:00
async = require('async'),
add a backend for caas
2015-12-13 19:06:19 -08:00
caas = require('./cert/caas.js'),
add certificate manager stub
2015-12-10 13:31:47 -08:00
config = require('./config.js'),
refactor certificate settings
2015-12-11 13:52:21 -08:00
constants = require('./constants.js'),
remove src/ prefix in debug tags
2017-04-23 21:53:59 -07:00
debug = require('debug')('box:certificates'),
Use tlsConfig from the domain, not from settings
2018-01-31 18:27:18 +01:00
domains = require('./domains.js'),
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
ejs = require('ejs'),
add certificate renew event
2016-04-30 22:27:33 -07:00
eventlog = require('./eventlog.js'),
Add fallback certificate backend
2016-12-05 17:01:23 +01:00
fallback = require('./cert/fallback.js'),
refactor certificate settings
2015-12-11 13:52:21 -08:00
fs = require('fs'),
send a message for cert renewal status
2016-03-19 20:40:03 -07:00
mailer = require('./mailer.js'),
refactor certificate settings
2015-12-11 13:52:21 -08:00
path = require('path'),
add certificate manager stub
2015-12-10 13:31:47 -08:00
paths = require('./paths.js'),
remove overcomplicated certificate events
2018-01-26 22:35:08 -08:00
platform = require('./platform.js'),
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
safe = require('safetydance'),
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
shell = require('./shell.js'),
use fallback cert of altDomain
2018-02-02 20:29:04 -08:00
tld = require('tldjs'),
acme: update account with owner email fixes #544
2016-01-13 14:21:23 -08:00
user = require('./user.js'),
Get rid of x509 module This is the last of the "native" modules. These modules take forever to rebuild in low memory machines
2017-02-24 19:21:53 -08:00
util = require('util');
add certificate manager stub
2015-12-10 13:31:47 -08:00
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh'),
NOOP_CALLBACK = function (error) { if (error) debug(error); };
function ReverseProxyError(reason, errorOrMessage) {
Add CertificatesError
2015-12-11 13:43:33 -08:00
assert.strictEqual(typeof reason, 'string');
assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
Error.call(this);
Error.captureStackTrace(this, this.constructor);
this.name = this.constructor.name;
this.reason = reason;
if (typeof errorOrMessage === 'undefined') {
this.message = reason;
} else if (typeof errorOrMessage === 'string') {
this.message = errorOrMessage;
} else {
this.message = 'Internal error';
this.nestedError = errorOrMessage;
}
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
util.inherits(ReverseProxyError, Error);
ReverseProxyError.INTERNAL_ERROR = 'Internal Error';
ReverseProxyError.INVALID_CERT = 'Invalid certificate';
ReverseProxyError.NOT_FOUND = 'Not Found';
Add CertificatesError
2015-12-11 13:43:33 -08:00
use the acme backend when using altDomain
2016-04-19 08:21:23 -07:00
function getApi(app, callback) {
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof callback, 'function');
Use tlsConfig from the domain, not from settings
2018-01-31 18:27:18 +01:00
domains.get(app.domain, function (error, domain) {
add getApi
2015-12-14 12:28:00 -08:00
if (error) return callback(error);
Use tlsConfig from the domain, not from settings
2018-01-31 18:27:18 +01:00
if (domain.tlsConfig.provider === 'fallback') return callback(null, fallback, {});
Add fallback certificate backend
2016-12-05 17:01:23 +01:00
Remove all occurances of altDomain in the code Tests are pending
2018-02-07 20:54:43 +01:00
var api = domain.tlsConfig.provider === 'caas' ? caas : acme;
add getApi
2015-12-14 12:28:00 -08:00
set prod option based on provider
2015-12-17 13:17:46 -08:00
var options = { };
Use tlsConfig from the domain, not from settings
2018-01-31 18:27:18 +01:00
if (domain.tlsConfig.provider === 'caas') {
Remove all occurances of altDomain in the code Tests are pending
2018-02-07 20:54:43 +01:00
options.prod = true;
fix acme prod setting detection
2016-06-22 13:48:07 -05:00
} else { // acme
le -> letsencrypt
2018-01-31 18:37:05 -08:00
options.prod = domain.tlsConfig.provider.match(/.*-prod/) !== null; // matches 'le-prod' or 'letsencrypt-prod'
fix acme prod setting detection
2016-06-22 13:48:07 -05:00
}
acme: update account with owner email fixes #544
2016-01-13 14:21:23 -08:00
allow email to be configured
2016-01-13 12:15:27 -08:00
// registering user with an email requires A or MX record (https://github.com/letsencrypt/boulder/issues/1197)
// we cannot use admin@fqdn because the user might not have set it up.
