reverseProxy: single writeAppNginxConfig()
this prepares for secondary domains
@@ -463,83 +463,61 @@ async function writeDashboardConfig(domainObject) {
|
||||
await writeDashboardNginxConfig(dashboardFqdn, bundle);
|
||||
}
|
||||
|
||||
async function writeAppNginxConfig(app, fqdn, bundle) {
|
||||
assert.strictEqual(typeof app, 'object');
|
||||
assert.strictEqual(typeof fqdn, 'string');
|
||||
assert.strictEqual(typeof bundle, 'object');
|
||||
|
||||
var sourceDir = path.resolve(__dirname, '..');
|
||||
var endpoint = 'app';
|
||||
|
||||
let robotsTxtQuoted = null, hideHeaders = [], cspQuoted = null;
|
||||
const reverseProxyConfig = app.reverseProxyConfig || {}; // some of our code uses fake app objects
|
||||
if (reverseProxyConfig.robotsTxt) robotsTxtQuoted = JSON.stringify(app.reverseProxyConfig.robotsTxt);
|
||||
if (reverseProxyConfig.csp) {
|
||||
cspQuoted = `"${app.reverseProxyConfig.csp}"`;
|
||||
hideHeaders = [ 'Content-Security-Policy' ];
|
||||
if (reverseProxyConfig.csp.includes('frame-ancestors ')) hideHeaders.push('X-Frame-Options');
|
||||
}
|
||||
|
||||
const data = {
|
||||
sourceDir: sourceDir,
|
||||
vhost: fqdn,
|
||||
hasIPv6: sysinfo.hasIPv6(),
|
||||
ip: app.containerIp,
|
||||
port: app.manifest.httpPort,
|
||||
endpoint,
|
||||
certFilePath: bundle.certFilePath,
|
||||
keyFilePath: bundle.keyFilePath,
|
||||
robotsTxtQuoted,
|
||||
cspQuoted,
|
||||
hideHeaders,
|
||||
proxyAuth: {
|
||||
enabled: app.sso && app.manifest.addons && app.manifest.addons.proxyAuth,
|
||||
id: app.id,
|
||||
location: nginxLocation(safe.query(app.manifest, 'addons.proxyAuth.path') || '/')
|
||||
},
|
||||
ocsp: await isOcspEnabled(bundle.certFilePath)
|
||||
};
|
||||
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
|
||||
const aliasSuffix = app.fqdn === fqdn ? '' : `-alias-${fqdn.replace('*', '_')}`;
|
||||
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}${aliasSuffix}.conf`);
|
||||
debug('writeAppNginxConfig: writing config for "%s" to %s with options %j', fqdn, nginxConfigFilename, data);
|
||||
|
||||
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
|
||||
debug('Error creating nginx config for "%s" : %s', app.fqdn, safe.error.message);
|
||||
throw new BoxError(BoxError.FS_ERROR, safe.error);
|
||||
}
|
||||
|
||||
await reload();
|
||||
}
|
||||
|
||||
async function writeAppRedirectNginxConfig(app, fqdn, bundle) {
|
||||
async function writeAppNginxConfig(app, fqdn, type, bundle) {
|
||||
assert.strictEqual(typeof app, 'object');
|
||||
assert.strictEqual(typeof fqdn, 'string');
|
||||
assert.strictEqual(typeof type, 'string');
|
||||
assert.strictEqual(typeof bundle, 'object');
|
||||
|
||||
const data = {
|
||||
sourceDir: path.resolve(__dirname, '..'),
|
||||
vhost: fqdn,
|
||||
redirectTo: app.fqdn,
|
||||
hasIPv6: sysinfo.hasIPv6(),
|
||||
endpoint: 'redirect',
|
||||
ip: null,
|
||||
port: null,
|
||||
endpoint: null,
|
||||
redirectTo: null,
|
||||
certFilePath: bundle.certFilePath,
|
||||
keyFilePath: bundle.keyFilePath,
|
||||
robotsTxtQuoted: null,
|
||||
cspQuoted: null,
|
||||
hideHeaders: [],
|
||||
proxyAuth: { enabled: false, id: app.id, location: nginxLocation('/') },
|
||||
proxyAuth: null,
|
||||
ocsp: await isOcspEnabled(bundle.certFilePath)
|
||||
};
|
||||
|
||||
let nginxConfigFilenameSuffix = '';
|
||||
if (type === apps.SUBDOMAIN_TYPE_PRIMARY || type === apps.SUBDOMAIN_TYPE_ALIAS) {
|
||||
const reverseProxyConfig = app.reverseProxyConfig || {}; // some of our code uses fake app objects
|
||||
if (reverseProxyConfig.robotsTxt) data.robotsTxtQuoted = JSON.stringify(app.reverseProxyConfig.robotsTxt);
|
||||
if (reverseProxyConfig.csp) {
|
||||
data.cspQuoted = `"${app.reverseProxyConfig.csp}"`;
|
||||
data.hideHeaders = [ 'Content-Security-Policy' ];
|
||||
if (reverseProxyConfig.csp.includes('frame-ancestors ')) data.hideHeaders.push('X-Frame-Options');
|
||||
}
|
||||
data.proxyAuth = {
|
||||
enabled: app.sso && app.manifest.addons && app.manifest.addons.proxyAuth,
|
||||
id: app.id,
|
||||
location: nginxLocation(safe.query(app.manifest, 'addons.proxyAuth.path') || '/')
|
||||
};
|
||||
data.endpoint = 'app';
|
||||
data.ip = app.containerIp;
|
||||
data.port = app.manifest.httpPort;
|
||||
if (type === apps.SUBDOMAIN_TYPE_ALIAS) nginxConfigFilenameSuffix = `-alias-${fqdn.replace('*', '_')}`;
|
||||
} else if (type === apps.SUBDOMAIN_TYPE_REDIRECT) {
|
||||
data.proxyAuth = { enabled: false, id: app.id, location: nginxLocation('/') };
|
||||
data.endpoint = 'redirect';
|
||||
data.redirectTo = app.fqdn;
|
||||
nginxConfigFilenameSuffix = `-redirect-${fqdn}`;
|
||||
}
|
||||
|
||||
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
|
||||
// if we change the filename, also change it in unconfigureApp()
|
||||
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}-redirect-${fqdn}.conf`);
|
||||
debug('writing config for "%s" redirecting to "%s" to %s with options %j', app.fqdn, fqdn, nginxConfigFilename, data);
|
||||
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}${nginxConfigFilenameSuffix}.conf`);
|
||||
debug(`writeAppNginxConfig: writing config for "${fqdn}" to ${nginxConfigFilename} with options ${JSON.stringify(data)}`);
|
||||
|
||||
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
|
||||
debug('Error creating nginx redirect config for "%s" : %s', app.fqdn, safe.error.message);
|
||||
debug(`Error creating nginx config for "${app.fqdn}" : ${safe.error.message}`);
|
||||
throw new BoxError(BoxError.FS_ERROR, safe.error);
|
||||
}
|
||||
|
||||
@@ -555,14 +533,7 @@ async function writeAppConfig(app) {
|
||||
|
||||
for (const appDomain of appDomains) {
|
||||
const bundle = await getCertificatePath(appDomain.fqdn, appDomain.domain);
|
||||
|
||||
if (appDomain.type === apps.SUBDOMAIN_TYPE_PRIMARY) {
|
||||
await writeAppNginxConfig(app, appDomain.fqdn, bundle);
|
||||
} else if (appDomain.type === apps.SUBDOMAIN_TYPE_REDIRECT) {
|
||||
await writeAppRedirectNginxConfig(app, appDomain.fqdn, bundle);
|
||||
} else if (appDomain.type === apps.SUBDOMAIN_TYPE_ALIAS) {
|
||||
await writeAppNginxConfig(app, appDomain.fqdn, bundle);
|
||||
}
|
||||
await writeAppNginxConfig(app, appDomain.fqdn, appDomain.type, bundle);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -578,7 +549,7 @@ async function configureApp(app, auditSource) {
|
||||
await ensureCertificate(appDomain.fqdn, appDomain.domain, auditSource);
|
||||
}
|
||||
|
||||
writeAppConfig(app);
|
||||
await writeAppConfig(app);
|
||||
}
|
||||
|
||||
async function unconfigureApp(app) {
|
||||
@@ -652,14 +623,8 @@ async function renewCerts(options, auditSource, progressCallback) {
|
||||
// reconfigure since the cert changed
|
||||
if (appDomain.type === 'webadmin' || appDomain.type === 'webadmin+mail') {
|
||||
await writeDashboardNginxConfig(settings.dashboardFqdn(), bundle);
|
||||
} else if (appDomain.type === apps.SUBDOMAIN_TYPE_PRIMARY) {
|
||||
await writeAppNginxConfig(appDomain.app, appDomain.fqdn, bundle);
|
||||
} else if (appDomain.type === apps.SUBDOMAIN_TYPE_REDIRECT) {
|
||||
await writeAppRedirectNginxConfig(appDomain.app, appDomain.fqdn, bundle);
|
||||
} else if (appDomain.type === apps.SUBDOMAIN_TYPE_ALIAS) {
|
||||
await writeAppNginxConfig(appDomain.app, appDomain.fqdn, bundle);
|
||||
} else {
|
||||
throw new BoxError(BoxError.INTERNAL_ERROR, `Unknown domain type for ${appDomain.fqdn}. This should never happen`);
|
||||
await writeAppNginxConfig(appDomain.app, appDomain.fqdn, appDomain.type, bundle);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
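Review bot: The merged `writeAppNginxConfig` has no final `else` after the `SUBDOMAIN_TYPE_REDIRECT` branch, so an unrecognised `type` is rendered with `endpoint`, `ip` and `proxyAuth` still `null` and, because `nginxConfigFilenameSuffix` is still `''`, written to `${app.id}.conf`, the same file the primary domain uses. The `renewCerts` hunk removes the `Unknown domain type` throw that used to guard this path, and the `writeAppConfig` loop now forwards `appDomain.type` unchecked, so nothing rejects an unexpected type any more. I would close the chain with ``else throw new BoxError(BoxError.INTERNAL_ERROR, `Unknown domain type ${type} for ${fqdn}`);`` before the `ejs.render` call. Separately, `data.cspQuoted` wraps the raw CSP in double quotes while `robotsTxtQuoted` goes through `JSON.stringify`; unless the CSP value is validated elsewhere to exclude `"` and line breaks, it deserves the same escaping, since it ends up in the rendered nginx config. The function body continues past the end of the first hunk.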