ThatGuyJack/nginx-proxy-manager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2025-08-20 16:07:39 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge branch 'add_PROXY' into add_modsecurity_crowdsecurity

Browse Source
This commit is contained in:
baudneo
2022-10-10 17:14:02 -06:00
parent 4b3df04719 2d681b8dcc
commit 4c0d31b07d
22 changed files with 297 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
backend/internal/nginx.js
View File

@@ -157,7 +157,11 @@ const internalNginx = {
for (let i = 0; i < host.locations.length; i++) {
let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id},
{ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits},
{allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
{allow_websocket_upgrade: host.allow_websocket_upgrade}, {enable_proxy_protocol: host.enable_proxy_protocol},
{stream_enable_proxy_protocol: host.stream_enable_proxy_protocol},
{stream_allow_proxy_protocol: host.stream_allow_proxy_protocol},
{stream_load_balancer_ip: host.stream_load_balancer_ip},
{load_balancer_ip: host.load_balancer_ip}, {http2_support: host.http2_support},
{hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
{certificate: host.certificate}, host.locations[i]);

80
backend/migrations/20221011000001_stream_proxy_protocol.js Normal file
View File

@@ -0,0 +1,80 @@
const migrate_name = 'stream_proxy_protocol';
const logger = require('../logger').migrate;
/**
* Migrate
*
* @see http://knexjs.org/#Schema
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.up = function (knex/*, Promise*/) {
knex.schema.table('stream', function (stream) {
stream.dropColumn('stream_access_proxy_protocol');
})
.then(() => {
logger.info('[' + migrate_name + '] stream Table altered - ERRANT Column fixed!');
}).catch((err) => {
logger.error('[' + migrate_name + '] stream Table error while removing errant column: ' + err);
});
logger.info('[' + migrate_name + '] Migrating PROXY_HOST Table Up...');
knex.schema.table('proxy_host', function (proxy_host) {
proxy_host.integer('enable_proxy_protocol').notNull().unsigned().defaultTo(0);
})
.then(() => {
logger.info('[' + migrate_name + '] proxy_host Table altered - "enable_proxy_protocol" added');
}).catch((err) => {
logger.error('[' + migrate_name + '] proxy_host Table error migrating up: ' + err);
});
knex.schema.table('proxy_host', function (proxy_host) {
proxy_host.string('load_balancer_ip').notNull().defaultTo('');
})
.then(() => {
logger.info('[' + migrate_name + '] proxy_host Table altered - "load_balancer_ip" added');
}).catch((err) => {
logger.error('[' + migrate_name + '] proxy_host Table error migrating up: ' + err);
});
logger.info('[' + migrate_name + '] Migrating STREAM Table Up...');
knex.schema.table('stream', function (stream) {
stream.integer('stream_allow_proxy_protocol').notNull().unsigned().defaultTo(0);
})
.then(() => {
logger.info('[' + migrate_name + '] stream Table altered - "stream_allow_proxy_protocol" added');
}).catch((err) => {
logger.error('[' + migrate_name + '] stream Table error migrating up: ' + err);
});
knex.schema.table('stream', function (stream) {
stream.integer('stream_enable_proxy_protocol').notNull().unsigned().defaultTo(0);
})
.then(() => {
logger.info('[' + migrate_name + '] stream Table altered - "stream_enable_proxy_protocol" added');
}).catch((err) => {
logger.error('[' + migrate_name + '] stream Table error migrating up: ' + err);
});
knex.schema.table('stream', function (stream) {
stream.string('stream_load_balancer_ip').notNull().defaultTo('');
})
.then(() => {
logger.info('[' + migrate_name + '] stream Table altered - "stream_load_balancer_ip" added');
}).catch((err) => {
logger.error('[' + migrate_name + '] stream Table error migrating up: ' + err);
});
return Promise.resolve(true);
};
/**
* Undo Migrate
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.down = function (knex, Promise) {
logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
return Promise.resolve(true);
};