acme: update account with owner email fixes #544
2016-01-13 14:21:23 -08:00
// we simply update the account with the latest email we have each time when getting letsencrypt certs
// https://github.com/ietf-wg-acme/acme/issues/30
user.getOwner(function (error, owner) {
Replace alternateEmail with fallbackEmail
2018-01-21 14:50:24 +01:00
options.email = error ? 'support@cloudron.io' : (owner.fallbackEmail || owner.email); // can error if not activated yet
set prod option based on provider
2015-12-17 13:17:46 -08:00
acme: update account with owner email fixes #544
2016-01-13 14:21:23 -08:00
callback(null, api, options);
});
add getApi
2015-12-14 12:28:00 -08:00
});
}
do not renew apps without any cert autoRenew was mistakenly reconfiguring app without a cert (this is the common case for apps in non-custom domain)
2016-03-23 08:49:08 -07:00
function isExpiringSync(certFilePath, hours) {
assert.strictEqual(typeof certFilePath, 'string');
Refactor code to take hours
2016-03-18 22:59:51 -07:00
assert.strictEqual(typeof hours, 'number');
refactor expiry check
2016-03-19 12:50:31 -07:00
do not renew apps without any cert autoRenew was mistakenly reconfiguring app without a cert (this is the common case for apps in non-custom domain)
2016-03-23 08:49:08 -07:00
if (!fs.existsSync(certFilePath)) return 2; // not found
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
fix linter errors
2016-03-19 13:22:38 -07:00
var result = safe.child_process.spawnSync('/usr/bin/openssl', [ 'x509', '-checkend', String(60 * 60 * hours), '-in', certFilePath ]);
Refactor code to take hours
2016-03-18 22:59:51 -07:00
trim the output string
2016-03-21 08:25:10 -07:00
debug('isExpiringSync: %s %s %s', certFilePath, result.stdout.toString('utf8').trim(), result.status);
cert: check expiry correctly
2016-03-14 22:50:06 -07:00
return result.status === 1; // 1 - expired 0 - not expired
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
}
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
// note: https://tools.ietf.org/html/rfc4346#section-7.4.2 (certificate_list) requires that the
// servers certificate appears first (and not the intermediate cert)
change order of validateCertificate args
2018-01-26 20:34:15 -08:00
function validateCertificate(domain, cert, key) {
fqdn -> domain
2018-01-24 14:28:35 -08:00
assert.strictEqual(typeof domain, 'string');
certificates: cert/key cannot be null
2018-01-26 19:31:06 -08:00
assert.strictEqual(typeof cert, 'string');
assert.strictEqual(typeof key, 'string');
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
fqdn -> domain
2018-01-24 14:28:35 -08:00
function matchesDomain(candidate) {
if (typeof candidate !== 'string') return false;
if (candidate === domain) return true;
if (candidate.indexOf('*') === 0 && candidate.slice(2) === domain.slice(domain.indexOf('.') + 1)) return true;
Bring back code for alt domain match There are no actual tests for this yet. Should be added.
2017-05-11 21:55:25 +02:00
return false;
}
certificates: cert/key cannot be null
2018-01-26 19:31:06 -08:00
// check for empty cert and key strings
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!cert && key) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'missing cert');
if (cert && !key) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'missing key');
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
fqdn -> domain
2018-01-24 14:28:35 -08:00
var result = safe.child_process.execSync('openssl x509 -noout -checkhost "' + domain + '"', { encoding: 'utf8', input: cert });
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!result) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'Unable to get certificate subject.');
Bring back code for alt domain match There are no actual tests for this yet. Should be added.
