diff --git a/backend/internal/access-list.js b/backend/internal/access-list.js index af65b9f0..59a0460a 100644 --- a/backend/internal/access-list.js +++ b/backend/internal/access-list.js @@ -3,13 +3,13 @@ const fs = require('fs'); const batchflow = require('batchflow'); const logger = require('../logger').access; const error = require('../lib/error'); +const utils = require('../lib/utils'); const accessListModel = require('../models/access_list'); const accessListAuthModel = require('../models/access_list_auth'); const accessListClientModel = require('../models/access_list_client'); const proxyHostModel = require('../models/proxy_host'); const internalAuditLog = require('./audit-log'); const internalNginx = require('./nginx'); -const utils = require('../lib/utils'); function omissions () { return ['is_deleted']; @@ -27,13 +27,13 @@ const internalAccessList = { .then((/*access_data*/) => { return accessListModel .query() - .omit(omissions()) .insertAndFetch({ name: data.name, satisfy_any: data.satisfy_any, pass_auth: data.pass_auth, owner_user_id: access.token.getUserId(1) - }); + }) + .then(utils.omitRow(omissions())); }) .then((row) => { data.id = row.id; @@ -256,35 +256,31 @@ const internalAccessList = { .joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0') .where('access_list.is_deleted', 0) .andWhere('access_list.id', data.id) - .allowEager('[owner,items,clients,proxy_hosts.[certificate,access_list.[clients,items]]]') - .omit(['access_list.is_deleted']) + .allowGraph('[owner,items,clients,proxy_hosts.[certificate,access_list.[clients,items]]]') .first(); if (access_data.permission_visibility !== 'all') { query.andWhere('access_list.owner_user_id', access.token.getUserId(1)); } - // Custom omissions - if (typeof data.omit !== 'undefined' && data.omit !== null) { - query.omit(data.omit); - } - if (typeof data.expand !== 'undefined' && data.expand !== null) { - query.eager('[' + data.expand.join(', ') + ']'); + query.withGraphFetched('[' + data.expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRow(omissions())); }) .then((row) => { - if (row) { - if (!skip_masking && typeof row.items !== 'undefined' && row.items) { - row = internalAccessList.maskItems(row); - } - - return _.omit(row, omissions()); - } else { + if (!row) { throw new error.ItemNotFoundError(data.id); } + if (!skip_masking && typeof row.items !== 'undefined' && row.items) { + row = internalAccessList.maskItems(row); + } + // Custom omissions + if (typeof data.omit !== 'undefined' && data.omit !== null) { + row = _.omit(row, data.omit); + } + return row; }); }, @@ -381,8 +377,7 @@ const internalAccessList = { .joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0') .where('access_list.is_deleted', 0) .groupBy('access_list.id') - .omit(['access_list.is_deleted']) - .allowEager('[owner,items,clients]') + .allowGraph('[owner,items,clients]') .orderBy('access_list.name', 'ASC'); if (access_data.permission_visibility !== 'all') { @@ -397,10 +392,10 @@ const internalAccessList = { } if (typeof expand !== 'undefined' && expand !== null) { - query.eager('[' + expand.join(', ') + ']'); + query.withGraphFetched('[' + expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRows(omissions())); }) .then((rows) => { if (rows) { diff --git a/backend/internal/audit-log.js b/backend/internal/audit-log.js index 422b4f46..cb48261b 100644 --- a/backend/internal/audit-log.js +++ b/backend/internal/audit-log.js @@ -19,7 +19,7 @@ const internalAuditLog = { .orderBy('created_on', 'DESC') .orderBy('id', 'DESC') .limit(100) - .allowEager('[user]'); + .allowGraph('[user]'); // Query is used for searching if (typeof search_query === 'string') { @@ -29,7 +29,7 @@ const internalAuditLog = { } if (typeof expand !== 'undefined' && expand !== null) { - query.eager('[' + expand.join(', ') + ']'); + query.withGraphFetched('[' + expand.join(', ') + ']'); } return query; diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js index f35cc950..44f7e0ff 100644 --- a/backend/internal/certificate.js +++ b/backend/internal/certificate.js @@ -120,8 +120,8 @@ const internalCertificate = { return certificateModel .query() - .omit(omissions()) - .insertAndFetch(data); + .insertAndFetch(data) + .then(utils.omitRow(omissions())); }) .then((certificate) => { if (certificate.provider === 'letsencrypt') { @@ -268,8 +268,8 @@ const internalCertificate = { return certificateModel .query() - .omit(omissions()) .patchAndFetchById(row.id, data) + .then(utils.omitRow(omissions())) .then((saved_row) => { saved_row.meta = internalCertificate.cleanMeta(saved_row.meta); data.meta = internalCertificate.cleanMeta(data.meta); @@ -287,7 +287,7 @@ const internalCertificate = { meta: _.omit(data, ['expires_on']) // this prevents json circular reference because expires_on might be raw }) .then(() => { - return _.omit(saved_row, omissions()); + return saved_row; }); }); }); @@ -312,30 +312,28 @@ const internalCertificate = { .query() .where('is_deleted', 0) .andWhere('id', data.id) - .allowEager('[owner]') + .allowGraph('[owner]') .first(); if (access_data.permission_visibility !== 'all') { query.andWhere('owner_user_id', access.token.getUserId(1)); } - // Custom omissions - if (typeof data.omit !== 'undefined' && data.omit !== null) { - query.omit(data.omit); - } - if (typeof data.expand !== 'undefined' && data.expand !== null) { - query.eager('[' + data.expand.join(', ') + ']'); + query.withGraphFetched('[' + data.expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRow(omissions())); }) .then((row) => { - if (row) { - return _.omit(row, omissions()); - } else { + if (!row) { throw new error.ItemNotFoundError(data.id); } + // Custom omissions + if (typeof data.omit !== 'undefined' && data.omit !== null) { + row = _.omit(row, data.omit); + } + return row; }); }, @@ -465,8 +463,7 @@ const internalCertificate = { .query() .where('is_deleted', 0) .groupBy('id') - .omit(['is_deleted']) - .allowEager('[owner]') + .allowGraph('[owner]') .orderBy('nice_name', 'ASC'); if (access_data.permission_visibility !