mirror of
https://github.com/NginxProxyManager/nginx-proxy-manager.git
synced 2025-10-06 12:50:10 +00:00
Compare commits
6 Commits
openidc
...
207dbb2f37
| Author | SHA1 | Date | |
|---|---|---|---|
|
207dbb2f37 | ||
|
|
ae1255df27 | ||
|
|
7307515eed | ||
|
|
1d3d5be588 | ||
|
|
0cf7ed9d82 | ||
|
|
b8b80d3e80 |
@@ -1,7 +1,7 @@
|
||||
<p align="center">
|
||||
<img src="https://nginxproxymanager.com/github.png">
|
||||
<br><br>
|
||||
<img src="https://img.shields.io/badge/version-2.11.3-green.svg?style=for-the-badge">
|
||||
<img src="https://img.shields.io/badge/version-2.11.2-green.svg?style=for-the-badge">
|
||||
<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
|
||||
<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
|
||||
</a>
|
||||
@@ -56,6 +56,7 @@ I won't go in to too much detail here but here are the basics for someone new to
|
||||
2. Create a docker-compose.yml file similar to this:
|
||||
|
||||
```yml
|
||||
version: '3.8'
|
||||
services:
|
||||
app:
|
||||
image: 'docker.io/jc21/nginx-proxy-manager:latest'
|
||||
|
||||
@@ -861,8 +861,9 @@ const internalCertificate = {
|
||||
logger.info(`Requesting Let'sEncrypt certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
|
||||
|
||||
const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate.id;
|
||||
fs.mkdirSync('/etc/letsencrypt/credentials', { recursive: true });
|
||||
fs.writeFileSync(credentialsLocation, certificate.meta.dns_provider_credentials, {mode: 0o600});
|
||||
// Escape single quotes and backslashes
|
||||
const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
|
||||
const credentialsCmd = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'';
|
||||
|
||||
// Whether the plugin has a --<name>-credentials argument
|
||||
const hasConfigArg = certificate.meta.dns_provider !== 'route53';
|
||||
@@ -897,15 +898,17 @@ const internalCertificate = {
|
||||
mainCmd = mainCmd + ' --dns-duckdns-no-txt-restore';
|
||||
}
|
||||
|
||||
logger.info('Command:', mainCmd);
|
||||
logger.info('Command:', `${credentialsCmd} && && ${mainCmd}`);
|
||||
|
||||
try {
|
||||
await utils.exec(credentialsCmd);
|
||||
const result = await utils.exec(mainCmd);
|
||||
logger.info(result);
|
||||
return result;
|
||||
} catch (err) {
|
||||
// Don't fail if file does not exist, so no need for action in the callback
|
||||
fs.unlink(credentialsLocation, () => {});
|
||||
// Don't fail if file does not exist
|
||||
const delete_credentialsCmd = `rm -f '${credentialsLocation}' || true`;
|
||||
await utils.exec(delete_credentialsCmd);
|
||||
throw err;
|
||||
}
|
||||
},
|
||||
|
||||
@@ -1,9 +1,11 @@
|
||||
const _ = require('lodash');
|
||||
const error = require('../lib/error');
|
||||
const utils = require('../lib/utils');
|
||||
const streamModel = require('../models/stream');
|
||||
const internalNginx = require('./nginx');
|
||||
const internalAuditLog = require('./audit-log');
|
||||
const _ = require('lodash');
|
||||
const error = require('../lib/error');
|
||||
const utils = require('../lib/utils');
|
||||
const streamModel = require('../models/stream');
|
||||
const internalNginx = require('./nginx');
|
||||
const internalAuditLog = require('./audit-log');
|
||||
const internalCertificate = require('./certificate');
|
||||
const internalHost = require('./host');
|
||||
|
||||
function omissions () {
|
||||
return ['is_deleted'];
|
||||
@@ -17,6 +19,12 @@ const internalStream = {
|
||||
* @returns {Promise}
|
||||
*/
|
||||
create: (access, data) => {
|
||||
let create_certificate = data.certificate_id === 'new';
|
||||
|
||||
if (create_certificate) {
|
||||
delete data.certificate_id;
|
||||
}
|
||||
|
||||
return access.can('streams:create', data)
|
||||
.then((/*access_data*/) => {
|
||||
// TODO: At this point the existing ports should have been checked
|
||||
@@ -26,16 +34,44 @@ const internalStream = {
|
||||
data.meta = {};
|
||||
}
|
||||
|
||||
// streams aren't routed by domain name so don't store domain names in the DB
|
||||
let data_no_domains = structuredClone(data);
|
||||
delete data_no_domains.domain_names;
|
||||
|
||||
return streamModel
|
||||
.query()
|
||||
.insertAndFetch(data)
|
||||
.insertAndFetch(data_no_domains)
|
||||
.then(utils.omitRow(omissions()));
|
||||
})
|
||||
.then((row) => {
|
||||
if (create_certificate) {
|
||||
return internalCertificate.createQuickCertificate(access, data)
|
||||
.then((cert) => {
|
||||
// update host with cert id
|
||||
return internalStream.update(access, {
|
||||
id: row.id,
|
||||
certificate_id: cert.id
|
||||
});
|
||||
})
|
||||
.then(() => {
|
||||
return row;
|
||||
});
|
||||
} else {
|
||||
return row;
|
||||
}
|
||||
})
|
||||
.then((row) => {
|
||||
// re-fetch with cert
|
||||
return internalStream.get(access, {
|
||||
id: row.id,
|
||||
expand: ['certificate', 'owner']
|
||||
});
|
||||
})
|
||||