2017-05-11 21:55:25 +02:00
// if no match, check alt names
if (result.indexOf('does match certificate') === -1) {
// https://github.com/drwetter/testssl.sh/pull/383
lint
2017-11-27 10:39:42 -08:00
var cmd = 'openssl x509 -noout -text | grep -A3 "Subject Alternative Name" | \
Bring back code for alt domain match There are no actual tests for this yet. Should be added.
2017-05-11 21:55:25 +02:00
grep "DNS:" | \
lint
2017-11-27 10:39:42 -08:00
sed -e "s/DNS://g" -e "s/ //g" -e "s/,/ /g" -e "s/othername:<unsupported>//g"';
Bring back code for alt domain match There are no actual tests for this yet. Should be added.
2017-05-11 21:55:25 +02:00
result = safe.child_process.execSync(cmd, { encoding: 'utf8', input: cert });
var altNames = result ? [ ] : result.trim().split(' '); // might fail if cert has no SAN
debug('validateCertificate: detected altNames as %j', altNames);
// check altNames
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!altNames.some(matchesDomain)) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, util.format('Certificate is not valid for this domain. Expecting %s in %j', domain, altNames));
Bring back code for alt domain match There are no actual tests for this yet. Should be added.
2017-05-11 21:55:25 +02:00
}
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
// http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
var certModulus = safe.child_process.execSync('openssl x509 -noout -modulus', { encoding: 'utf8', input: cert });
var keyModulus = safe.child_process.execSync('openssl rsa -noout -modulus', { encoding: 'utf8', input: key });
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (certModulus !== keyModulus) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'Key does not match the certificate.');
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
lint
2017-11-27 10:39:42 -08:00
// check expiration
Get rid of x509 module This is the last of the "native" modules. These modules take forever to rebuild in low memory machines
2017-02-24 19:21:53 -08:00
result = safe.child_process.execSync('openssl x509 -checkend 0', { encoding: 'utf8', input: cert });
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!result) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'Certificate has expired.');
Get rid of x509 module This is the last of the "native" modules. These modules take forever to rebuild in low memory machines
2017-02-24 19:21:53 -08:00
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
return null;
}
refactor certificate settings
2015-12-11 13:52:21 -08:00
Move the BOX_ENV check for more test coverage
2018-01-30 16:14:05 -08:00
function reload(callback) {
if (process.env.BOX_ENV === 'test') return callback();
shell.sudo('reload', [ RELOAD_NGINX_CMD ], callback);
}
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
function setFallbackCertificate(domain, fallback, callback) {
fqdn -> domain
2018-01-24 14:28:35 -08:00
assert.strictEqual(typeof domain, 'string');
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
assert.strictEqual(typeof fallback, 'object');
refactor certificate settings
2015-12-11 13:52:21 -08:00
assert.strictEqual(typeof callback, 'function');
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
const certFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`);
const keyFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.key`);
do not regenerate fallback certificate
2018-01-26 22:27:32 -08:00
if (fallback) {
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
// backup the cert
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`), fallback.cert)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.key`), fallback.key)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
do not regenerate fallback certificate
2018-01-26 22:27:32 -08:00
} else if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) { // generate it
var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=*.%s -nodes', keyFilePath, certFilePath, domain);
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!safe.child_process.execSync(certCommand)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
}
refactor certificate settings
2015-12-11 13:52:21 -08:00
remove overcomplicated certificate events
2018-01-26 22:35:08 -08:00
platform.handleCertChanged('*.' + domain);
listen for cert changed events and restart mail container neither haraka nor dovecot restarts on cert change Fixes #47
2017-01-17 10:53:26 -08:00
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
reload(function (error) {
if (error) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, error));
refactor certificate settings
2015-12-11 13:52:21 -08:00
return callback(null);
});
}
fqdn -> domain
2018-01-24 14:28:35 -08:00
function getFallbackCertificate(domain, callback) {
assert.strictEqual(typeof domain, 'string');
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
assert.strictEqual(typeof callback, 'function');
Fix use of fallback certs We used to always use nginx cert dir. When custom fallback certs were set, we used to copy it in boxdata cert dir and then nginx cert dir. The issue is then that we have to copy all certs to nginx cert dir on cloudron restore. To fix this, we simply give priority to nginx cert dir and not copy around certs anymore. caas cert will reside in nginx cert dir and not get backed up, as expected.