== 'all') { @@ -481,10 +478,10 @@ const internalCertificate = { } if (typeof expand !== 'undefined' && expand !== null) { - query.eager('[' + expand.join(', ') + ']'); + query.withGraphFetched('[' + expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRows(omissions())); }); }, @@ -669,7 +666,6 @@ const internalCertificate = { meta: _.clone(row.meta) // Prevent the update method from changing this value that we'll use later }) .then((certificate) => { - console.log('ROWMETA:', row.meta); certificate.meta = row.meta; return internalCertificate.writeCustomCert(certificate); }); diff --git a/backend/internal/dead-host.js b/backend/internal/dead-host.js index d35fec25..2a6258e9 100644 --- a/backend/internal/dead-host.js +++ b/backend/internal/dead-host.js @@ -1,5 +1,6 @@ const _ = require('lodash'); const error = require('../lib/error'); +const utils = require('../lib/utils'); const deadHostModel = require('../models/dead_host'); const internalHost = require('./host'); const internalNginx = require('./nginx'); @@ -49,8 +50,8 @@ const internalDeadHost = { return deadHostModel .query() - .omit(omissions()) - .insertAndFetch(data); + .insertAndFetch(data) + .then(utils.omitRow(omissions())); }) .then((row) => { if (create_certificate) { @@ -218,31 +219,28 @@ const internalDeadHost = { .query() .where('is_deleted', 0) .andWhere('id', data.id) - .allowEager('[owner,certificate]') + .allowGraph('[owner,certificate]') .first(); if (access_data.permission_visibility !== 'all') { query.andWhere('owner_user_id', access.token.getUserId(1)); } - // Custom omissions - if (typeof data.omit !== 'undefined' && data.omit !== null) { - query.omit(data.omit); - } - if (typeof data.expand !== 'undefined' && data.expand !== null) { - query.eager('[' + data.expand.join(', ') + ']'); + query.withGraphFetched('[' + data.expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRow(omissions())); }) .then((row) => { - if (row) { - row = internalHost.cleanRowCertificateMeta(row); - return _.omit(row, omissions()); - } else { + if (!row) { throw new error.ItemNotFoundError(data.id); } + // Custom omissions + if (typeof data.omit !== 'undefined' && data.omit !== null) { + row = _.omit(row, data.omit); + } + return row; }); }, @@ -404,8 +402,7 @@ const internalDeadHost = { .query() .where('is_deleted', 0) .groupBy('id') - .omit(['is_deleted']) - .allowEager('[owner,certificate]') + .allowGraph('[owner,certificate]') .orderBy('domain_names', 'ASC'); if (access_data.permission_visibility !== 'all') { @@ -420,10 +417,10 @@ const internalDeadHost = { } if (typeof expand !== 'undefined' && expand !== null) { - query.eager('[' + expand.join(', ') + ']'); + query.withGraphFetched('[' + expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRows(omissions())); }) .then((rows) => { if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) { diff --git a/backend/internal/ip_ranges.js b/backend/internal/ip_ranges.js index 8999dd93..f74eb434 100644 --- a/backend/internal/ip_ranges.js +++ b/backend/internal/ip_ranges.js @@ -2,8 +2,8 @@ const https = require('https'); const fs = require('fs'); const logger = require('../logger').ip_ranges; const error = require('../lib/error'); +const utils = require('../lib/utils'); const internalNginx = require('./nginx'); -const { Liquid } = require('liquidjs'); const CLOUDFRONT_URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json'; const CLOUDFARE_V4_URL = 'https://www.cloudflare.com/ips-v4'; @@ -119,10 +119,7 @@ const internalIpRanges = { * @returns {Promise} */ generateConfig: (ip_ranges) => { - let renderEngine = new Liquid({ - root: __dirname + '/../templates/' - }); - + const renderEngine = utils.getRenderEngine(); return new Promise((resolve, reject) => { let template = null; let filename = '/usr/local/nginx/conf/conf.d/include/ip_ranges.conf'; diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js index c319de60..13619df8 100644 --- a/backend/internal/nginx.js +++ b/backend/internal/nginx.js @@ -3,7 +3,6 @@ const fs = require('fs'); const logger = require('../logger').nginx; const utils = require('../lib/utils'); const error = require('../lib/error'); -const { Liquid } = require('liquidjs'); const debug_mode = process.env.NODE_ENV !== 'production' || !!process.env.DEBUG; const internalNginx = { @@ -29,7 +28,9 @@ const internalNginx = { .then(() => { // Nginx is OK // We're deleting this config regardless. - return internalNginx.deleteConfig(host_type, host); // Don't throw errors, as the file may not exist at all + // Don't throw errors, as the file may not exist at all + // Delete the .err file too + return internalNginx.deleteConfig(host_type, host, false, true); }) .then(() => { return internalNginx.generateConfig(host_type, host); @@ -80,6 +81,9 @@ const internalNginx = { .patch({ meta: combined_meta }) + .then(() => { + internalNginx.renameConfigAsError(host_type, host); + }) .then(() => { return internalNginx.deleteConfig(host_type, host, true); }); @@ -121,13 +125,10 @@ const internalNginx = { * @returns {String} */ getConfigName: (host_type, host_id) => { - host_type = host_type.replace(new RegExp('-', 'g'), '_'); - if (host_type === 'default') { return '/data/nginx/default.conf'; } - - return '/data/nginx/' + host_type + '/' + host_id + '.conf'; + return '/data/nginx/' + internalNginx.getFileFriendlyHostType(host_type) + '/' + host_id + '.conf'; }, /** @@ -136,8 +137,6 @@ const internalNginx = { * @returns {Promise} */ renderLocations: (host) => { - - //logger.info('host = ' + JSON.stringify(host, null, 2)); return new Promise((resolve, reject) => { let template; @@ -148,19 +147,17 @@ const internalNginx = { return; } - let renderer = new Liquid({ - root: __dirname + '/../templates/' - }); + const renderEngine = utils.getRenderEngine(); let renderedLocations = ''; const locationRendering = async () => { for (let i = 0; i < host.locations.length; i++) { - let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id}, + let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id}, {ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits}, {allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support}, {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list}, {certificate: host.certificate}, host.locations[i]); - + if (locationCopy.forward_host.indexOf('/') > -1) { const splitted = locationCopy.forward_host.split('/'); @@ -168,16 +165,14 @@ const internalNginx = { locationCopy.forward_path = `/${splitted.join('/')}`; } - //logger.info('locationCopy = ' + JSON.stringify(locationCopy, null, 2)); - // eslint-disable-next-line - renderedLocations += await renderer.parseAndRender(template, locationCopy); + renderedLocations += await renderEngine.parseAndRender(template, locationCopy); } }; locationRendering().then(() => resolve(renderedLocations)); - + }); }, @@ -187,24 +182,20 @@ const internalNginx = { * @returns {Promise} */ generateConfig: (host_type, host) => { - host_type = host_type.replace(new RegExp('-', 'g'), '_'); + const nice_host_type = internalNginx.getFileFriendlyHostType(host_type); if (debug_mode) { - logger.info('Generating ' + host_type + ' Config:', host); + logger.info('Generating ' + nice_host_type + ' Config:', JSON.stringify(host, null, 2)); } - // logger.info('host = ' + JSON.stringify(host, null, 2)); - - let renderEngine = new Liquid({ - root: __dirname + '/../templates/' - }); + const renderEngine = utils.getRenderEngine(); return new Promise((resolve, reject) => { let template = null; - let filename = internalNginx.getConfigName(host_type, host.id); + let filename = internalNginx.getConfigName(nice_host_type, host.id); try { - template = fs.readFileSync(__dirname + '/../templates/' + host_type + '.conf', {encoding: 'utf8'}); + template = fs.readFileSync(__dirname + '/../templates/' + nice_host_type + '.conf', {encoding: 'utf8'}); } catch (err) { reject(new error.ConfigurationError(err.message)); return; @@ -214,7 +205,7 @@ const internalNginx = { let origLocations; // Manipulate the data a bit before sending it to the template - if (host_type !== 'default') { + if (nice_host_type !== 'default') { host.use_default_location = true; if (typeof host.advanced_config !== 'undefined' && host.advanced_config) { host.use_default_location = !internalNginx.advancedConfigHasDefaultLocation(host.advanced_config); @@ -281,9 +272,7 @@ const internalNginx = { logger.info('Generating certbot Request Config:', certificate); } - let renderEngine = new Liquid({ - root: __dirname + '/../templates/' - }); + const renderEngine = utils.getRenderEngine(); return new Promise((resolve, reject) => { let template = null; @@ -319,33 +308,39 @@ const internalNginx = { }); }, + /** + * A simple wrapper around unlinkSync that writes to the logger + * + * @param {String} filename + */ + deleteFile: (filename) => { + logger.debug('Deleting file: ' + filename); + try { + fs.unlinkSync(filename); + } catch (err) { + logger.debug('Could not delete file:', JSON.stringify(err, null, 2)); + } + }, + + /** + * + * @param {String} host_type + * @returns String + */ + getFileFriendlyHostType: (host_type) => { + return host_type.replace(new RegExp('-', 'g'), '_'); + }, + /** * This removes the temporary nginx config file generated by `generateLetsEncryptRequestConfig` * * @param {Object} certificate - * @param {Boolean} [throw_errors] * @returns {Promise} */ - deleteLetsEncryptRequestConfig: (certificate, throw_errors) => { - return new Promise((resolve, reject) => { - try { - let config_file = '/usr/local/nginx/conf/conf.d/letsencrypt_' + certificate.id + '.conf'; - - if (debug_mode) { - logger.warn('Deleting nginx config: ' + config_file); - } - - fs.unlinkSync(config_file); - } catch (err) { - if (debug_mode) { - logger.warn('Could not delete config:', err.message); - } - - if (throw_errors) { - reject(err); - } - } - + deleteLetsEncryptRequestConfig: (certificate) => { + const config_file = '/usr/local/nginx/conf/conf.d/letsencrypt_' + certificate.id + '.conf'; + return new Promise((resolve/*, reject*/) => { + internalNginx.deleteFile(config_file); resolve(); }); }, @@ -353,35 +348,42 @@ const internalNginx = { /** * @param {String} host_type * @param {Object} [host] - * @param {Boolean} [throw_errors] + * @param {Boolean} [delete_err_file] * @returns {Promise} */ - deleteConfig: (host_type, host, throw_errors) => { - host_type = host_type.replace(new RegExp('-', 'g'), '_'); + deleteConfig: (host_type, host, delete_err_file) => { + const config_file = internalNginx.getConfigName(internalNginx.getFileFriendlyHostType(host_type), typeof host === 'undefined' ? 0 : host.id); + const config_file_err = config_file + '.err'; - return new Promise((resolve, reject) => { - try { - let config_file = internalNginx.getConfigName(host_type, typeof host === 'undefined' ? 0 : host.id); - - if (debug_mode) { - logger.warn('Deleting nginx config: ' + config_file); - } - - fs.unlinkSync(config_file); - } catch (err) { - if (debug_mode) { - logger.warn('Could not delete config:', err.message); - } - - if (throw_errors) { - reject(err); - } + return new Promise((resolve/*, reject*/) => { + internalNginx.deleteFile(config_file); + if (delete_err_file) { + internalNginx.deleteFile(config_file_err); } - resolve(); }); }, + /** + * @param {String} host_type + * @param {Object} [host] + * @returns {Promise} + */ + renameConfigAsError: (host_type, host) => { + const config_file = internalNginx.getConfigName(internalNginx.getFileFriendlyHostType(host_type), typeof host === 'undefined' ? 