.then((row) => {
|
||||
// Configure nginx
|
||||
return internalNginx.configure(streamModel, 'stream', row)
|
||||
.then(() => {
|
||||
return internalStream.get(access, {id: row.id, expand: ['owner']});
|
||||
return row;
|
||||
});
|
||||
})
|
||||
.then((row) => {
|
||||
@@ -59,6 +95,12 @@ const internalStream = {
|
||||
* @return {Promise}
|
||||
*/
|
||||
update: (access, data) => {
|
||||
let create_certificate = data.certificate_id === 'new';
|
||||
|
||||
if (create_certificate) {
|
||||
delete data.certificate_id;
|
||||
}
|
||||
|
||||
return access.can('streams:update', data.id)
|
||||
.then((/*access_data*/) => {
|
||||
// TODO: at this point the existing streams should have been checked
|
||||
@@ -70,16 +112,32 @@ const internalStream = {
|
||||
throw new error.InternalValidationError('Stream could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
|
||||
}
|
||||
|
||||
if (create_certificate) {
|
||||
return internalCertificate.createQuickCertificate(access, {
|
||||
domain_names: data.domain_names || row.domain_names,
|
||||
meta: _.assign({}, row.meta, data.meta)
|
||||
})
|
||||
.then((cert) => {
|
||||
// update host with cert id
|
||||
data.certificate_id = cert.id;
|
||||
})
|
||||
.then(() => {
|
||||
return row;
|
||||
});
|
||||
} else {
|
||||
return row;
|
||||
}
|
||||
})
|
||||
.then((row) => {
|
||||
// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
|
||||
data = _.assign({}, {
|
||||
domain_names: row.domain_names
|
||||
}, data);
|
||||
|
||||
return streamModel
|
||||
.query()
|
||||
.patchAndFetchById(row.id, data)
|
||||
.then(utils.omitRow(omissions()))
|
||||
.then((saved_row) => {
|
||||
return internalNginx.configure(streamModel, 'stream', saved_row)
|
||||
.then(() => {
|
||||
return internalStream.get(access, {id: row.id, expand: ['owner']});
|
||||
});
|
||||
})
|
||||
.then((saved_row) => {
|
||||
// Add to audit log
|
||||
return internalAuditLog.add(access, {
|
||||
@@ -92,6 +150,17 @@ const internalStream = {
|
||||
return saved_row;
|
||||
});
|
||||
});
|
||||
})
|
||||
.then(() => {
|
||||
return internalStream.get(access, {id: data.id, expand: ['owner', 'certificate']})
|
||||
.then((row) => {
|
||||
return internalNginx.configure(streamModel, 'stream', row)
|
||||
.then((new_meta) => {
|
||||
row.meta = new_meta;
|
||||
row = internalHost.cleanRowCertificateMeta(row);
|
||||
return _.omit(row, omissions());
|
||||
});
|
||||
});
|
||||
});
|
||||
},
|
||||
|
||||
@@ -114,7 +183,7 @@ const internalStream = {
|
||||
.query()
|
||||
.where('is_deleted', 0)
|
||||
.andWhere('id', data.id)
|
||||
.allowGraph('[owner]')
|
||||
.allowGraph('[owner,certificate]')
|
||||
.first();
|
||||
|
||||
if (access_data.permission_visibility !== 'all') {
|
||||
@@ -131,6 +200,7 @@ const internalStream = {
|
||||
if (!row) {
|
||||
throw new error.ItemNotFoundError(data.id);
|
||||
}
|
||||
row = internalHost.cleanRowCertificateMeta(row);
|
||||
// Custom omissions
|
||||
if (typeof data.omit !== 'undefined' && data.omit !== null) {
|
||||
row = _.omit(row, data.omit);
|
||||
@@ -196,14 +266,14 @@ const internalStream = {
|
||||
.then(() => {
|
||||
return internalStream.get(access, {
|
||||
id: data.id,
|
||||
expand: ['owner']
|
||||
expand: ['certificate', 'owner']
|
||||
});
|
||||
})
|
||||
.then((row) => {
|
||||
if (!row) {
|
||||
throw new error.ItemNotFoundError(data.id);
|
||||
} else if (row.enabled) {
|
||||
throw new error.ValidationError('Host is already enabled');
|
||||
throw new error.ValidationError('Stream is already enabled');
|
||||
}
|
||||
|
||||
row.enabled = 1;
|
||||
@@ -249,7 +319,7 @@ const internalStream = {
|
||||
if (!row) {
|
||||
throw new error.ItemNotFoundError(data.id);
|
||||
} else if (!row.enabled) {
|
||||
throw new error.ValidationError('Host is already disabled');
|
||||
throw new error.ValidationError('Stream is already disabled');
|
||||
}
|
||||
|
||||
row.enabled = 0;
|
||||
@@ -297,7 +367,7 @@ const internalStream = {
|
||||
.query()
|
||||
.where('is_deleted', 0)
|
||||
.groupBy('id')
|
||||
.allowGraph('[owner]')
|
||||
.allowGraph('[owner,certificate]')
|
||||
.orderBy('incoming_port', 'ASC');
|
||||
|
||||
if (access_data.permission_visibility !== 'all') {
|
||||
@@ -316,6 +386,13 @@ const internalStream = {
|
||||
}
|
||||
|
||||
return query.then(utils.omitRows(omissions()));
|
||||
})
|
||||
.then((rows) => {
|
||||
if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) {
|
||||
return internalHost.cleanAllRowsCertificateMeta(rows);
|
||||
}
|
||||
|
||||
return rows;
|
||||
});
|
||||
},
|
||||
|
||||
|
||||
@@ -93,7 +93,7 @@ const generateKeys = () => {
|
||||
try {
|
||||
fs.writeFileSync(keysFile, JSON.stringify(keys, null, 2));
|
||||
} catch (err) {
|
||||
logger.error('Could not write JWT key pair to config file: ' + keysFile + ': ' + err.message);
|