2018-01-31 18:20:29 -08:00
// check for any pre-provisioned (caas) certs. they get first priority
var certFilePath = path.join(paths.NGINX_CERT_DIR, `${domain}.host.cert`);
var keyFilePath = path.join(paths.NGINX_CERT_DIR, `${domain}.host.key`);
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
// check for auto-generated or user set fallback certs
certFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`);
keyFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.key`);
callback(null, { certFilePath, keyFilePath });
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
}
Rename getAdminCerticate to getCertificate
2018-01-30 10:13:28 -08:00
function getCertificate(app, callback) {
assert.strictEqual(typeof app, 'object');
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
assert.strictEqual(typeof callback, 'function');
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
var certFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.user.cert`);
var keyFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.user.key`);
check user cert and then the le cert part of #47
2017-01-17 09:58:55 -08:00
Fix use of fallback certs We used to always use nginx cert dir. When custom fallback certs were set, we used to copy it in boxdata cert dir and then nginx cert dir. The issue is then that we have to copy all certs to nginx cert dir on cloudron restore. To fix this, we simply give priority to nginx cert dir and not copy around certs anymore. caas cert will reside in nginx cert dir and not get backed up, as expected.
2018-01-31 18:20:29 -08:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
check user cert and then the le cert part of #47
2017-01-17 09:58:55 -08:00
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
certFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.cert`);
keyFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.key`);
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
Fix use of fallback certs We used to always use nginx cert dir. When custom fallback certs were set, we used to copy it in boxdata cert dir and then nginx cert dir. The issue is then that we have to copy all certs to nginx cert dir on cloudron restore. To fix this, we simply give priority to nginx cert dir and not copy around certs anymore. caas cert will reside in nginx cert dir and not get backed up, as expected.
2018-01-31 18:20:29 -08:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
Fix use of fallback certs We used to always use nginx cert dir. When custom fallback certs were set, we used to copy it in boxdata cert dir and then nginx cert dir. The issue is then that we have to copy all certs to nginx cert dir on cloudron restore. To fix this, we simply give priority to nginx cert dir and not copy around certs anymore. caas cert will reside in nginx cert dir and not get backed up, as expected.
2018-01-31 18:20:29 -08:00
return getFallbackCertificate(app.domain, callback);
generate cert files for mail container this allows us to not track paths anymore part of #47
2017-01-17 10:21:42 -08:00
}
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
function ensureCertificate(app, auditSource, callback) {
ensureCertificate now takes app object
2016-04-19 08:13:44 -07:00
assert.strictEqual(typeof app, 'object');
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
assert.strictEqual(typeof auditSource, 'object');
Add certificates.ensureCertificate which gets cert via acme
2015-12-11 14:15:23 -08:00
assert.strictEqual(typeof callback, 'function');
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
var certFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.user.cert`);
var keyFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.user.key`);
Save user certs separately from automatic certs Fixing the admin cert is a bit more complex since it is used in setup script as well. Can do that in a later task. Fixes #44
2016-09-12 01:21:51 -07:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
debug('ensureCertificate: %s. user certificate already exists at %s', app.fqdn, keyFilePath);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
return callback(null, { certFilePath, keyFilePath, reason: 'user' });
Save user certs separately from automatic certs Fixing the admin cert is a bit more complex since it is used in setup script as well. Can do that in a later task. Fixes #44
2016-09-12 01:21:51 -07:00
}
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
certFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.cert`);
keyFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.key`);
do not renew apps without any cert autoRenew was mistakenly reconfiguring app without a cert (this is the common case for apps in non-custom domain)
2016-03-23 08:49:08 -07:00
Save user certs separately from automatic certs Fixing the admin cert is a bit more complex since it is used in setup script as well. Can do that in a later task. Fixes #44