0 : host.id); + const config_file_err = config_file + '.err'; + + return new Promise((resolve/*, reject*/) => { + fs.unlink(config_file, () => { + // ignore result, continue + fs.rename(config_file, config_file_err, () => { + // also ignore result, as this is a debugging informative file anyway + resolve(); + }); + }); + }); + }, + /** * @param {String} host_type * @param {Array} hosts @@ -399,13 +401,12 @@ const internalNginx = { /** * @param {String} host_type * @param {Array} hosts - * @param {Boolean} [throw_errors] * @returns {Promise} */ - bulkDeleteConfigs: (host_type, hosts, throw_errors) => { + bulkDeleteConfigs: (host_type, hosts) => { let promises = []; hosts.map(function (host) { - promises.push(internalNginx.deleteConfig(host_type, host, throw_errors)); + promises.push(internalNginx.deleteConfig(host_type, host, true)); }); return Promise.all(promises); diff --git a/backend/internal/proxy-host.js b/backend/internal/proxy-host.js index 09b8bca5..02a98da2 100644 --- a/backend/internal/proxy-host.js +++ b/backend/internal/proxy-host.js @@ -1,5 +1,6 @@ const _ = require('lodash'); const error = require('../lib/error'); +const utils = require('../lib/utils'); const proxyHostModel = require('../models/proxy_host'); const internalHost = require('./host'); const internalNginx = require('./nginx'); @@ -49,8 +50,8 @@ const internalProxyHost = { return proxyHostModel .query() - .omit(omissions()) - .insertAndFetch(data); + .insertAndFetch(data) + .then(utils.omitRow(omissions())); }) .then((row) => { if (create_certificate) { @@ -170,6 +171,7 @@ const internalProxyHost = { .query() .where({id: data.id}) .patch(data) + .then(utils.omitRow(omissions())) .then((saved_row) => { // Add to audit log return internalAuditLog.add(access, { @@ -179,7 +181,7 @@ const internalProxyHost = { meta: data }) .then(() => { - return _.omit(saved_row, omissions()); + return saved_row; }); }); }) @@ -223,31 +225,29 @@ const internalProxyHost = { .query() .where('is_deleted', 0) .andWhere('id', data.id) - .allowEager('[owner,access_list,access_list.[clients,items],certificate]') + .allowGraph('[owner,access_list,access_list.[clients,items],certificate]') .first(); if (access_data.permission_visibility !== 'all') { query.andWhere('owner_user_id', access.token.getUserId(1)); } - // Custom omissions - if (typeof data.omit !== 'undefined' && data.omit !== null) { - query.omit(data.omit); - } - if (typeof data.expand !== 'undefined' && data.expand !== null) { - query.eager('[' + data.expand.join(', ') + ']'); + query.withGraphFetched('[' + data.expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRow(omissions())); }) .then((row) => { - if (row) { - row = internalHost.cleanRowCertificateMeta(row); - return _.omit(row, omissions()); - } else { + if (!row) { throw new error.ItemNotFoundError(data.id); } + row = internalHost.cleanRowCertificateMeta(row); + // Custom omissions + if (typeof data.omit !== 'undefined' && data.omit !== null) { + row = _.omit(row, data.omit); + } + return row; }); }, @@ -409,8 +409,7 @@ const internalProxyHost = { .query() .where('is_deleted', 0) .groupBy('id') - .omit(['is_deleted']) - .allowEager('[owner,access_list,certificate]') + .allowGraph('[owner,access_list,certificate]') .orderBy('domain_names', 'ASC'); if (access_data.permission_visibility !== 'all') { @@ -425,10 +424,10 @@ const internalProxyHost = { } if (typeof expand !== 'undefined' && expand !== null) { - query.eager('[' + expand.join(', ') + ']'); + query.withGraphFetched('[' + expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRows(omissions())); }) .then((rows) => { if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) { diff --git a/backend/internal/redirection-host.js b/backend/internal/redirection-host.js index f22c3668..775d94f3 100644 --- a/backend/internal/redirection-host.js +++ b/backend/internal/redirection-host.js @@ -1,5 +1,6 @@ const _ = require('lodash'); const error = require('../lib/error'); +const utils = require('../lib/utils'); const redirectionHostModel = require('../models/redirection_host'); const internalHost = require('./host'); const internalNginx = require('./nginx'); @@ -49,8 +50,8 @@ const internalRedirectionHost = { return redirectionHostModel .query() - .omit(omissions()) - .insertAndFetch(data); + .insertAndFetch(data) + .then(utils.omitRow(omissions())); }) .then((row) => { if (create_certificate) { @@ -65,9 +66,8 @@ const internalRedirectionHost = { .then(() => { return row; }); - } else { - return row; } + return row; }) .then((row) => { // re-fetch with cert @@ -218,31 +218,29 @@ const internalRedirectionHost = { .query() .where('is_deleted', 0) .andWhere('id', data.id) - .allowEager('[owner,certificate]') + .allowGraph('[owner,certificate]') .first(); if (access_data.permission_visibility !== 'all') { query.andWhere('owner_user_id', access.token.getUserId(1)); } - // Custom omissions - if (typeof data.omit !== 'undefined' && data.omit !== null) { - query.omit(data.omit); - } - if (typeof data.expand !== 'undefined' && data.expand !== null) { - query.eager('[' + data.expand.join(', ') + ']'); + query.withGraphFetched('[' + data.expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRow(omissions())); }) .then((row) => { - if (row) { - row = internalHost.cleanRowCertificateMeta(row); - return _.omit(row, omissions()); - } else { + if (!row) { throw new error.ItemNotFoundError(data.id); } + row = internalHost.cleanRowCertificateMeta(row); + // Custom omissions + if (typeof data.omit !== 'undefined' && data.omit !== null) { + row = _.omit(row, data.omit); + } + return row; }); }, @@ -404,8 +402,7 @@ const internalRedirectionHost = { .query() .where('is_deleted', 0) .groupBy('id') - .omit(['is_deleted']) - .allowEager('[owner,certificate]') + .allowGraph('[owner,certificate]') .orderBy('domain_names', 'ASC'); if (access_data.permission_visibility !== 'all') { @@ -420,10 +417,10 @@ const internalRedirectionHost = { } if (typeof expand !== 'undefined' && expand !