||||
logger.error('Could not write JWT key pair to config file: ' + keysFile + ': ' . err.message);
|
||||
process.exit(1);
|
||||
}
|
||||
logger.info('Wrote JWT key pair to config file: ' + keysFile);
|
||||
|
||||
@@ -1,48 +0,0 @@
|
||||
const migrate_name = 'openid_connect';
|
||||
const logger = require('../logger').migrate;
|
||||
|
||||
/**
|
||||
* Migrate
|
||||
*
|
||||
* @see http://knexjs.org/#Schema
|
||||
*
|
||||
* @param {Object} knex
|
||||
* @param {Promise} Promise
|
||||
* @returns {Promise}
|
||||
*/
|
||||
exports.up = function (knex/*, Promise*/) {
|
||||
logger.info('[' + migrate_name + '] Migrating Up...');
|
||||
|
||||
return knex.schema.table('proxy_host', function (proxy_host) {
|
||||
proxy_host.integer('openidc_enabled').notNull().unsigned().defaultTo(0);
|
||||
proxy_host.text('openidc_redirect_uri').notNull().defaultTo('');
|
||||
proxy_host.text('openidc_discovery').notNull().defaultTo('');
|
||||
proxy_host.text('openidc_auth_method').notNull().defaultTo('');
|
||||
proxy_host.text('openidc_client_id').notNull().defaultTo('');
|
||||
proxy_host.text('openidc_client_secret').notNull().defaultTo('');
|
||||
})
|
||||
.then(() => {
|
||||
logger.info('[' + migrate_name + '] proxy_host Table altered');
|
||||
});
|
||||
};
|
||||
|
||||
/**
|
||||
* Undo Migrate
|
||||
*
|
||||
* @param {Object} knex
|
||||
* @param {Promise} Promise
|
||||
* @returns {Promise}
|
||||
*/
|
||||
exports.down = function (knex/*, Promise*/) {
|
||||
return knex.schema.table('proxy_host', function (proxy_host) {
|
||||
proxy_host.dropColumn('openidc_enabled');
|
||||
proxy_host.dropColumn('openidc_redirect_uri');
|
||||
proxy_host.dropColumn('openidc_discovery');
|
||||
proxy_host.dropColumn('openidc_auth_method');
|
||||
proxy_host.dropColumn('openidc_client_id');
|
||||
proxy_host.dropColumn('openidc_client_secret');
|
||||
})
|
||||
.then(() => {
|
||||
logger.info('[' + migrate_name + '] proxy_host Table altered');
|
||||
});
|
||||
};
|
||||
@@ -1,40 +0,0 @@
|
||||
const migrate_name = 'openid_allowed_users';
|
||||
const logger = require('../logger').migrate;
|
||||
|
||||
/**
|
||||
* Migrate
|
||||
*
|
||||
* @see http://knexjs.org/#Schema
|
||||
*
|
||||
* @param {Object} knex
|
||||
* @param {Promise} Promise
|
||||
* @returns {Promise}
|
||||
*/
|
||||
exports.up = function (knex/*, Promise*/) {
|
||||
logger.info('[' + migrate_name + '] Migrating Up...');
|
||||
|
||||
return knex.schema.table('proxy_host', function (proxy_host) {
|
||||
proxy_host.integer('openidc_restrict_users_enabled').notNull().unsigned().defaultTo(0);
|
||||
proxy_host.json('openidc_allowed_users').notNull().defaultTo([]);
|
||||
})
|
||||
.then(() => {
|
||||
logger.info('[' + migrate_name + '] proxy_host Table altered');
|
||||
});
|
||||
};
|
||||
|
||||
/**
|
||||
* Undo Migrate
|
||||
*
|
||||
* @param {Object} knex
|
||||
* @param {Promise} Promise
|
||||
* @returns {Promise}
|
||||
*/
|
||||
exports.down = function (knex/*, Promise*/) {
|
||||
return knex.schema.table('proxy_host', function (proxy_host) {
|
||||
proxy_host.dropColumn('openidc_restrict_users_enabled');
|
||||
proxy_host.dropColumn('openidc_allowed_users');
|
||||
})
|
||||
.then(() => {
|
||||
logger.info('[' + migrate_name + '] proxy_host Table altered');
|
||||
});
|
||||
};
|
||||
38
backend/migrations/20240427161436_stream_ssl.js
Normal file
38
backend/migrations/20240427161436_stream_ssl.js
Normal file
@@ -0,0 +1,38 @@
|
||||
const migrate_name = 'stream_ssl';
|
||||
const logger = require('../logger').migrate;
|
||||
|
||||
/**
|
||||
* Migrate
|
||||
*
|
||||
* @see http://knexjs.org/#Schema
|
||||
*
|
||||
* @param {Object} knex
|
||||
* @returns {Promise}
|
||||
*/
|
||||
exports.up = function (knex) {
|
||||
logger.info('[' + migrate_name + '] Migrating Up...');
|
||||
|
||||
return knex.schema.table('stream', (table) => {
|
||||
table.integer('certificate_id').notNull().unsigned().defaultTo(0);
|
||||
})
|
||||
.then(function () {
|
||||
logger.info('[' + migrate_name + '] stream Table altered');
|
||||
});
|
||||
};
|
||||
|
||||
/**
|
||||
* Undo Migrate
|
||||
*
|
||||
* @param {Object} knex
|
||||
* @returns {Promise}
|
||||
*/
|
||||
exports.down = function (knex) {
|
||||
logger.info('[' + migrate_name + '] Migrating Down...');
|
||||
|
||||
return knex.schema.table('stream', (table) => {
|
||||
table.dropColumn('certificate_id');
|
||||
})
|
||||
.then(function () {
|
||||
logger.info('[' + migrate_name + '] stream Table altered');
|
||||
});
|
||||
};
|
||||
@@ -20,23 +20,12 @@ class ProxyHost extends Model {
|
||||
this.domain_names = [];
|
||||
}
|
||||
|
||||
// Default for openidc_allowed_users
|
||||
if (typeof this.openidc_allowed_users === 'undefined') {
|
||||
this.openidc_allowed_users = [];
|
||||
}
|
||||
|
||||
// Default for meta
|
||||
