Girish Ramakrishnan
89127e1df7
reverseproxy: rework cert logic
...
9c8f78a059 already fixed many of the cert issues.
However, some issues were caught in the CI:
* The TLS addon has to be rebuilt and not just restarted. For this reason, we now
move things to a directory instead of mounting files. This way the container is just restarted.
* Cleanups must be driven by the database and not the filesystem. Deleting files on disk or after a restore,
the certs are left dangling forever in the db.
* Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want.
2022-11-29 11:07:23 +01:00
Girish Ramakrishnan
b70572a6e9
dns: fqdn only needs domain string
...
This is from the caas days, when we had hyphenated subdomains flag
2022-11-28 21:56:25 +01:00
Girish Ramakrishnan
817e950d47
Fix upstreamUri verification
2022-11-23 12:58:17 +01:00
Girish Ramakrishnan
5d0309f1ca
reverseproxy: check renewal against cert instead of the files
2022-11-17 16:40:14 +01:00
Girish Ramakrishnan
00771d8197
reverseproxy: move dashboard config to subdir as well
2022-11-17 15:50:34 +01:00
Girish Ramakrishnan
641752a222
reverseproxy: remove getAcmeApiOptions
2022-11-17 12:39:23 +01:00
Girish Ramakrishnan
e3b0d3960a
reverseproxy: create configs in subdirectories for easy management
2022-11-17 12:16:11 +01:00
Girish Ramakrishnan
cd90864bc3
typos
2022-11-17 11:46:29 +01:00
Girish Ramakrishnan
23cc0d6f0e
acme2: do not pass around paths
2022-11-17 11:44:36 +01:00
Girish Ramakrishnan
35076b0e93
use vhost naming for nginx config terminology
2022-11-17 10:22:46 +01:00
Girish Ramakrishnan
293b8a0d34
remove location type from nginx filename
...
this will keep it consistent with upcoming cert filenames
2022-11-17 10:22:46 +01:00
Girish Ramakrishnan
0c8b8346f4
Move getLocationsSync into apps.js
2022-11-17 10:22:43 +01:00
Girish Ramakrishnan
e3642f4278
reverse proxy: rebuild configs on provider change
2022-11-16 12:42:06 +01:00
Girish Ramakrishnan
19b0d47988
remove obsolete fixme
2022-11-16 11:46:31 +01:00
Girish Ramakrishnan
f82f533f36
Add SIGHUP handler to reload certs
...
we have to reload directory server certs out of process
2022-11-16 08:24:42 +01:00
Girish Ramakrishnan
15d5dfd406
reverseproxy: move the reload out of the write functions
2022-11-16 07:55:26 +01:00
Girish Ramakrishnan
0843baad8b
reverseproxy: remove options from renewCerts
2022-11-14 08:13:47 +01:00
Girish Ramakrishnan
5e2a55ecad
add debug
2022-11-13 22:10:01 +01:00
Girish Ramakrishnan
c597d9fbaa
add fixme
2022-11-13 21:55:13 +01:00
Girish Ramakrishnan
8b43d43e35
reverseproxy: compare the cert path on cert renewal
...
fqdn will not match for wildcard certs
2022-11-13 18:06:34 +01:00
Girish Ramakrishnan
5447181e41
cert: add some asserts
2022-11-13 17:27:05 +01:00
Girish Ramakrishnan
3caf77cee6
cert: add message for fallback cert
2022-11-13 16:59:22 +01:00
Girish Ramakrishnan
2515a0f18f
cert: do not autoclean default cert
2022-11-13 16:56:51 +01:00
Girish Ramakrishnan
9c8f78a059
reverseproxy: simplify certificate renewal
...
An issue was that mail container was not getting refreshed with the up-to-date
certs. The root cause is that it is refreshed only in the renewCerts()
cron job. If cert renewal was caused by an app task, then the cron job will
skip the restart (since cert is fresh).
The other issue is that we keep hitting 0 length certs when we run out of disk
space. The root cause is that when out of disk space, a cert renewal will
cause cert to be written but since it has no space it is 0 length. Then, when
the user tries to restart the server, the box code does not write the cert again.
This change fixes the above two including:
* To simplify, we use the fallback cert only if we failed to get a LE cert. Expired LE certs
will continue to be used. nginx is fine with this.