== null) { - query.eager('[' + expand.join(', ') + ']'); + query.withGraphFetched('[' + expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRows(omissions())); }) .then((rows) => { if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) { diff --git a/backend/internal/stream.js b/backend/internal/stream.js index 9c458a10..a159cfdd 100644 --- a/backend/internal/stream.js +++ b/backend/internal/stream.js @@ -1,5 +1,6 @@ const _ = require('lodash'); const error = require('../lib/error'); +const utils = require('../lib/utils'); const streamModel = require('../models/stream'); const internalNginx = require('./nginx'); const internalAuditLog = require('./audit-log'); @@ -27,8 +28,8 @@ const internalStream = { return streamModel .query() - .omit(omissions()) - .insertAndFetch(data); + .insertAndFetch(data) + .then(utils.omitRow(omissions())); }) .then((row) => { // Configure nginx @@ -71,8 +72,8 @@ const internalStream = { return streamModel .query() - .omit(omissions()) .patchAndFetchById(row.id, data) + .then(utils.omitRow(omissions())) .then((saved_row) => { return internalNginx.configure(streamModel, 'stream', saved_row) .then(() => { @@ -88,7 +89,7 @@ const internalStream = { meta: data }) .then(() => { - return _.omit(saved_row, omissions()); + return saved_row; }); }); }); @@ -113,30 +114,28 @@ const internalStream = { .query() .where('is_deleted', 0) .andWhere('id', data.id) - .allowEager('[owner]') + .allowGraph('[owner]') .first(); if (access_data.permission_visibility !== 'all') { query.andWhere('owner_user_id', access.token.getUserId(1)); } - // Custom omissions - if (typeof data.omit !== 'undefined' && data.omit !== null) { - query.omit(data.omit); - } - if (typeof data.expand !== 'undefined' && data.expand !== null) { - query.eager('[' + data.expand.join(', ') + ']'); + query.withGraphFetched('[' + data.expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRow(omissions())); }) .then((row) => { - if (row) { - return _.omit(row, omissions()); - } else { + if (!row) { throw new error.ItemNotFoundError(data.id); } + // Custom omissions + if (typeof data.omit !== 'undefined' && data.omit !== null) { + row = _.omit(row, data.omit); + } + return row; }); }, @@ -298,8 +297,7 @@ const internalStream = { .query() .where('is_deleted', 0) .groupBy('id') - .omit(['is_deleted']) - .allowEager('[owner]') + .allowGraph('[owner]') .orderBy('incoming_port', 'ASC'); if (access_data.permission_visibility !== 'all') { @@ -314,10 +312,10 @@ const internalStream = { } if (typeof expand !== 'undefined' && expand !== null) { - query.eager('[' + expand.join(', ') + ']'); + query.withGraphFetched('[' + expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRows(omissions())); }); }, diff --git a/backend/internal/user.js b/backend/internal/user.js index 2e2d8abf..a1d90447 100644 --- a/backend/internal/user.js +++ b/backend/internal/user.js @@ -1,5 +1,6 @@ const _ = require('lodash'); const error = require('../lib/error'); +const utils = require('../lib/utils'); const userModel = require('../models/user'); const userPermissionModel = require('../models/user_permission'); const authModel = require('../models/auth'); @@ -35,8 +36,8 @@ const internalUser = { return userModel .query() - .omit(omissions()) - .insertAndFetch(data); + .insertAndFetch(data) + .then(utils.omitRow(omissions())); }) .then((user) => { if (auth) { @@ -140,11 +141,8 @@ const internalUser = { return userModel .query() - .omit(omissions()) .patchAndFetchById(user.id, data) - .then((saved_user) => { - return _.omit(saved_user, omissions()); - }); + .then(utils.omitRow(omissions())); }) .then(() => { return internalUser.get(access, {id: data.id}); @@ -186,26 +184,24 @@ const internalUser = { .query() .where('is_deleted', 0) .andWhere('id', data.id) - .allowEager('[permissions]') + .allowGraph('[permissions]') .first(); - // Custom omissions - if (typeof data.omit !== 'undefined' && data.omit !== null) { - query.omit(data.omit); - } - if (typeof data.expand !== 'undefined' && data.expand !== null) { - query.eager('[' + data.expand.join(', ') + ']'); + query.withGraphFetched('[' + data.expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRow(omissions())); }) .then((row) => { - if (row) { - return _.omit(row, omissions()); - } else { + if (!row) { throw new error.ItemNotFoundError(data.id); } + // Custom omissions + if (typeof data.omit !== 'undefined' && data.omit !== null) { + row = _.omit(row, data.omit); + } + return row; }); }, @@ -322,8 +318,7 @@ const internalUser = { .query() .where('is_deleted', 0) .groupBy('id') - .omit(['is_deleted']) - .allowEager('[permissions]') + .allowGraph('[permissions]') .orderBy('name', 'ASC'); // Query is used for searching @@ -335,10 +330,10 @@ const internalUser = { } if (typeof expand !== 'undefined' && expand !== null) { - query.eager('[' + expand.join(', ') + ']'); + query.withGraphFetched('[' + expand.join(', ') + ']'); } - return query; + return query.then(utils.omitRows(omissions())); }); }, diff --git a/backend/lib/access.js b/backend/lib/access.js index 8b9acae7..be02a448 100644 --- a/backend/lib/access.js +++ b/backend/lib/access.js @@ -55,8 +55,8 @@ module.exports = function (token_string) { .where('id', token_data.attrs.id) .andWhere('is_deleted', 0) .andWhere('is_disabled', 0) - .allowEager('[permissions]') - .eager('[permissions]') + .allowGraph('[permissions]') + .withGraphFetched('[permissions]') .first() .then((user) => { if (user) { diff --git a/backend/lib/utils.js b/backend/lib/utils.js index ead5b170..2a184ee1 100644 --- a/backend/lib/utils.js +++ b/backend/lib/utils.js @@ -1,5 +1,8 @@ -const exec = require('child_process').exec; -const execFile = require('child_process').execFile; +const _ = require('lodash'); +const exec = require('child_process').exec; +const execFile = require('child_process').execFile; +const { Liquid } = require('liquidjs'); +const logger = require('../logger').global; module.exports = { @@ -20,12 +23,14 @@ module.exports = { }, /** - * @param {Array} cmd + * @param {String} cmd + * @param {Array} args * @returns {Promise} */ - execFile: function (cmd) { + execFile: function (cmd, args) { + logger.debug('CMD: ' + cmd + ' ' + (args ? args.join(' ') : '')); return new Promise((resolve, reject) => { - execFile(cmd, function (err, stdout, /*stderr*/) { + execFile(cmd, args, function (err, stdout, /*stderr*/) { if (err && typeof err === 'object') { reject(err); } else { @@ -33,5 +38,64 @@ module.exports = { } }); }); + }, + + /** + * Used in objection query builder + * + * @param {Array} omissions + * @returns {Function} + */ + omitRow: function (omissions) { + /** + * @param {Object} row + * @returns {Object} + */ + return (row) => { + return _.omit(row, omissions); + }; + }, + + /** + * Used in objection query builder + * + * @param {Array} omissions + * @returns {Function} + */ + omitRows: function (omissions) { + /** + * @param {Array} rows + * @returns {Object} + */ + return (rows) => { + rows.forEach((row, idx) => { + rows[idx] = _.omit(row, omissions); + }); + return rows; + }; + }, + + /** + * @returns {Object} Liquid render engine + */ + getRenderEngine: function () { + const renderEngine = new Liquid({ + root: __dirname + '/../templates/' + }); + + /** + * nginxAccessRule expects the object given to have 2 properties: + * + * directive string + * address string + */ + renderEngine.registerFilter('nginxAccessRule', (v) => { + if (typeof v.directive !== 'undefined' && typeof v.address !== 'undefined' && v.directive && v.address) { + return `${v.directive} ${v.address};`; + } + return ''; + }); + + return renderEngine; } }; diff --git a/backend/models/access_list.js b/backend/models/access_list.js index 01974e86..fbf9bda7 100644 --- a/backend/models/access_list.js +++ b/backend/models/access_list.js @@ -50,7 +50,6 @@ class AccessList extends Model { }, modify: function (qb) { qb.where('user.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']); } }, items: { @@ -59,9 +58,6 @@ class AccessList extends Model { join: { from: 'access_list.id', to: 'access_list_auth.access_list_id' - }, - modify: function (qb) { - qb.omit(['id', 'created_on', 'modified_on', 'access_list_id', 'meta']); } }, clients: { @@ -70,9 +66,6 @@ class AccessList extends Model { join: { from: 'access_list.id', to: 'access_list_client.access_list_id' - }, - modify: function (qb) { - qb.omit(['id', 'created_on', 'modified_on', 'access_list_id', 'meta']); } }, proxy_hosts: { @@ -84,19 +77,10 @@ class AccessList extends Model { }, modify: function (qb) { qb.where('proxy_host.is_deleted', 0); - qb.omit(['is_deleted', 'meta']); } } }; } - - get satisfy() { - return this.satisfy_any ? 'satisfy any' : 'satisfy all'; - } - - get passauth() { - return this.pass_auth ? '' : 'proxy_set_header Authorization "";'; - } } module.exports = AccessList; diff --git a/backend/models/access_list_auth.js b/backend/models/access_list_auth.js index 932371f3..3895539c 100644 --- a/backend/models/access_list_auth.js +++ b/backend/models/access_list_auth.js @@ -45,7 +45,6 @@ class AccessListAuth extends Model { }, modify: function (qb) { qb.where('access_list.is_deleted', 0); - qb.omit(['created_on', 'modified_on', 'is_deleted', 'access_list_id']); } } }; diff --git a/backend/models/access_list_client.js b/backend/models/access_list_client.js index e257213a..bffc0023 100644 --- a/backend/models/access_list_client.js +++ b/backend/models/access_list_client.js @@ -45,15 +45,10 @@ class AccessListClient extends Model { }, modify: function (qb) { qb.where('access_list.is_deleted', 0); - qb.omit(['created_on', 'modified_on', 'is_deleted', 'access_list_id']); } } }; } - - get rule() { - return `${this.directive} ${this.address}`; - } } module.exports = AccessListClient; diff --git a/backend/models/audit-log.js b/backend/models/audit-log.js index a3a318c8..45a4b460 100644 --- a/backend/models/audit-log.js +++ b/backend/models/audit-log.js @@ -43,9 +43,6 @@ class AuditLog extends Model { join: { from: 'audit_log.user_id', to: 'user.id' - }, - modify: function (qb) { - qb.omit(['id', 'created_on', 'modified_on', 'roles']); } } }; diff --git a/backend/models/auth.js b/backend/models/auth.js index 5ba5f380..2ee43197 100644 --- a/backend/models/auth.js +++ b/backend/models/auth.js @@ -74,9 +74,6 @@ class Auth extends Model { }, filter: { is_deleted: 0 - }, - modify: function (qb) { - qb.omit(['is_deleted']); } } }; diff --git a/backend/models/certificate.js b/backend/models/certificate.js index 6084a995..4f0f2ef6 100644 --- a/backend/models/certificate.js +++ b/backend/models/certificate.js @@ -63,7 +63,6 @@ class Certificate extends Model { }, modify: function (qb) { qb.where('user.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']); } } }; diff --git a/backend/models/dead_host.js b/backend/models/dead_host.js index 6de42a33..2e31043a 100644 --- a/backend/models/dead_host.js +++ b/backend/models/dead_host.js @@ -59,7 +59,6 @@ class DeadHost extends Model { }, modify: function (qb) { qb.where('user.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']); } }, certificate: { @@ -71,7 +70,6 @@ class DeadHost extends Model { }, modify: function (qb) { qb.where('certificate.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted']); } } }; diff --git a/backend/models/now_helper.js b/backend/models/now_helper.js index def16d08..11c31a88 100644 --- a/backend/models/now_helper.js +++ b/backend/models/now_helper.js @@ -6,8 +6,8 @@ Model.knex(db); module.exports = function () { if (config.database.knex && config.database.knex.client === 'sqlite3') { - return Model.raw('datetime(\'now\',\'localtime\')'); - } else { - return Model.raw('NOW()'); + // eslint-disable-next-line + return Model.raw("datetime('now','localtime')"); } + return Model.raw('NOW()'); }; diff --git a/backend/models/proxy_host.js b/backend/models/proxy_host.js index a7583088..d84181cf 100644 --- a/backend/models/proxy_host.js +++ b/backend/models/proxy_host.js @@ -60,7 +60,6 @@ class ProxyHost extends Model { }, modify: function (qb) { qb.where('user.