if (typeof this.meta === 'undefined') {
|
||||
this.meta = {};
|
||||
}
|
||||
|
||||
// Openidc defaults
|
||||
if (typeof this.openidc_auth_method === 'undefined') {
|
||||
this.openidc_auth_method = 'client_secret_post';
|
||||
}
|
||||
|
||||
this.domain_names.sort();
|
||||
this.openidc_allowed_users.sort();
|
||||
}
|
||||
|
||||
$beforeUpdate () {
|
||||
@@ -46,11 +35,6 @@ class ProxyHost extends Model {
|
||||
if (typeof this.domain_names !== 'undefined') {
|
||||
this.domain_names.sort();
|
||||
}
|
||||
|
||||
// Sort openidc_allowed_users
|
||||
if (typeof this.openidc_allowed_users !== 'undefined') {
|
||||
this.openidc_allowed_users.sort();
|
||||
}
|
||||
}
|
||||
|
||||
static get name () {
|
||||
@@ -62,7 +46,7 @@ class ProxyHost extends Model {
|
||||
}
|
||||
|
||||
static get jsonAttributes () {
|
||||
return ['domain_names', 'meta', 'locations', 'openidc_allowed_users'];
|
||||
return ['domain_names', 'meta', 'locations'];
|
||||
}
|
||||
|
||||
static get relationMappings () {
|
||||
|
||||
@@ -1,10 +1,11 @@
|
||||
// Objection Docs:
|
||||
// http://vincit.github.io/objection.js/
|
||||
|
||||
const db = require('../db');
|
||||
const Model = require('objection').Model;
|
||||
const User = require('./user');
|
||||
const now = require('./now_helper');
|
||||
const db = require('../db');
|
||||
const Model = require('objection').Model;
|
||||
const User = require('./user');
|
||||
const now = require('./now_helper');
|
||||
const Certificate = require('./certificate');
|
||||
|
||||
Model.knex(db);
|
||||
|
||||
@@ -47,6 +48,17 @@ class Stream extends Model {
|
||||
modify: function (qb) {
|
||||
qb.where('user.is_deleted', 0);
|
||||
}
|
||||
},
|
||||
certificate: {
|
||||
relation: Model.HasOneRelation,
|
||||
modelClass: Certificate,
|
||||
join: {
|
||||
from: 'stream.certificate_id',
|
||||
to: 'certificate.id'
|
||||
},
|
||||
modify: function (qb) {
|
||||
qb.where('certificate.is_deleted', 0);
|
||||
}
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
@@ -235,43 +235,6 @@
|
||||
"description": "Should we cache assets",
|
||||
"example": true,
|
||||
"type": "boolean"
|
||||
},
|
||||
"openidc_enabled": {
|
||||
"description": "Is OpenID Connect authentication enabled",
|
||||
"example": true,
|
||||
"type": "boolean"
|
||||
},
|
||||
"openidc_redirect_uri": {
|
||||
"type": "string"
|
||||
},
|
||||
"openidc_discovery": {
|
||||
"type": "string"
|
||||
},
|
||||
"openidc_auth_method": {
|
||||
"type": "string",
|
||||
"pattern": "^(client_secret_basic|client_secret_post)$"
|
||||
},
|
||||
"openidc_client_id": {
|
||||
"type": "string"
|
||||
},
|
||||
"openidc_client_secret": {
|
||||
"type": "string"
|
||||
},
|
||||
"openidc_restrict_users_enabled": {
|
||||
"description": "Only allow a specific set of OpenID Connect emails to access the resource",
|
||||
"example": true,
|
||||
"type": "boolean"
|
||||
},
|
||||
"openidc_allowed_users": {
|
||||
"type": "array",
|
||||
"minItems": 0,
|
||||
"items": {
|
||||
"type": "string",
|
||||
"description": "Email Address",
|
||||
"example": "john@example.com",
|
||||
"format": "email",
|
||||
"minLength": 1
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -64,30 +64,6 @@
|
||||
"advanced_config": {
|
||||
"type": "string"
|
||||
},
|
||||
"openidc_enabled": {
|
||||
"$ref": "../definitions.json#/definitions/openidc_enabled"
|
||||
},
|
||||
"openidc_redirect_uri": {
|
||||
"$ref": "../definitions.json#/definitions/openidc_redirect_uri"
|
||||
},
|
||||
"openidc_discovery": {
|
||||
"$ref": "../definitions.json#/definitions/openidc_discovery"
|
||||
},
|
||||
"openidc_auth_method": {
|
||||
"$ref": "../definitions.json#/definitions/openidc_auth_method"
|
||||
},
|
||||
"openidc_client_id": {
|
||||
"$ref": "../definitions.json#/definitions/openidc_client_id"
|
||||
},
|
||||
"openidc_client_secret": {
|
||||
"$ref": "../definitions.json#/definitions/openidc_client_secret"
|
||||
},
|
||||
"openidc_restrict_users_enabled": {
|
||||
"$ref": "../definitions.json#/definitions/openidc_restrict_users_enabled"
|
||||
},
|
||||
"openidc_allowed_users": {
|
||||
"$ref": "../definitions.json#/definitions/openidc_allowed_users"
|
||||
},
|
||||
"enabled": {
|
||||
"$ref": "../definitions.json#/definitions/enabled"
|
||||
},
|
||||
@@ -185,30 +161,6 @@
|
||||
"advanced_config": {
|
||||
"$ref": "#/definitions/advanced_config"
|
||||
},
|
||||
"openidc_enabled": {
|
||||
"$ref": "#/definitions/openidc_enabled"
|
||||
},
|
||||
"openidc_redirect_uri": {
|
||||
"$ref": "#/definitions/openidc_redirect_uri"
|
||||
},
|
||||
"openidc_discovery": {
|
||||
"$ref": "#/definitions/openidc_discovery"
|
||||
},
|
||||
"openidc_auth_method": {
|
||||
"$ref": "#/definitions/openidc_auth_method"
|
||||
},
|
||||
"openidc_client_id": {
|
||||
"$ref": "#/definitions/openidc_client_id"
|
||||
},
|
||||
"openidc_client_secret": {
