Support for dynamic ip ranges from urls

- Adds ipranges command to fetch ip ranges from Cloudfront and Cloudflare
- Write the ipranges file on docker start
- Support disabling ipv4 as well as ipv6 now
- Prevent disabling both

docker/rootfs/bin/common.sh

@@ -31,6 +31,10 @@ log_info () {
 	echo -e "${BLUE}❯ ${CYAN}$1${RESET}"
 }
 
+log_warn () {
+	echo -e "${BLUE}❯ ${YELLOW}WARNING: $1${RESET}"
+}
+
 log_error () {
 	echo -e "${RED}❯ $1${RESET}"
 }
@@ -52,7 +56,8 @@ get_group_id () {
 
 # param $1: value
 is_true () {
-	if [ "$1" == 'true' ] || [ "$1" == 'on' ] || [ "$1" == '1' ] || [ "$1" == 'yes' ]; then
+	VAL=$(echo "${1:-}" | tr '[:upper:]' '[:lower:]')
+	if [ "$VAL" == 'true' ] || [ "$VAL" == 'on' ] || [ "$VAL" == '1' ] || [ "$VAL" == 'yes' ]; then
 		echo '1'
 	else
 		echo '0'

docker/rootfs/etc/nginx/conf.d/include/ip_ranges.conf

@@ -1,2 +0,0 @@
-# This should be left blank is it is populated programatically
-# by the application backend.

docker/rootfs/etc/nginx/nginx.conf

@@ -60,7 +60,7 @@ http {
 	set_real_ip_from 172.16.0.0/12; # Includes Docker subnet
 	set_real_ip_from 192.168.0.0/16;
 	# NPM generated CDN ip ranges:
-	include conf.d/include/ip_ranges.conf;
+	include conf.d/include/ipranges.conf;
 	# always put the following 2 lines after ip subnets:
 	real_ip_header X-Real-IP;
 	real_ip_recursive on;

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh

@@ -17,6 +17,6 @@ fi
 . /etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
 . /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
 . /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
-. /etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
+. /etc/s6-overlay/s6-rc.d/prepare/50-ipv46.sh
 . /etc/s6-overlay/s6-rc.d/prepare/60-fail2ban.sh
 . /etc/s6-overlay/s6-rc.d/prepare/90-banner.sh

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh

@@ -5,11 +5,9 @@ set -e
 
 log_info 'Dynamic resolvers ...'
 
-DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
-
 # Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]`
 # thanks @tfmm
-if [ "$(is_true "$DISABLE_IPV6")" = '1' ]; then
+if [ "$(is_true "$NPM_DISABLE_IPV6")" = '1' ]; then
 	echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
 else
 	echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
@@ -17,3 +15,20 @@ fi
 
 # Fire off acme.sh wrapper script to "install" itself if required
 acme.sh -h > /dev/null 2>&1
+
+# Generate IP Ranges from online CDN services
+# continue on error, as this could be due to network errors
+# and can be attempted again with a docker restart
+rm -rf /etc/nginx/conf.d/include/ipranges.conf
+set +e
+RC=0
+if [ "$(is_true "$DEVELOPMENT")" = '1' ]; then
+	echo '# ignored in development mode' > /etc/nginx/conf.d/include/ipranges.conf
+else
+	/app/bin/ipranges > /etc/nginx/conf.d/include/ipranges.conf
+	RC=$?
+fi
+if [ "$RC" != '0' ]; then
+	log_warn 'Generation of IP Ranges file has an error. Check output of /etc/nginx/conf.d/include/ipranges.conf for more information.'
+fi
+set -e

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv46.sh

@@ -0,0 +1,58 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+# This command reads the `NPM_DISABLE_IPV4` and `NPM_DISABLE_IPV6`` env vars and will either enable
+# or disable ipv6 in all nginx configs based on this setting.
+
+set -e
+
+log_info 'IPv4/IPv6 ...'
+
+DIS_4=$(is_true "$NPM_DISABLE_IPV4")
+DIS_6=$(is_true "$NPM_DISABLE_IPV6")
+
+# Ensure someone didn't misconfigure the settings
+if [ "$DIS_4" = "1" ] && [ "$DIS_6" = "1" ]; then
+	log_fatal 'NPM_DISABLE_IPV4 and NPM_DISABLE_IPV6 cannot both be set!'
+fi
+
+process_folder () {
+	FILES=$(find "$1" -type f -name "*.conf")
+	SED_REGEX=
+
+	# IPV4 ...
+	if [ "$DIS_4" = "1" ]; then
+		echo "Disabling IPV4 in hosts in: $1"
+		SED_REGEX='s/^([^#]*)listen ([0-9]+)/\1#listen \2/g'
+	else
+		echo "Enabling IPV4 in hosts in: $1"
+		SED_REGEX='s/^(\s*)#listen ([0-9]+)/\1listen \2/g'
+	fi
+
+	for FILE in $FILES
+	do
+		echo "  - ${FILE}"
+		sed -E -i "$SED_REGEX" "$FILE" || true
+	done
+
+	# IPV6 ...
+	if [ "$DIS_6" = "1" ]; then
+		echo "Disabling IPV6 in hosts in: $1"
+		SED_REGEX='s/^([^#]*)listen \[::\]/\1#listen [::]/g'
+	else
+		echo "Enabling IPV6 in hosts in: $1"
+		SED_REGEX='s/^(\s*)#listen \[::\]/\1listen [::]/g'
+	fi
+
+	for FILE in $FILES
+	do
+		echo "  - ${FILE}"
+		sed -E -i "$SED_REGEX" "$FILE" || true
+	done
+
+	# ensure the files are still owned by the npm user
+	chown -R "$PUID:$PGID" "$1"
+}
+
+process_folder /etc/nginx/conf.d
+process_folder /data/nginx

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh

@@ -1,39 +0,0 @@
-#!/command/with-contenv bash
-# shellcheck shell=bash
-
-# This command reads the `DISABLE_IPV6` env var and will either enable
-# or disable ipv6 in all nginx configs based on this setting.
-
-set -e
-
-log_info 'IPv6 ...'
-
-# Lowercase
-DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
-
-process_folder () {
-	FILES=$(find "$1" -type f -name "*.conf")
-	SED_REGEX=
-
-	if [ "$DISABLE_IPV6" == "true" ] || [ "$DISABLE_IPV6" == "on" ] || [ "$DISABLE_IPV6" == "1" ] || [ "$DISABLE_IPV6" == "yes" ]; then
-		# IPV6 is disabled
-		echo "Disabling IPV6 in hosts in: $1"
-		SED_REGEX='s/^([^#]*)listen \[::\]/\1#listen [::]/g'
-	else
-		# IPV6 is enabled
-		echo "Enabling IPV6 in hosts in: $1"
-		SED_REGEX='s/^(\s*)#listen \[::\]/\1listen [::]/g'
-	fi
-
-	for FILE in $FILES
-	do
-		echo "  - ${FILE}"
-		sed -E -i "$SED_REGEX" "$FILE" || true
-	done
-
-	# ensure the files are still owned by the npm user
-	chown -R "$PUID:$PGID" "$1"
-}
-
-process_folder /etc/nginx/conf.d
-process_folder /data/nginx