2016-09-12 01:21:51 -07:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
debug('ensureCertificate: %s. certificate already exists at %s', app.fqdn, keyFilePath);
fix linter errors
2016-03-19 13:22:38 -07:00
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
if (!isExpiringSync(certFilePath, 24 * 30)) return callback(null, { certFilePath, keyFilePath, reason: 'existing-le' });
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
debug('ensureCertificate: %s cert require renewal', app.fqdn);
Correct debug lines for cert renewal or not existing
2017-01-17 10:35:42 +01:00
} else {
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
debug('ensureCertificate: %s cert does not exist', app.fqdn);
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
}
use the acme backend when using altDomain
2016-04-19 08:21:23 -07:00
getApi(app, function (error, api, apiOptions) {
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
if (error) return callback(error);
use tlsConfig to determine acme or not
2015-12-11 22:25:22 -08:00
caas: make the cert provider use domain fallback certs
2018-01-30 14:18:25 -08:00
debug('ensureCertificate: getting certificate for %s with options %j', vhost, apiOptions);
Add certificates.ensureCertificate which gets cert via acme
2015-12-11 14:15:23 -08:00
caas: make the cert provider use domain fallback certs
2018-01-30 14:18:25 -08:00
api.getCertificate(vhost, apiOptions, function (error, certFilePath, keyFilePath) {
Fix crash when cert renewal fails
2018-02-02 21:21:51 -08:00
var errorMessage = error ? error.message : '';
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
if (error) {
debug('ensureCertificate: could not get certificate. using fallback certs', error);
mailer.certificateRenewalError(vhost, errorMessage);
}
eventlog.add(eventlog.ACTION_CERTIFICATE_RENEWAL, auditSource, { domain: vhost, errorMessage: errorMessage });
allow to set domain specific fallback certs
2017-11-12 00:53:28 +01:00
caas: make the cert provider use domain fallback certs
2018-01-30 14:18:25 -08:00
// if no cert was returned use fallback. the fallback/caas provider will not provide any for example
Remove all occurances of altDomain in the code Tests are pending
2018-02-07 20:54:43 +01:00
if (!certFilePath || !keyFilePath) return getFallbackCertificate(app.domain, callback);
simply use fallback certs if LE fails currently, it fails if we cannot get a cert. This means that we need to provide some option to simply use fallback cert. This requires UI changes that I want to avoid :-)
2015-12-14 17:09:40 -08:00
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
callback(null, { certFilePath, keyFilePath, reason: 'new-le' });
simply use fallback certs if LE fails currently, it fails if we cannot get a cert. This means that we need to provide some option to simply use fallback cert. This requires UI changes that I want to avoid :-)
2015-12-14 17:09:40 -08:00
});
Add certificates.ensureCertificate which gets cert via acme
2015-12-11 14:15:23 -08:00
});
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
function configureAdminInternal(bundle, configFileName, vhost, callback) {
assert.strictEqual(typeof bundle, 'object');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
assert.strictEqual(typeof configFileName, 'string');
assert.strictEqual(typeof vhost, 'string');
assert.strictEqual(typeof callback, 'function');
var data = {
sourceDir: path.resolve(__dirname, '..'),
adminOrigin: config.adminOrigin(),
vhost: vhost, // if vhost is empty it will become the default_server
hasIPv6: config.hasIPv6(),
endpoint: 'admin',
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
xFrameOptions: 'SAMEORIGIN',
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n')
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, configFileName);
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(safe.error);
reload(callback);
}
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
function configureAdmin(auditSource, callback) {
typos
2018-01-30 19:59:09 -08:00
assert.strictEqual(typeof auditSource, 'object');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
assert.strictEqual(typeof callback, 'function');
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
var adminApp = { domain: config.adminDomain(), fqdn: config.adminFqdn() };
typos
2018-01-30 19:59:09 -08:00
ensureCertificate(adminApp, auditSource, function (error, bundle) {
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
if (error) return callback(error);
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
configureAdminInternal(bundle, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn(), callback);
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
});
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
function configureAppInternal(app, bundle, callback) {
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof bundle, 'object');