|
||||
"$ref": "#/definitions/openidc_client_secret"
|
||||
},
|
||||
"openidc_restrict_users_enabled": {
|
||||
"$ref": "#/definitions/openidc_restrict_users_enabled"
|
||||
},
|
||||
"openidc_allowed_users": {
|
||||
"$ref": "#/definitions/openidc_allowed_users"
|
||||
},
|
||||
"enabled": {
|
||||
"$ref": "#/definitions/enabled"
|
||||
},
|
||||
@@ -299,30 +251,6 @@
|
||||
"advanced_config": {
|
||||
"$ref": "#/definitions/advanced_config"
|
||||
},
|
||||
"openidc_enabled": {
|
||||
"$ref": "#/definitions/openidc_enabled"
|
||||
},
|
||||
"openidc_redirect_uri": {
|
||||
"$ref": "#/definitions/openidc_redirect_uri"
|
||||
},
|
||||
"openidc_discovery": {
|
||||
"$ref": "#/definitions/openidc_discovery"
|
||||
},
|
||||
"openidc_auth_method": {
|
||||
"$ref": "#/definitions/openidc_auth_method"
|
||||
},
|
||||
"openidc_client_id": {
|
||||
"$ref": "#/definitions/openidc_client_id"
|
||||
},
|
||||
"openidc_client_secret": {
|
||||
"$ref": "#/definitions/openidc_client_secret"
|
||||
},
|
||||
"openidc_restrict_users_enabled": {
|
||||
"$ref": "#/definitions/openidc_restrict_users_enabled"
|
||||
},
|
||||
"openidc_allowed_users": {
|
||||
"$ref": "#/definitions/openidc_allowed_users"
|
||||
},
|
||||
"enabled": {
|
||||
"$ref": "#/definitions/enabled"
|
||||
},
|
||||
@@ -396,30 +324,6 @@
|
||||
"advanced_config": {
|
||||
"$ref": "#/definitions/advanced_config"
|
||||
},
|
||||
"openidc_enabled": {
|
||||
"$ref": "#/definitions/openidc_enabled"
|
||||
},
|
||||
"openidc_redirect_uri": {
|
||||
"$ref": "#/definitions/openidc_redirect_uri"
|
||||
},
|
||||
"openidc_discovery": {
|
||||
"$ref": "#/definitions/openidc_discovery"
|
||||
},
|
||||
"openidc_auth_method": {
|
||||
"$ref": "#/definitions/openidc_auth_method"
|
||||
},
|
||||
"openidc_client_id": {
|
||||
"$ref": "#/definitions/openidc_client_id"
|
||||
},
|
||||
"openidc_client_secret": {
|
||||
"$ref": "#/definitions/openidc_client_secret"
|
||||
},
|
||||
"openidc_restrict_users_enabled": {
|
||||
"$ref": "#/definitions/openidc_restrict_users_enabled"
|
||||
},
|
||||
"openidc_allowed_users": {
|
||||
"$ref": "#/definitions/openidc_allowed_users"
|
||||
},
|
||||
"enabled": {
|
||||
"$ref": "#/definitions/enabled"
|
||||
},
|
||||
|
||||
@@ -46,6 +46,12 @@
|
||||
"udp_forwarding": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"domain_names": {
|
||||
"$ref": "../definitions.json#/definitions/domain_names"
|
||||
},
|
||||
"certificate_id": {
|
||||
"$ref": "../definitions.json#/definitions/certificate_id"
|
||||
},
|
||||
"enabled": {
|
||||
"$ref": "../definitions.json#/definitions/enabled"
|
||||
},
|
||||
@@ -78,6 +84,12 @@
|
||||
"udp_forwarding": {
|
||||
"$ref": "#/definitions/udp_forwarding"
|
||||
},
|
||||
"domain_names": {
|
||||
"$ref": "../definitions.json#/definitions/domain_names"
|
||||
},
|
||||
"certificate_id": {
|
||||
"$ref": "#/definitions/certificate_id"
|
||||
},
|
||||
"enabled": {
|
||||
"$ref": "#/definitions/enabled"
|
||||
},
|
||||
@@ -137,6 +149,12 @@
|
||||
"udp_forwarding": {
|
||||
"$ref": "#/definitions/udp_forwarding"
|
||||
},
|
||||
"domain_names": {
|
||||
"$ref": "../definitions.json#/definitions/domain_names"
|
||||
},
|
||||
"certificate_id": {
|
||||
"$ref": "#/definitions/certificate_id"
|
||||
},
|
||||
"meta": {
|
||||
"$ref": "#/definitions/meta"
|
||||
}
|
||||
@@ -177,6 +195,12 @@
|
||||
"udp_forwarding": {
|
||||
"$ref": "#/definitions/udp_forwarding"
|
||||
},
|
||||
"domain_names": {
|
||||
"$ref": "../definitions.json#/definitions/domain_names"
|
||||
},
|
||||
"certificate_id": {
|
||||
"$ref": "#/definitions/certificate_id"
|
||||
},
|
||||
"meta": {
|
||||
"$ref": "#/definitions/meta"
|
||||
}
|
||||
|
||||
@@ -21,14 +21,11 @@ const setupDefaultUser = () => {
|
||||
.then((row) => {
|
||||
if (!row.count) {
|
||||
// Create a new user and set password
|
||||
let email = process.env.INITIAL_ADMIN_EMAIL || 'admin@example.com';
|
||||
let password = process.env.INITIAL_ADMIN_PASSWORD || 'changeme';
|
||||
|
||||
logger.info('Creating a new user: ' + email + ' with password: ' + password);
|
||||
logger.info('Creating a new user: admin@example.com with password: changeme');
|
||||
|
||||
let data = {
|
||||
is_deleted: 0,
|
||||
email: email,
|
||||
email: 'admin@example.com',
|
||||
name: 'Administrator',
|
||||
nickname: 'Admin',
|
||||
avatar: '',
|
||||
@@ -44,7 +41,7 @@ const setupDefaultUser = () => {
|
||||
.insert({
|
||||
user_id: user.id,
|
||||
type: 'password',
|
||||
secret: password,
|
||||
secret: 'changeme',
|
||||
meta: {},
|
||||
})
|
||||
.then(() => {
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
{% if certificate.provider == "letsencrypt" %}
|
||||
# Let's Encrypt SSL
|
||||
include conf.d/include/letsencrypt-acme-challenge.conf;
|
||||
include conf.d/include/ssl-cache.conf;
|
||||