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']); } }, access_list: { @@ -72,7 +71,6 @@ class ProxyHost extends Model { }, modify: function (qb) { qb.where('access_list.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted']); } }, certificate: { @@ -84,7 +82,6 @@ class ProxyHost extends Model { }, modify: function (qb) { qb.where('certificate.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted']); } } }; diff --git a/backend/models/redirection_host.js b/backend/models/redirection_host.js index dd149b76..c90a6de6 100644 --- a/backend/models/redirection_host.js +++ b/backend/models/redirection_host.js @@ -1,3 +1,4 @@ + // Objection Docs: // http://vincit.github.io/objection.js/ @@ -59,7 +60,6 @@ class RedirectionHost extends Model { }, modify: function (qb) { qb.where('user.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']); } }, certificate: { @@ -71,7 +71,6 @@ class RedirectionHost extends Model { }, modify: function (qb) { qb.where('certificate.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted']); } } }; diff --git a/backend/models/stream.js b/backend/models/stream.js index ed65de0f..7d84d2c3 100644 --- a/backend/models/stream.js +++ b/backend/models/stream.js @@ -46,7 +46,6 @@ class Stream extends Model { }, modify: function (qb) { qb.where('user.is_deleted', 0); - qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']); } } }; diff --git a/backend/models/token.js b/backend/models/token.js index 4e1b1826..37d53144 100644 --- a/backend/models/token.js +++ b/backend/models/token.js @@ -83,8 +83,6 @@ module.exports = function () { // Hack: some tokens out in the wild have a scope of 'all' instead of 'user'. // For 30 days at least, we need to replace 'all' with user. if ((typeof token_data.scope !== 'undefined' && _.indexOf(token_data.scope, 'all') !== -1)) { - //console.log('Warning! Replacing "all" scope with "user"'); - token_data.scope = ['user']; } diff --git a/backend/models/user.js b/backend/models/user.js index c76f7dbf..93489fef 100644 --- a/backend/models/user.js +++ b/backend/models/user.js @@ -43,9 +43,6 @@ class User extends Model { join: { from: 'user.id', to: 'user_permission.user_id' - }, - modify: function (qb) { - qb.omit(['id', 'created_on', 'modified_on', 'user_id']); } } }; diff --git a/backend/package.json b/backend/package.json index 00079d2a..6e8fc0cc 100644 --- a/backend/package.json +++ b/backend/package.json @@ -16,14 +16,14 @@ "express-fileupload": "1.4.0", "gravatar": "1.8.2", "jsonwebtoken": "9.0.0", - "knex": "2.4.1", + "knex": "10.6.1", "liquidjs": "9.43.0", "lodash": "4.17.21", "moment": "2.29.4", "mysql": "2.18.1", "node-rsa": "1.1.1", "nodemon": "2.0.21", - "objection": "2.2.18", + "objection": "3.0.1", "path": "0.12.7", "signale": "1.4.0", "sqlite3": "5.1.6", diff --git a/backend/templates/_access.conf b/backend/templates/_access.conf new file mode 100644 index 00000000..447006c0 --- /dev/null +++ b/backend/templates/_access.conf @@ -0,0 +1,25 @@ +{% if access_list_id > 0 %} + {% if access_list.items.length > 0 %} + # Authorization + auth_basic "Authorization required"; + auth_basic_user_file /data/access/{{ access_list_id }}; + + {% if access_list.pass_auth == 0 %} + proxy_set_header Authorization ""; + {% endif %} + + {% endif %} + + # Access Rules: {{ access_list.clients | size }} total + {% for client in access_list.clients %} + {{client | nginxAccessRule}} + {% endfor %} + deny all; + + # Access checks must... + {% if access_list.satisfy_any == 1 %} + satisfy any; + {% else %} + satisfy all; + {% endif %} +{% endif %} diff --git a/backend/templates/_location.conf b/backend/templates/_location.conf index 2fa1acce..302bb50d 100644 --- a/backend/templates/_location.conf +++ b/backend/templates/_location.conf @@ -8,12 +8,6 @@ proxy_http_version 1.1; proxy_pass {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }}; - {% if access_list_id > 0 %} - {% if access_list.items.length > 0 %} - {{ access_list.passauth }} - {% endif %} - {% endif %} - {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %} proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf index fc09135d..ecaf15a7 100644 --- a/backend/templates/proxy_host.conf +++ b/backend/templates/proxy_host.conf @@ -11,6 +11,7 @@ server { {% include "_hsts.conf" %} {% include "_forced_tls.conf" %} {% include "_brotli.conf" %} +{% include "_access.conf" %} include conf.d/include/acme-challenge.conf; include conf.d/include/block-exploits.conf; @@ -37,27 +38,6 @@ server { } {% endif %} - {% if access_list_id > 0 %} - {% if access_list.items.length > 0 %} - # Authorization - auth_basic "Authorization required"; - auth_basic_user_file /data/etc/access/{{ access_list_id }}; - - {{ access_list.passauth }} - {% endif %} - - # Access Rules - {% for client in access_list.clients %} - {{- client.rule -}}; - {% endfor %}deny all; - - # Access checks must... - {% if access_list.satisfy %} - {{ access_list.satisfy }}; - {% endif %} - - {% endif %} - {{ locations }} # Custom diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/dependencies.d/prepare b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/dependencies.d/prepare new file mode 100644 index 00000000..e69de29b diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/type b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/type new file mode 100644 index 00000000..5883cff0 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/type @@ -0,0 +1 @@ +longrun diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/dependencies.d/prepare b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/dependencies.d/prepare new file mode 100644 index 00000000..e69de29b diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/type b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/type new file mode 100644 index 00000000..5883cff0 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/type @@ -0,0 +1 @@ +longrun diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/prepare b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/prepare new file mode 100644 index 00000000..e69de29b diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run new file mode 100755 index 00000000..70ca0cb7 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run @@ -0,0 +1,7 @@ +#!