Add SSL certificate to TCP streams if certificate in database

2025-04-26 09:02:27 +00:00 · 2024-03-24 17:11:04 +00:00 · 2024-03-24 17:11:04 +00:00 · 3091c21cae
commit 3091c21cae
parent 498109addb
6 changed files with 23 additions and 6 deletions
--- a/backend/templates/_certificates.conf
+++ b/backend/templates/_certificates.conf
@ -2,6 +2,7 @@
 {% if certificate.provider == "letsencrypt" %}
  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-cache.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
--- a/backend/templates/_certificates_stream.conf
+++ b/backend/templates/_certificates_stream.conf
@ -0,0 +1,13 @@
 {% if certificate and certificate_id > 0 -%}
 {% if certificate.provider == "letsencrypt" %}
  # Let's Encrypt SSL
  include conf.d/include/ssl-cache-stream.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
 {% else %}
  # Custom SSL
  ssl_certificate /data/custom_ssl/npm-{{ certificate_id }}/fullchain.pem;
  ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
 {% endif %}
 {% endif %}
--- a/backend/templates/stream.conf
+++ b/backend/templates/stream.conf
@ -5,13 +5,15 @@
 {% if enabled %}
 {% if tcp_forwarding == 1 or tcp_forwarding == true -%}
 server {
-  listen {{ incoming_port }};
+  listen {{ incoming_port }}{% if certificate %} ssl{% endif %};
 {% if ipv6 -%}
-  listen [::]:{{ incoming_port }};
+  listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %};
 {% else -%}
-  #listen [::]:{{ incoming_port }};
+  #listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %};
 {% endif %}
 {% include "_certificates_stream.conf" %}
  proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
  # Custom
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf
@ -0,0 +1,2 @@
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL_stream:50m;
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf
@ -0,0 +1,2 @@
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:50m;
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
@ -1,6 +1,3 @@
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:50m;
 # intermediate configuration. tweak to your needs.
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
		`@ -0,0 +1,2 @@`
							`ssl_session_timeout 5m;`
							`ssl_session_cache shared:SSL_stream:50m;`
		`@ -0,0 +1,2 @@`
							`ssl_session_timeout 5m;`
							`ssl_session_cache shared:SSL:50m;`