include conf.d/include/ssl-ciphers.conf;
|
||||
ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
|
||||
|
||||
13
backend/templates/_certificates_stream.conf
Normal file
13
backend/templates/_certificates_stream.conf
Normal file
@@ -0,0 +1,13 @@
|
||||
{% if certificate and certificate_id > 0 %}
|
||||
{% if certificate.provider == "letsencrypt" %}
|
||||
# Let's Encrypt SSL
|
||||
include conf.d/include/ssl-cache-stream.conf;
|
||||
include conf.d/include/ssl-ciphers.conf;
|
||||
ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
|
||||
{%- else %}
|
||||
# Custom SSL
|
||||
ssl_certificate /data/custom_ssl/npm-{{ certificate_id }}/fullchain.pem;
|
||||
ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
|
||||
{%- endif -%}
|
||||
{%- endif -%}
|
||||
@@ -1,47 +0,0 @@
|
||||
{% if openidc_enabled == 1 or openidc_enabled == true -%}
|
||||
access_by_lua_block {
|
||||
local openidc = require("resty.openidc")
|
||||
local opts = {
|
||||
redirect_uri = "{{- openidc_redirect_uri -}}",
|
||||
discovery = "{{- openidc_discovery -}}",
|
||||
token_endpoint_auth_method = "{{- openidc_auth_method -}}",
|
||||
client_id = "{{- openidc_client_id -}}",
|
||||
client_secret = "{{- openidc_client_secret -}}",
|
||||
scope = "openid email profile"
|
||||
}
|
||||
|
||||
local res, err = openidc.authenticate(opts)
|
||||
|
||||
if err then
|
||||
ngx.status = 500
|
||||
ngx.say(err)
|
||||
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
|
||||
end
|
||||
|
||||
{% if openidc_restrict_users_enabled == 1 or openidc_restrict_users_enabled == true -%}
|
||||
local function contains(table, val)
|
||||
for i=1,#table do
|
||||
if table[i] == val then
|
||||
return true
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
local allowed_users = {
|
||||
{% for user in openidc_allowed_users %}
|
||||
"{{ user }}",
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
if not contains(allowed_users, res.id_token.email) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
{% endif -%}
|
||||
|
||||
|
||||
ngx.req.set_header("X-OIDC-SUB", res.id_token.sub)
|
||||
ngx.req.set_header("X-OIDC-EMAIL", res.id_token.email)
|
||||
ngx.req.set_header("X-OIDC-NAME", res.id_token.name)
|
||||
}
|
||||
{% endif %}
|
||||
@@ -33,30 +33,8 @@ proxy_http_version 1.1;
|
||||
|
||||
location / {
|
||||
|
||||
{% if access_list_id > 0 %}
|
||||
{% if access_list.items.length > 0 %}
|
||||
# Authorization
|
||||
auth_basic "Authorization required";
|
||||
auth_basic_user_file /data/access/{{ access_list_id }};
|
||||
|
||||
{{ access_list.passauth }}
|
||||
{% endif %}
|
||||
|
||||
# Access Rules
|
||||
{% for client in access_list.clients %}
|
||||
{{- client.rule -}};
|
||||
{% endfor %}deny all;
|
||||
|
||||
# Access checks must...
|
||||
{% if access_list.satisfy %}
|
||||
{{ access_list.satisfy }};
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% include "_openid_connect.conf" %}
|
||||
{% include "_access.conf" %}
|
||||
{% include "_hsts.conf" %}
|
||||
{% include "_access.conf" %}
|
||||
{% include "_hsts.conf" %}
|
||||
|
||||
{% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
|
||||
@@ -5,12 +5,10 @@
|
||||
{% if enabled %}
|
||||
{% if tcp_forwarding == 1 or tcp_forwarding == true -%}
|
||||
server {
|
||||
listen {{ incoming_port }};
|
||||
{% if ipv6 -%}
|
||||
listen [::]:{{ incoming_port }};
|
||||
{% else -%}
|
||||
#listen [::]:{{ incoming_port }};
|
||||
{% endif %}
|
||||
listen {{ incoming_port }} {%- if certificate %} ssl {%- endif %};
|
||||
{% unless ipv6 -%} # {%- endunless -%} listen [::]:{{ incoming_port }} {%- if certificate %} ssl {%- endif %};
|
||||
|
||||
{%- include "_certificates_stream.conf" %}
|
||||
|
||||
proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
|
||||
|
||||
@@ -19,14 +17,12 @@ server {
|
||||
include /data/nginx/custom/server_stream_tcp[.]conf;
|
||||
}
|
||||
{% endif %}
|
||||
{% if udp_forwarding == 1 or udp_forwarding == true %}
|
||||
|
||||
{% if udp_forwarding == 1 or udp_forwarding == true -%}
|
||||
server {
|
||||
listen {{ incoming_port }} udp;
|
||||
{% if ipv6 -%}
|
||||
listen [::]:{{ incoming_port }} udp;
|
||||
{% else -%}
|
||||
#listen [::]:{{ incoming_port }} udp;
|
||||
{% endif %}
|
||||
{% unless ipv6 -%} # {%- endunless -%} listen [::]:{{ incoming_port }} udp;
|
||||
|
||||
proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
|
||||
|
||||
# Custom
|
||||
|
||||
@@ -448,11 +448,11 @@ brace-expansion@^1.1.7:
|
||||
concat-map "0.0.1"
|
||||
|
||||
braces@~3.0.2:
|
||||
version "3.0.3"
|
||||
resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.3.tgz#490332f40919452272d55a8480adc0c441358789"
|
||||
integrity sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==
|
||||
version "3.0.2"
|
||||
resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.2.tgz#3454e1a462ee8d599e236df336cd9ea4f8afe107"
|