29
backend/schema/endpoints/proxy-hosts.json
View File

@@ -58,6 +58,17 @@
"example": true,
"type": "boolean"
},
"enable_proxy_protocol": {
"description": "Enable PROXY Protocol support (Pass through)",
"example": true,
"type": "boolean"
},
"load_balancer_ip": {
"description": "Authorized TCP Load Balancer IP / CIDR for setting 'set_real_ip_from'",
"type": "string",
"minLength": 0,
"maxLength": 255
},
"access_list_id": {
"$ref": "../definitions.json#/definitions/access_list_id"
},
@@ -155,6 +166,12 @@
"allow_websocket_upgrade": {
"$ref": "#/definitions/allow_websocket_upgrade"
},
"enable_proxy_protocol": {
"$ref": "#/definitions/enable_proxy_protocol"
},
"load_balancer_ip": {
"$ref": "#/definitions/load_balancer_ip"
},
"access_list_id": {
"$ref": "#/definitions/access_list_id"
},
@@ -245,6 +262,12 @@
"allow_websocket_upgrade": {
"$ref": "#/definitions/allow_websocket_upgrade"
},
"enable_proxy_protocol": {
"$ref": "#/definitions/enable_proxy_protocol"
},
"load_balancer_ip": {
"$ref": "#/definitions/load_balancer_ip"
},
"access_list_id": {
"$ref": "#/definitions/access_list_id"
},
@@ -318,6 +341,12 @@
"allow_websocket_upgrade": {
"$ref": "#/definitions/allow_websocket_upgrade"
},
"enable_proxy_protocol": {
"$ref": "#/definitions/enable_proxy_protocol"
},
"load_balancer_ip": {
"$ref": "#/definitions/load_balancer_ip"
},
"access_list_id": {
"$ref": "#/definitions/access_list_id"
},

50
backend/schema/endpoints/streams.json
View File

@@ -46,6 +46,21 @@
"udp_forwarding": {
"type": "boolean"
},
"stream_enable_proxy_protocol": {
"description": "Enable PROXY Protocol creation and override",
"example": true,
"type": "boolean"
},
"stream_allow_proxy_protocol": {
"description": "Enable PROXY Protocol pass through",
"example": true,
"type": "boolean"
},
"stream_load_balancer_ip": {
"type": "string",
"minLength": 0,
"maxLength": 255
},
"enabled": {
"$ref": "../definitions.json#/definitions/enabled"
},
@@ -78,6 +93,15 @@
"udp_forwarding": {
"$ref": "#/definitions/udp_forwarding"
},
"stream_allow_proxy_protocol": {
"$ref": "#/definitions/stream_allow_proxy_protocol"
},
"stream_enable_proxy_protocol": {
"$ref": "#/definitions/stream_enable_proxy_protocol"
},
"stream_load_balancer_ip": {
"$ref": "#/definitions/stream_load_balancer_ip"
},
"enabled": {
"$ref": "#/definitions/enabled"
},
@@ -88,7 +112,7 @@
"links": [
{
"title": "List",
"description": "Returns a list of Steams",
"description": "Returns a list of Streams",
"href": "/nginx/streams",
"access": "private",
"method": "GET",
@@ -137,6 +161,15 @@
"udp_forwarding": {
"$ref": "#/definitions/udp_forwarding"
},
"stream_allow_proxy_protocol": {
"$ref": "#/definitions/stream_allow_proxy_protocol"
},
"stream_enable_proxy_protocol": {
"$ref": "#/definitions/stream_enable_proxy_protocol"
},
"stream_load_balancer_ip": {
"$ref": "#/definitions/stream_load_balancer_ip"
},
"meta": {
"$ref": "#/definitions/meta"
}
@@ -177,6 +210,15 @@
"udp_forwarding": {
"$ref": "#/definitions/udp_forwarding"
},
"stream_allow_proxy_protocol": {
"$ref": "#/definitions/stream_allow_proxy_protocol"
},
"stream_enable_proxy_protocol": {
"$ref": "#/definitions/stream_enable_proxy_protocol"
},
"stream_load_balancer_ip": {
"$ref": "#/definitions/stream_load_balancer_ip"
},
"meta": {
"$ref": "#/definitions/meta"
}
@@ -190,7 +232,7 @@
},
{
"title": "Delete",
"description": "Deletes a existing Stream",
"description": "Deletes an existing Stream",
"href": "/nginx/streams/{definitions.identity.example}",
"access": "private",
"method": "DELETE",
@@ -204,7 +246,7 @@
},
{
"title": "Enable",
"description": "Enables a existing Stream",
"description": "Enables an existing Stream",
"href": "/nginx/streams/{definitions.identity.example}/enable",
"access": "private",
"method": "POST",
@@ -218,7 +260,7 @@
},
{
"title": "Disable",
"description": "Disables a existing Stream",
"description": "Disables an existing Stream",
"href": "/nginx/streams/{definitions.identity.example}/disable",
"access": "private",
"method": "POST",

