Added template engine

backend/embed/main.go

@@ -2,6 +2,10 @@ package embed
 
 import "embed"
 
+// AcmeSh script
+//go:embed acme.sh
+var AcmeSh string
+
 // APIDocFiles contain all the files used for swagger schema generation
 //go:embed api_docs
 var APIDocFiles embed.FS
@@ -14,6 +18,6 @@ var Assets embed.FS
 //go:embed migrations/*.sql
 var MigrationFiles embed.FS
 
-// AcmeSh script
-//go:embed acme.sh
-var AcmeSh string
+// NginxFiles hold nginx config templates
+//go:embed nginx
+var NginxFiles embed.FS

backend/embed/nginx/_assets.conf.hbs

@@ -0,0 +1,4 @@
+{{#if caching_enabled}}
+	# Asset Caching
+	include conf.d/include/assets.conf;
+{{/if}}

backend/embed/nginx/_certificates.conf.hbs

@@ -0,0 +1,13 @@
+{{#if certificate}}
+	{{#if (equal certificate.certificate_authority_id "0")}}
+		# Custom SSL
+		ssl_certificate {{npm_data_dir}}/custom_ssl/npm-{{certificate.id}}/fullchain.pem;
+		ssl_certificate_key {{npm_data_dir}}/custom_ssl/npm-{{certificate.id}}/privkey.pem;
+	{{else}}
+		# Acme SSL
+		include {{nginx_conf_dir}}/npm/conf.d/acme-challenge.conf;
+		include {{nginx_conf_dir}}/npm/conf.d/include/ssl-ciphers.conf;
+		ssl_certificate {{acme_certs_dir}}/npm-{{certificate.id}}/fullchain.pem;
+		ssl_certificate_key {{acme_certs_dir}}/npm-{{certificate.id}}/privkey.pem;
+	{{/if}}
+{{/if}}

backend/embed/nginx/_forced_ssl.conf.hbs

@@ -0,0 +1,6 @@
+{{#if certificate}}
+	{{#if ssl_forced}}
+		# Force SSL
+		include {{nginx_conf_dir}}/npm/conf.d/include/force-ssl.conf;
+	{{/if}}
+{{/if}}

backend/embed/nginx/_hsts.conf.hbs

@@ -0,0 +1,8 @@
+{{#if certificate}}
+	{{#if ssl_forced}}
+		{{#if hsts_enabled}}
+			# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
+			add_header Strict-Transport-Security "max-age=63072000;{{#if hsts_subdomains}} includeSubDomains;{{/if}} preload" always;
+		{{/if}}
+	{{/if}}
+{{/if}}

backend/embed/nginx/_listen.conf.hbs

@@ -0,0 +1,18 @@
+listen 80;
+
+{{#if ipv6}}
+	listen [::]:80;
+{{else}}
+	#listen [::]:80;
+{{/if}}
+
+{{#if certificate}}
+	listen 443 ssl{% if http2_support %} http2{% endif %};
+	{{#if ipv6}}
+		listen [::]:443;
+	{{else}}
+		#listen [::]:443;
+	{{/if}}
+{{/if}}
+
+server_name{{#each domain_names}} {{this}}{{/each}};

backend/embed/nginx/_location.conf.hbs

@@ -0,0 +1,40 @@
+location {{path}} {
+	proxy_set_header Host $host;
+	proxy_set_header X-Forwarded-Scheme $scheme;
+	proxy_set_header X-Forwarded-Proto  $scheme;
+	proxy_set_header X-Forwarded-For    $remote_addr;
+	proxy_set_header X-Real-IP          $remote_addr;
+	proxy_pass       {{forward_scheme}}://{{forward_host}}:{{forward_port}}{{forward_path}};
+
+	{{#if access_list}}
+		{{#if access_list.items}}
+			# Authorization
+			auth_basic            "Authorization required";
+			auth_basic_user_file  {{npm_data_dir}}/access/{{access_list.id}};
+			{{access_list.passauth}}
+		{{/if}}
+
+		# Access Rules
+		{{#each access_list.clients as |client clientIdx|}}
+			{{client.rule}};
+		{{/each}}deny all;
+
+		# Access checks must...
+		{{#if access_list.satisfy}}
+			{{access_list.satisfy}};
+		{{/if}}
+	{{/if}}
+
+	{{> inc_assets}}
+	{{> inc_forced_ssl}}
+	{{> inc_hsts}}
+
+	{{#if allow_websocket_upgrade}}
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $http_connection;
+		proxy_http_version 1.1;
+	{{/if}}
+
+	{{advanced_config}}
+ }
+