assert.strictEqual(typeof callback, 'function');
var sourceDir = path.resolve(__dirname, '..');
var endpoint = 'app';
var data = {
sourceDir: sourceDir,
adminOrigin: config.adminOrigin(),
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
vhost: app.fqdn,
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
hasIPv6: config.hasIPv6(),
port: app.httpPort,
endpoint: endpoint,
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
robotsTxtQuoted: app.robotsTxt ? JSON.stringify(app.robotsTxt) : null,
xFrameOptions: app.xFrameOptions || 'SAMEORIGIN' // once all apps have been updated/
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
debug('writing config for "%s" to %s with options %j', app.fqdn, nginxConfigFilename, data);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
debug('Error creating nginx config for "%s" : %s', app.fqdn, safe.error.message);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
return callback(safe.error);
}
reload(callback);
}
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
function configureApp(app, auditSource, callback) {
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
assert.strictEqual(typeof app, 'object');
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
assert.strictEqual(typeof auditSource, 'object');
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
assert.strictEqual(typeof callback, 'function');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
ensureCertificate(app, auditSource, function (error, bundle) {
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
if (error) return callback(error);
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
configureAppInternal(app, bundle, callback);
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
});
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
}
function unconfigureApp(app, callback) {
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof callback, 'function');
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
if (!safe.fs.unlinkSync(nginxConfigFilename)) {
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
if (safe.error.code !== 'ENOENT') debug('Error removing nginx configuration of "%s": %s', app.fqdn, safe.error.message);
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
return callback(null);
}
reload(callback);
}
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
function renewAll(auditSource, callback) {
assert.strictEqual(typeof auditSource, 'object');
assert.strictEqual(typeof callback, 'function');
debug('renewAll: Checking certificates for renewal');
apps.getAll(function (error, allApps) {
if (error) return callback(error);
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
allApps.push({ domain: config.adminDomain(), fqdn: config.adminFqdn() }); // inject fake webadmin app
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
async.eachSeries(allApps, function (app, iteratorCallback) {
ensureCertificate(app, auditSource, function (error, bundle) {
if (bundle.reason !== 'new-le' && bundle.reason !== 'fallback') return iteratorCallback();
// reconfigure for the case where we got a renewed cert after fallback
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
var configureFunc = app.fqdn === config.adminFqdn() ?
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
configureAdminInternal.bind(null, bundle, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn())
: configureAppInternal.bind(null, app, bundle);
configureFunc(function (ignoredError) {
if (ignoredError) debug('fallbackExpiredCertificates: error reconfiguring app', ignoredError);
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
platform.handleCertChanged(app.fqdn);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
iteratorCallback(); // move to next app
});
});
});
});
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
function removeAppConfigs() {
for (var appConfigFile of fs.readdirSync(paths.NGINX_APPCONFIG_DIR)) {
fs.unlinkSync(path.join(paths.NGINX_APPCONFIG_DIR, appConfigFile));
}
}
function configureDefaultServer(callback) {
callback = callback || NOOP_CALLBACK;
var certFilePath = path.join(paths.NGINX_CERT_DIR, 'default.cert');
var keyFilePath = path.join(paths.NGINX_CERT_DIR, 'default.key');
if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) {
debug('configureDefaultServer: create new cert');
var cn = 'cloudron-' + (new Date()).toISOString(); // randomize date a bit to keep firefox happy
var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=%s -nodes', keyFilePath, certFilePath, cn);
safe.child_process.execSync(certCommand);
}
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
configureAdminInternal({ certFilePath, keyFilePath }, 'default.conf', '', function (error) {
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (error) return callback(error);
debug('configureDefaultServer: done');
callback(null);
});
}
Reference in New Issue Copy Permalink