Merge 599ddd1a39 into 79d28f03d0

Merge pull request #4346 from Sander0542/feature/security-schemes-component
API Schema Improvements
2025-10-04 11:50:09 +00:00 · 2025-02-08 23:59:34 +08:00 · 2025-02-07 12:39:49 +10:00 · 2025-02-05 22:20:21 +01:00 · 2025-02-05 22:15:12 +01:00 · 2025-02-05 18:18:50 +01:00
6 changed files with 77 additions and 28 deletions
--- a/backend/models/dead_host.js
+++ b/backend/models/dead_host.js
@@ -12,7 +12,11 @@ Model.knex(db);

 const boolFields = [
 	'is_deleted',
+	'ssl_forced',
+	'http2_support',
 	'enabled',
+	'hsts_enabled',
+	'hsts_subdomains',
 ];

 class DeadHost extends Model {
--- a/backend/models/stream.js
+++ b/backend/models/stream.js
@@ -8,8 +8,8 @@ const now         = require('./now_helper');
 Model.knex(db);

 const boolFields = [
-	'enabled',
 	'is_deleted',
+	'enabled',
 	'tcp_forwarding',
 	'udp_forwarding',
 ];
--- a/backend/schema/components/proxy-host-object.json
+++ b/backend/schema/components/proxy-host-object.json
@@ -22,8 +22,7 @@
 		"enabled",
 		"locations",
 		"hsts_enabled",
-		"hsts_subdomains",
-		"certificate"
+		"hsts_subdomains"
 	],
 	"additionalProperties": false,
 	"properties": {
--- a/backend/schema/swagger.json
+++ b/backend/schema/swagger.json
@@ -9,6 +9,15 @@
 			"url": "http://127.0.0.1:81/api"
 		}
 	],
+	"components": {
+		"securitySchemes": {
+			"bearerAuth": {
+				"type": "http",
+				"scheme": "bearer",
+				"bearerFormat": "JWT"
+			}
+		}
+	},
 	"paths": {
 		"/": {
 			"get": {
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
@@ -3,8 +3,35 @@

 set -e

-log_info 'Setting ownership ...'
+# Lowercase
+SKIP_FILE_OWNERSHIP=$(echo "${SKIP_FILE_OWNERSHIP:-}" | tr '[:upper:]' '[:lower:]')

+if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
+    log_info 'Skipping data and letsencrypt ownership, use only with caution ...'
+    # root
+    chown -R "$PUID:$PGID" /run/nginx
+    chown -R "$PUID:$PGID" /tmp/nginx
+    chown -R "$PUID:$PGID" /var/cache/nginx
+    chown -R "$PUID:$PGID" /var/lib/logrotate
+    chown -R "$PUID:$PGID" /var/lib/nginx
+    chown -R "$PUID:$PGID" /var/log/nginx
+    
+    # Don't chown entire /etc/nginx folder as this causes crashes on some systems
+    chown -R "$PUID:$PGID" /etc/nginx/nginx
+    chown -R "$PUID:$PGID" /etc/nginx/nginx.conf
+    chown -R "$PUID:$PGID" /etc/nginx/conf.d
+    
+    # Don't chown entire /etc/nginx folder as this causes crashes on some systems
+    chown -R "$PUID:$PGID" /etc/nginx/nginx
+    chown -R "$PUID:$PGID" /etc/nginx/nginx.conf
+    chown -R "$PUID:$PGID" /etc/nginx/conf.d
+    
+    # Prevents errors when installing python certbot plugins when non-root
+    chown "$PUID:$PGID" /opt/certbot /opt/certbot/bin
+    find /opt/certbot/lib/python*/site-packages -not -user "$PUID" -execdir chown "$PUID:$PGID" {} \+
+    
+else
+    log_info 'Setting ownership ...'
      # root
    chown root /tmp/nginx
    
@@ -26,3 +53,4 @@ chown -R "$PUID:$PGID" /etc/nginx/conf.d
    # Prevents errors when installing python certbot plugins when non-root
    chown "$PUID:$PGID" /opt/certbot /opt/certbot/bin
    find /opt/certbot/lib/python*/site-packages -not -user "$PUID" -execdir chown "$PUID:$PGID" {} \+
+fi
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
@@ -10,6 +10,7 @@ log_info 'IPv6 ...'

 # Lowercase
 DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
+SKIP_FILE_OWNERSHIP=$(echo "${SKIP_FILE_OWNERSHIP:-}" | tr '[:upper:]' '[:lower:]')

 process_folder () {
 	FILES=$(find "$1" -type f -name "*.conf")
@@ -31,9 +32,17 @@ process_folder () {
 		echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE
 	done

+
 		# ensure the files are still owned by the npm user
 		chown -R "$PUID:$PGID" "$1"
+ 	fi
 }

+# process files on base image
 process_folder /etc/nginx/conf.d
+# conditionally process files that are probably in a volume or bind
+if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
+    log_info 'Skipping data and letsencrypt ownership, use only with caution ...'
+else
    process_folder /data/nginx
+fi
Author	SHA1	Message	Date
ian351c	68b4f39bba	Merge `599ddd1a39` into `79d28f03d0`	2025-02-08 23:59:34 +08:00
jc21	79d28f03d0	Merge pull request #4346 from Sander0542/feature/security-schemes-component All checks were successful Close stale issues and PRs / stale (push) Successful in 4s Details API Schema Improvements	2025-02-07 12:39:49 +10:00
Sander Jochems	df48b835c4	Update order to match others	2025-02-05 22:20:21 +01:00
Sander Jochems	8a1557154a	Add certificate fields to boolFields	2025-02-05 22:15:12 +01:00
Sander Jochems	a6af5ec2c7	Remove certificate as required from proxy host	2025-02-05 18:18:50 +01:00
Sander Jochems	14d7c35fd7	Fix whitespaces	2025-02-05 17:31:09 +01:00
Sander Jochems	cfcf78aaee	Set bearer auth security component	2025-02-05 17:29:40 +01:00
ian351c	599ddd1a39	Update 50-ipv6.sh Clean up log_info messages. Otherwise this appears to work...	2024-06-05 22:30:29 -04:00
ian351c	8fbe585470	Chown is ok for files on base image...	2024-06-05 12:36:38 -04:00
ian351c	78b3822c74	Tuning what needs to be chowned	2024-06-05 12:31:49 -04:00
ian351c	6da6d87ffd	Update 50-ipv6.sh Fix boolean logic for IPv6	2024-06-05 12:15:06 -04:00
ian351c	0232ebf3ba	Update 50-ipv6.sh	2024-06-05 11:56:55 -04:00
ian351c	c1e3701944	Update 30-ownership.sh Fix bad boolean logic	2024-06-05 11:45:27 -04:00
ian351c	f4c05cf9cc	Update 30-ownership.sh Make setting file permissions optional with SKIP_FILE_OWNERSHIP environment variable.	2024-06-05 10:50:14 -04:00