backend/embed/nginx/acme-request.conf.hbs

@@ -0,0 +1,15 @@
+server {
+	listen 80;
+	{{#if ipv6}}
+		listen [::]:80;
+	{{/if}}
+
+	server_name{{#each domain_names}} {{this}}{{/each}};
+	access_log {{npm_data_dir}}/logs/acme-requests_access.log standard;
+	error_log {{npm_data_dir}}/logs/acme-requests_error.log warn;
+	{{nginx_conf_dir}}/npm/conf.d/include/letsencrypt-acme-challenge.conf;
+
+	location / {
+		return 404;
+	}
+}

backend/embed/nginx/dead_host.conf.hbs

@@ -0,0 +1,20 @@
+{{#if enabled}}
+	server {
+		{{> inc_listen}}
+		{{> inc_certificates}}
+		{{> inc_hsts}}
+		{{> inc_forced_ssl}}
+
+		access_log {{npm_data_dir}}/logs/dead-host-{{id}}_access.log standard;
+		error_log {{npm_data_dir}}/logs/dead-host-{{id}}_error.log warn;
+
+		{{advanced_config}}
+
+		{{#if use_default_location}}
+			location / {
+				{{> inc_hsts}}
+				return 404;
+			}
+		{{/if}}
+	}
+{{/if}}

backend/embed/nginx/default.conf.hbs

@@ -0,0 +1,35 @@
+{{#if (equal value "congratulations")}}
+	# Skipping output, congratulations page configration is baked in.
+{{else}}
+	server {
+		listen 80 default;
+		{{#if ipv6}}
+			listen [::]:80;
+		{{else}}
+			#listen [::]:80;
+		{{/if}}
+
+		server_name default-host.localhost;
+		access_log {{npm_data_dir}}/logs/default-host_access.log combined;
+		error_log {{npm_data_dir}}/logs/default-host_error.log warn;
+
+		{{#if (equal value "404")}}
+			location / {
+				return 404;
+			}
+		{{/if}}
+
+		{{#if (equal value "redirect")}}
+			location / {
+				return 301 {{meta.redirect}};
+			}
+		{{/if}}
+
+		{{#if (equal value "html")}}
+			root {{npm_data_dir}}/nginx/default_www;
+			location / {
+				try_files $uri /index.html;
+			}
+		{{/if}}
+	}
+{{/if}}

backend/embed/nginx/ip_ranges.conf.hbs

@@ -0,0 +1,3 @@
+{{#each ip_ranges as |range rangeIdx|}}
+	set_real_ip_from {{range}};
+{{/each}}

backend/embed/nginx/proxy_host.conf.hbs

@@ -0,0 +1,62 @@
+{{#if enabled}}
+	server {
+		set $forward_scheme {{forward_scheme}};
+		set $server         "{{forward_host}}";
+		set $port           {{forward_port}};
+
+		{{> inc_listen}}
+		{{> inc_certificates}}
+		{{> inc_assets}}
+		{{> inc_hsts}}
+		{{> inc_forced_ssl}}
+
+		{{#if allow_websocket_upgrade}}
+			proxy_set_header Upgrade $http_upgrade;
+			proxy_set_header Connection $http_connection;
+			proxy_http_version 1.1;
+		{{/if}}
+
+		access_log {{npm_data_dir}}/logs/proxy-host-{{id}}_access.log proxy;
+		error_log {{npm_data_dir}}/logs/proxy-host-{{id}}_error.log warn;
+
+		{{advanced_config}}
+		{{locations}}
+
+		{{#if use_default_location}}
+			location / {
+				{{#if access_list}}
+					{{#if access_list.items}}
+						# Authorization
+						auth_basic            "Authorization required";
+						auth_basic_user_file  {{npm_data_dir}}/access/{{access_list.id}};
+						{{access_list.passauth}}
+					{{/if}}
+
+					# Access Rules
+					{{#each access_list.clients as |client clientIdx|}}
+						{{client.rule}};
+					{{/each}}deny all;
+
+					# Access checks must...
+					{{#if access_list.satisfy}}
+						{{access_list.satisfy}};
+					{{/if}}
+				{{/if}}
+
+				{{> inc_hsts}}
+
+				{{#if allow_websocket_upgrade}}
+					proxy_set_header Upgrade $http_upgrade;
+					proxy_set_header Connection $http_connection;
+					proxy_http_version 1.1;
+				{{/if}}
+
+				# Proxy!
+				include {{nginx_conf_dir}}/npm/conf.d/include/proxy.conf;
+			}
+		{{/if}}
+
+		# Custom
+		include {{npm_data_dir}}/nginx/custom/server_proxy[.]conf;
+	}
+{{/if}}