||||
integrity sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==
|
||||
dependencies:
|
||||
fill-range "^7.1.1"
|
||||
fill-range "^7.0.1"
|
||||
|
||||
buffer-crc32@^0.2.1, buffer-crc32@^0.2.13:
|
||||
version "0.2.13"
|
||||
@@ -1206,10 +1206,10 @@ file-entry-cache@^6.0.1:
|
||||
dependencies:
|
||||
flat-cache "^3.0.4"
|
||||
|
||||
fill-range@^7.1.1:
|
||||
version "7.1.1"
|
||||
resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.1.1.tgz#44265d3cac07e3ea7dc247516380643754a05292"
|
||||
integrity sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==
|
||||
fill-range@^7.0.1:
|
||||
version "7.0.1"
|
||||
resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.0.1.tgz#1919a6a7c75fe38b2c7c77e5198535da9acdda40"
|
||||
integrity sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==
|
||||
dependencies:
|
||||
to-regex-range "^5.0.1"
|
||||
|
||||
@@ -1402,9 +1402,9 @@ glob-parent@^6.0.2:
|
||||
is-glob "^4.0.3"
|
||||
|
||||
glob-parent@~5.1.0:
|
||||
version "5.1.2"
|
||||
resolved "https://registry.yarnpkg.com/glob-parent/-/glob-parent-5.1.2.tgz#869832c58034fe68a4093c17dc15e8340d8401c4"
|
||||
integrity sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==
|
||||
version "5.1.1"
|
||||
resolved "https://registry.yarnpkg.com/glob-parent/-/glob-parent-5.1.1.tgz#b6c1ef417c4e5663ea498f1c45afac6916bbc229"
|
||||
integrity sha512-FnI+VGOpnlGHWZxthPGR+QhR78fuiK0sNLkHQv+bL9fQi57lNNdquIbna/WrfROrolq8GK5Ek6BiMwqL/voRYQ==
|
||||
dependencies:
|
||||
is-glob "^4.0.1"
|
||||
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
|
||||
log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
|
||||
|
||||
access_log /data/logs/fallback_access.log proxy;
|
||||
@@ -0,0 +1,2 @@
|
||||
ssl_session_timeout 5m;
|
||||
ssl_session_cache shared:SSL_stream:50m;
|
||||
2
docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf
Normal file
2
docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf
Normal file
@@ -0,0 +1,2 @@
|
||||
ssl_session_timeout 5m;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
@@ -1,6 +1,3 @@
|
||||
ssl_session_timeout 5m;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
|
||||
# intermediate configuration. tweak to your needs.
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
|
||||
|
||||
@@ -14,9 +14,6 @@ error_log /data/logs/fallback_error.log warn;
|
||||
# Includes files with directives to load dynamic modules.
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
# Custom
|
||||
include /data/nginx/custom/root_top[.]conf;
|
||||
|
||||
events {
|
||||
include /data/nginx/custom/events[.]conf;
|
||||
}
|
||||
@@ -46,23 +43,11 @@ http {
|
||||
proxy_cache_path /var/lib/nginx/cache/public levels=1:2 keys_zone=public-cache:30m max_size=192m;
|
||||
proxy_cache_path /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
|
||||
|
||||
lua_package_path '~/lua/?.lua;;';
|
||||
|
||||
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
||||
lua_ssl_verify_depth 5;
|
||||
|
||||
# cache for discovery metadata documents
|
||||
lua_shared_dict discovery 1m;
|
||||
# cache for JWKs
|
||||
lua_shared_dict jwks 1m;
|
||||
|
||||
log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
|
||||
log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
|
||||
|
||||
access_log /data/logs/fallback_access.log proxy;
|
||||
|
||||
include /etc/nginx/conf.d/include/log.conf;
|
||||
|
||||
# Dynamically generated resolvers file
|
||||
include /etc/nginx/conf.d/include/resolvers.conf;
|
||||
|
||||
|
||||
@@ -173,7 +173,6 @@ NPM has the ability to include different custom configuration snippets in differ
|
||||
|
||||
You can add your custom configuration snippet files at `/data/nginx/custom` as follow:
|
||||
|
||||
- `/data/nginx/custom/root_top.conf`: Included at the top of nginx.conf
|
||||
- `/data/nginx/custom/root.conf`: Included at the very end of nginx.conf
|
||||
- `/data/nginx/custom/http_top.conf`: Included at the top of the main http block
|
||||
- `/data/nginx/custom/http.conf`: Included at the end of the main http block
|
||||
@@ -200,28 +199,6 @@ value by specifying it as a Docker environment variable. The default if not spec
|
||||
...
|
||||
```
|
||||
|
||||
## OpenID Connect SSO
|
||||
|
||||
You can secure any of your proxy hosts with OpenID Connect authentication, providing SSO support from an identity provider like Azure AD or KeyCloak. OpenID Connect support is provided through the [`lua-resty-openidc`](https://github.com/zmartzone/lua-resty-openidc) library of [`OpenResty`](https://github.com/openresty/openresty).
|
||||
|
||||
You will need a few things to get started with OpenID Connect:
|
||||
|
||||
- A registered application with your identity provider, they will provide you with a `Client ID` and a `Client Secret`. Public OpenID Connect applications (without a client secret) are not yet supported.