/command/with-contenv bash +# shellcheck shell=bash + +set -e + +echo "❯ Starting nginx ..." +exec nginx diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/type b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/type new file mode 100644 index 00000000..5883cff0 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/type @@ -0,0 +1 @@ +longrun diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/dependencies.d/base b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/dependencies.d/base new file mode 100644 index 00000000..e69de29b diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/script.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/script.sh new file mode 100755 index 00000000..5723ea7a --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/script.sh @@ -0,0 +1,93 @@ +#!/command/with-contenv bash +# shellcheck shell=bash + +set -e + +DATA_PATH=/data + +# Ensure /data is mounted +if [ ! -d "$DATA_PATH" ]; then + echo '--------------------------------------' + echo "ERROR: $DATA_PATH is not mounted! Check your docker configuration." + echo '--------------------------------------' + /run/s6/basedir/bin/halt + exit 1 +fi + +echo "❯ Checking folder structure ..." + +# Create required folders +mkdir -p /tmp/nginx/body \ + /run/nginx \ + /var/log/nginx \ + /data/nginx \ + /data/custom_ssl \ + /data/logs \ + /data/access \ + /data/nginx/default_host \ + /data/nginx/default_www \ + /data/nginx/proxy_host \ + /data/nginx/redirection_host \ + /data/nginx/stream \ + /data/nginx/dead_host \ + /data/nginx/temp \ + /var/lib/nginx/cache/public \ + /var/lib/nginx/cache/private \ + /var/cache/nginx/proxy_temp \ + /data/letsencrypt-acme-challenge + +touch /var/log/nginx/error.log && chmod 777 /var/log/nginx/error.log && chmod -R 777 /var/cache/nginx +chown root /tmp/nginx + +# Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]` +# thanks @tfmm +if [ "$DISABLE_IPV6" == "true" ] || [ "$DISABLE_IPV6" == "on" ] || [ "$DISABLE_IPV6" == "1" ] || [ "$DISABLE_IPV6" == "yes" ]; +then + echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf +else + echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf +fi + +echo "Changing ownership of /data/logs to $(id -u):$(id -g)" +chown -R "$(id -u):$(id -g)" /data/logs + +# Handle IPV6 settings +/bin/handle-ipv6-setting /etc/nginx/conf.d +/bin/handle-ipv6-setting /data/nginx + +# ref: https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/01-envfile + +# in s6, environmental variables are written as text files for s6 to monitor +# search through full-path filenames for files ending in "__FILE" +echo "❯ Secrets-init ..." +for FILENAME in $(find /var/run/s6/container_environment/ | grep "__FILE$"); do + echo "[secret-init] Evaluating ${FILENAME##*/} ..." + + # set SECRETFILE to the contents of the full-path textfile + SECRETFILE=$(cat "${FILENAME}") + # if SECRETFILE exists / is not null + if [[ -f "${SECRETFILE}" ]]; then + # strip the appended "__FILE" from environmental variable name ... + STRIPFILE=$(echo "${FILENAME}" | sed "s/__FILE//g") + # echo "[secret-init] Set STRIPFILE to ${STRIPFILE}" # DEBUG - rm for prod! + + # ... and set value to contents of secretfile + # since s6 uses text files, this is effectively "export ..." + printf $(cat "${SECRETFILE}") > "${STRIPFILE}" + # echo "[secret-init] Set ${STRIPFILE##*/} to $(cat ${STRIPFILE})" # DEBUG - rm for prod!" + echo "[secret-init] Success! ${STRIPFILE##*/} set from ${FILENAME##*/}" + + else + echo "[secret-init] cannot find secret in ${FILENAME}" + fi +done + +echo +echo "------------------------------------- + _ _ ____ __ __ +| \ | | _ \| \/ | +| \| | |_) | |\/| | +| |\ | __/| | | | +|_| \_|_| |_| |_| +------------------------------------- +" diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/type b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/type new file mode 100644 index 00000000..bdd22a18 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/type @@ -0,0 +1 @@ +oneshot diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/up b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/up new file mode 100644 index 00000000..b58eed6b --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/up @@ -0,0 +1,2 @@ +# shellcheck shell=bash +/etc/s6-overlay/s6-rc.d/prepare/script.sh diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/backend b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/backend new file mode 100644 index 00000000..e69de29b diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/frontend b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/frontend new file mode 100644 index 00000000..e69de29b diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx new file mode 100644 index 00000000..e69de29b diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/prepare b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/prepare new file mode 100644 index 00000000..e69de29b diff --git a/global/.version b/global/.version index d0998d33..cfd472b1 100644 --- a/global/.version +++ b/global/.version @@ -1 +1 @@ -2.9.20 +2.9.21 diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index d5decd83..d5a8770b 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js @@ -400,9 +400,9 @@ dns_powerdns_api_key = AbCbASsd!@34`, regru: { display_name: 'reg.ru', package_name: 'certbot-regru', - credentials: `certbot_regru:dns_username=username -certbot_regru:dns_password=password`, - full_plugin_name: 'certbot-regru:dns', + credentials: `dns_username=username +dns_password=password`, + full_plugin_name: 'dns', }, //####################################################// rfc2136: {