* restart directory as well on renewal
2022-11-13 11:55:12 +01:00
Johannes Zellner
d20f8d5e75
Fix acme refactoring
2022-08-22 12:55:43 +02:00
Girish Ramakrishnan
116cde19f9
constants: location -> subdomain
2022-07-14 15:18:17 +05:30
Girish Ramakrishnan
14fc089f05
Fixup user and acme cert syncing
2022-07-14 15:04:45 +05:30
Girish Ramakrishnan
885d60f7cc
reverseproxy: add setUserCertificate
2022-07-14 13:25:41 +05:30
Girish Ramakrishnan
d33fd7b886
do not use bundle terminology
...
apparently, bundle is also like a cert chain
2022-07-14 12:39:41 +05:30
Girish Ramakrishnan
ba067a959c
reverseproxy: per location user certificates
2022-07-14 12:21:30 +05:30
Girish Ramakrishnan
a246cb7e73
return location certificates
2022-07-14 11:57:04 +05:30
Girish Ramakrishnan
2af29fd844
cleanupCerts: add progress
2022-07-13 11:22:47 +05:30
Girish Ramakrishnan
1549f6a4d0
fix various terminology in code
...
subdomain, domain - strings
location - { subdomain, domain }
bundle - { cert, key }
bundlePath - { certFilePath, keyFilePath }
vhost is really just for virtual hosting
fqdn for others
2022-07-13 10:15:09 +05:30
Johannes Zellner
11d7dfa071
Accept upstreamUri as string for proxy app install
2022-06-09 14:35:05 +02:00
Johannes Zellner
923a9f6560
Rename RELAY_APPSTORE_ID to PROXY_APP_APPSTORE_ID
2022-06-09 13:57:57 +02:00
Johannes Zellner
f854d86986
Use upstreamUri in reverseproxy config
2022-06-09 10:48:54 +02:00
Johannes Zellner
a955457ee7
Support proxy app
2022-06-09 10:48:54 +02:00
Girish Ramakrishnan
6839ff4cf6
reverseproxy: fix typo
...
this typo was causing nginx configs of the primary domain being re-written
every time we try to renew certs
2022-04-04 10:30:32 -07:00
Girish Ramakrishnan
a662a60332
eventlog: add event for certificate cleanup
2022-02-24 19:55:43 -08:00
Girish Ramakrishnan
eb3e87c340
add debug
2022-02-17 11:08:22 -08:00
Girish Ramakrishnan
012a3e2984
ensure certificate of secondary domains
2022-02-16 20:32:04 -08:00
Girish Ramakrishnan
46b497d87e
rename SUBDOMAIN_ to LOCATION_
...
location is { subdomain, domain } pair
2022-02-07 13:48:08 -08:00
Girish Ramakrishnan
964c1a5f5a
remove field from errors
...
we have standardized on indexOf in error.message by now
2022-02-07 13:44:29 -08:00
Girish Ramakrishnan
67fe17d20c
Fix crash with alias domains
2022-02-01 21:28:43 -08:00
Girish Ramakrishnan
19ddff058e
reverseproxy: fix crash because of missing app property
2022-01-29 16:53:26 -08:00
Girish Ramakrishnan
5382e3d832
remove nginx config of stopped apps
...
when the cert of a stopped app gets auto-cleaned up, nginx does not
start anymore since the config references the cert.
there are two possible fixes:
* do not cleanup cert of stopped apps
* remove the nginx config of stopped apps
this implements the second approach
2022-01-28 10:23:56 -08:00
Girish Ramakrishnan
f017e297f7
secondaryDomains are always required
...
they can still become empty after an update but install and change_location
require them
part of #809
2022-01-21 10:03:30 -08:00
Girish Ramakrishnan
1e2f01cc69
reverseProxy: refactor filename logic
2022-01-16 12:22:29 -08:00
Girish Ramakrishnan
b34f66b115
add secondary domains
...
note that for updates to work, we keep the secondary domain optional,
even though they are really not.
part of #809
2022-01-16 12:10:48 -08:00
Girish Ramakrishnan
d18977ccad
reverseProxy: single writeAppNginxConfig()
...
this prepares for secondary domains
2022-01-16 11:29:21 -08:00