backend/embed/nginx/redirection_host.conf.hbs

@@ -0,0 +1,28 @@
+{{#if enabled}}
+	server {
+		{{> inc_listen}}
+		{{> inc_certificates}}
+		{{> inc_assets}}
+		{{> inc_hsts}}
+		{{> inc_forced_ssl}}
+
+		access_log {{npm_data_dir}}/logs/redirection-host-{{ id }}_access.log standard;
+		error_log {{npm_data_dir}}/logs/redirection-host-{{ id }}_error.log warn;
+
+		{{advanced_config}}
+
+		{{#if use_default_location}}
+			location / {
+				{{> inc_hsts}}
+				{{#if preserve_path}}
+					return {{forward_http_code}} {{forward_scheme}}://{{forward_domain_name}}$request_uri;
+				{{else}}
+					return {{forward_http_code}} {{forward_scheme}}://{{forward_domain_name}};
+				{{/if}}
+			}
+		{{/if}}
+
+		# Custom
+		include {{npm_data_dir}}/nginx/custom/server_redirect[.]conf;
+	}
+{{/if}}

backend/embed/nginx/stream.conf.hbs

@@ -0,0 +1,34 @@
+{{#if enabled}}
+	{{#if tcp_forwarding}}
+		server {
+			listen {{incoming_port}};
+			{{#if ipv6}}
+				listen [::]:{{incoming_port}};
+			{{else}}
+				#listen [::]:{{incoming_port}};
+			{{/if}}
+
+			proxy_pass {{forward_ip}}:{{forwarding_port}};
+
+			# Custom
+			include {{npm_data_dir}}/nginx/custom/server_stream[.]conf;
+			include {{npm_data_dir}}/nginx/custom/server_stream_tcp[.]conf;
+		}
+	{{/if}}
+
+	{{#if udp_forwarding}}
+		server {
+			listen {{incoming_port}} udp;
+			{{#if ipv6}}
+				listen [::]:{{ incoming_port }} udp;
+			{{else}}
+				#listen [::]:{{incoming_port}} udp;
+			{{/if}}
+			proxy_pass {{forward_ip}}:{{forwarding_port}};
+
+			# Custom
+			include {{npm_data_dir}}/nginx/custom/server_stream[.]conf;
+			include {{npm_data_dir}}/nginx/custom/server_stream_udp[.]conf;
+		}
+	{{/if}}
+{{/if}}

backend/go.mod

@@ -3,6 +3,7 @@ module npm
 go 1.16
 
 require (
+	github.com/aymerick/raymond v2.0.3-0.20180322193309-b565731e1464+incompatible
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/drexedam/gravatar v0.0.0-20210327211422-e94eea8c338e
 	github.com/fatih/color v1.10.0

backend/go.sum

@@ -6,6 +6,7 @@ github.com/Joker/hpp v1.0.0/go.mod h1:8x5n+M1Hp5hC0g8okX3sR3vFQwynaX/UgSOM9MeBKz
 github.com/Shopify/goreferrer v0.0.0-20181106222321-ec9c9a553398/go.mod h1:a1uqRtAwp2Xwc6WNPJEufxJ7fx3npB4UV/JOLmbu5I0=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/aymerick/raymond v2.0.3-0.20180322193309-b565731e1464+incompatible h1:Ppm0npCCsmuR9oQaBtRuZcmILVE74aXE+AmrJj8L2ns=
 github.com/aymerick/raymond v2.0.3-0.20180322193309-b565731e1464+incompatible/go.mod h1:osfaiScAUVup+UC9Nfq76eWqDhXlp+4UYaA8uhTBO6g=
 github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -246,6 +247,7 @@ gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3M
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20191120175047-4206685974f2/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

backend/internal/nginx/templates.go

@@ -0,0 +1,31 @@
+package nginx
+
+import (
+	"io/fs"
+	"io/ioutil"
+
+	"npm/embed"
+
+	"github.com/aymerick/raymond"
+)
+
+// WriteTemplate will load, parse and write a template file
+func WriteTemplate(templateName, outputFilename string, data map[string]interface{}) error {
+	// get template file content
+	subFs, _ := fs.Sub(embed.NginxFiles, "nginx")
+	template, err := fs.ReadFile(subFs, templateName)
+
+	if err != nil {
+		return err
+	}
+
+	// Render
+	parsedFile, err := raymond.Render(string(template), data)
+	if err != nil {
+		return err
+	}
+
+	// Write it
+	// nolint: gosec
+	return ioutil.WriteFile(outputFilename, []byte(parsedFile), 0644)
+}