18
backend/templates/_listen.conf
View File

@@ -1,15 +1,25 @@
{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
listen 88 proxy_protocol;
{% if ipv6 -%}
listen [::]:88 proxy_protocol;
{% endif %}
{% else -%}
listen 80;
{% if ipv6 -%}
listen [::]:80;
{% else -%}
#listen [::]:80;
{% endif %}
{% endif %}
{% if certificate -%}
{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
listen 444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
{% if ipv6 -%}
listen [::]:444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
{% endif %}
{% else -%}
listen 443 ssl{% if http2_support %} http2{% endif %};
{% if ipv6 -%}
listen [::]:443 ssl{% if http2_support %} http2{% endif %};
{% else -%}
#listen [::]:443;
{% endif %}
{% endif %}
{% endif %}
server_name {{ domain_names | join: " " }};

6
backend/templates/_proxy_protocol.conf Normal file
View File

@@ -0,0 +1,6 @@
{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
{% if load_balancer_ip != '' %}
set_real_ip_from {{ load_balancer_ip }};
real_ip_header proxy_protocol;
{% endif %}
{% endif %}

5
backend/templates/_stream_proxy_protocol.conf Normal file
View File

@@ -0,0 +1,5 @@
{%if stream_allow_proxy_protocol == 1 or stream_allow_proxy_protocol == true %}
{% if stream_load_balancer_ip != '' %}
set_real_ip_from {{ stream_load_balancer_ip }};
{% endif %}
{% endif %}

1
backend/templates/dead_host.conf
View File

@@ -6,6 +6,7 @@ server {
{% include "_certificates.conf" %}
{% include "_hsts.conf" %}
{% include "_forced_ssl.conf" %}
{% include "_proxy_protocol.conf" %}
access_log /data/logs/dead-host-{{ id }}_access.log standard;
error_log /data/logs/dead-host-{{ id }}_error.log warn;

12
backend/templates/default.conf
View File

@@ -2,19 +2,25 @@
# Default Site
# ------------------------------------------------------------
{% if value == "congratulations" %}
# Skipping output, congratulations page configration is baked in.
# Skipping output, congratulations page configuration is baked in.
{%- else %}
server {
{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
listen 88 proxy_protocol;
{% if ipv6 -%}
listen [::]:88 proxy_protocol;
{% endif %}
{% else -%}
listen 80 default;
{% if ipv6 -%}
listen [::]:80 default;
{% else -%}
#listen [::]:80 default;
{% endif %}
{% endif %}
server_name default-host.localhost;
access_log /data/logs/default-host_access.log combined;
error_log /data/logs/default-host_error.log warn;
{% include "_exploits.conf" %}
{% include "_proxy_protocol.conf"}
include conf.d/include/letsencrypt-acme-challenge.conf;

1
backend/templates/proxy_host.conf
View File

@@ -12,6 +12,7 @@ server {
{% include "_exploits.conf" %}
{% include "_hsts.conf" %}
{% include "_forced_ssl.conf" %}
{% include "_proxy_protocol.conf" %}
{% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
proxy_set_header Upgrade $http_upgrade;

1
backend/templates/redirection_host.conf
View File

@@ -8,6 +8,7 @@ server {
{% include "_exploits.conf" %}
{% include "_hsts.conf" %}
{% include "_forced_ssl.conf" %}
{% include "_proxy_protocol.conf" %}
access_log /data/logs/redirection-host-{{ id }}_access.log standard;
error_log /data/logs/redirection-host-{{ id }}_error.log warn;

9
backend/templates/stream.conf
View File

@@ -5,13 +5,16 @@
{% if enabled %}
{% if tcp_forwarding == 1 or tcp_forwarding == true -%}
server {
listen {{ incoming_port }};
listen {{ incoming_port }}{% if stream_allow_proxy_protocol == 1 or stream_allow_proxy_protocol == true%} proxy_protocol{% endif %};
{% if ipv6 -%}
listen [::]:{{ incoming_port }};
listen [::]:{{ incoming_port }}{% if stream_allow_proxy_protocol == 1 or stream_allow_proxy_protocol == true%} proxy_protocol{% endif %};
{% else -%}
#listen [::]:{{ incoming_port }};
{% endif %}
{%if stream_enable_proxy_protocol == 1 or stream_enable_proxy_protocol == true%}
proxy_protocol on;
{% endif %}
{% include '_stream_proxy_protocol.conf' %}
proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
# Custom