|
||||
|
||||
- A redirect URL to send the users to after they login with the identity provider, this can be any unused URL under the proxy host, like `https://<proxy host url>/private/callback`, the server will take care of capturing that URL and redirecting you to the proxy host root. You will need to add this URL to the list of allowed redirect URLs for the application you registered with your identity provider.
|
||||
|
||||
- The well-known discovery endpoint of the identity provider you want to use, this is an URL usually with the form `https://<provider URL>/.well-known/openid-configuration`.
|
||||
|
||||
After you have all this you can proceed to configure the proxy host with OpenID Connect authentication.
|
||||
|
||||
You can also add some rudimentary access control through a list of allowed emails in case your identity provider doesn't let you do that, if this option is enabled, any email not on that list will be denied access to the proxied host.
|
||||
|
||||
The proxy adds some headers based on the authentication result from the identity provider:
|
||||
|
||||
- `X-OIDC-SUB`: The subject identifier, according to the OpenID Coonect spec: `A locally unique and never reassigned identifier within the Issuer for the End-User`.
|
||||
- `X-OIDC-EMAIL`: The email of the user that logged in, as specified in the `id_token` returned from the identity provider. The same value that will be checked for the email whitelist.
|
||||
- `X-OIDC-NAME`: The user's name claim from the `id_token`, please note that not all id tokens necessarily contain this claim.
|
||||
|
||||
## Customising logrotate settings
|
||||
|
||||
By default, NPM rotates the access- and error logs weekly and keeps 4 and 10 log files respectively.
|
||||
@@ -235,12 +212,3 @@ You can customise the logrotate configuration through a mount (if your custom co
|
||||
```
|
||||
|
||||
For reference, the default configuration can be found [here](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/develop/docker/rootfs/etc/logrotate.d/nginx-proxy-manager).
|
||||
|
||||
## Enabling the geoip2 module
|
||||
|
||||
To enable the geoip2 module, you can create the custom configuration file `/data/nginx/custom/root_top.conf` and include the following snippet:
|
||||
|
||||
```
|
||||
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
|
||||
```
|
||||
|
||||
@@ -11,7 +11,6 @@
|
||||
<li role="presentation" class="nav-item"><a href="#locations" aria-controls="tab4" role="tab" data-toggle="tab" class="nav-link"><i class="fe fe-layers"></i> <%- i18n('all-hosts', 'locations') %></a></li>
|
||||
<li role="presentation" class="nav-item"><a href="#ssl-options" aria-controls="tab2" role="tab" data-toggle="tab" class="nav-link"><i class="fe fe-shield"></i> <%- i18n('str', 'ssl') %></a></li>
|
||||
<li role="presentation" class="nav-item"><a href="#advanced" aria-controls="tab3" role="tab" data-toggle="tab" class="nav-link"><i class="fe fe-settings"></i> <%- i18n('all-hosts', 'advanced') %></a></li>
|
||||
<li role="presentation" class="nav-item"><a href="#openidc" aria-controls="tab3" role="tab" data-toggle="tab" class="nav-link"><i class="fe fe-settings"></i><%- i18n('proxy-hosts', 'oidc') %></a></li>
|
||||
</ul>
|
||||
<div class="tab-content">
|
||||
|
||||
@@ -272,71 +271,6 @@
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- OpenID Connect -->
|
||||
<div role="tabpanel" class="tab-pane" id="openidc">
|
||||
<div class="row">
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="form-group">
|
||||
<label class="custom-switch">
|
||||
<input type="checkbox" class="custom-switch-input" name="openidc_enabled" value="1"<%- openidc_enabled ? ' checked' : '' %>>
|
||||
<span class="custom-switch-indicator"></span>
|
||||
<span class="custom-switch-description"><%- i18n('proxy-hosts', 'oidc-enabled') %></span>
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12 openidc">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('proxy-hosts', 'oidc-redirect-uri') %><span class="form-required">*</span></label>
|
||||
<input type="text" name="openidc_redirect_uri" class="form-control text-monospace" placeholder="" value="<%- openidc_redirect_uri %>" autocomplete="off" maxlength="255" required>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12 openidc">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('proxy-hosts', 'oidc-discovery-endpoint') %><span class="form-required">*</span></label>
|
||||
<input type="text" name="openidc_discovery" class="form-control text-monospace" placeholder="" value="<%- openidc_discovery %>" autocomplete="off" maxlength="255" required>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12 openidc">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('proxy-hosts', 'oidc-token-auth-method') %><span class="form-required">*</span></label>
|
||||
<select name="openidc_auth_method" class="form-control custom-select" placeholder="client_secret_post">
|
||||
<option value="client_secret_post" <%- openidc_auth_method === 'client_secret_post' ? 'selected' : '' %>>client_secret_post</option>
|
||||
<option value="client_secret_basic" <%- openidc_auth_method === 'client_secret_basic' ? 'selected' : '' %>>client_secret_basic</option>
|
||||
</select>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12 openidc">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('proxy-hosts', 'oidc-client-id') %><span class="form-required">*</span></label>
|
||||
<input type="text" name="openidc_client_id" class="form-control text-monospace" placeholder="" value="<%- openidc_client_id %>" autocomplete="off" maxlength="255" required>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12 openidc">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('proxy-hosts', 'oidc-client-secret') %><span class="form-required">*</span></label>
|
||||
<input type="text" name="openidc_client_secret" class="form-control text-monospace" placeholder="" value="<%- openidc_client_secret %>" autocomplete="off" maxlength="255" required>
|
||||
</div>
|
||||
</div>
|
||||
<div class="openidc">
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="form-group">
|
||||
<label class="custom-switch">
|
||||
<input type="checkbox" class="custom-switch-input" name="openidc_restrict_users_enabled" value="1"<%- openidc_restrict_users_enabled ? ' checked' : '' %>>
|
||||
<span class="custom-switch-indicator"></span>
|
||||
<span class="custom-switch-description"><%- i18n('proxy-hosts', 'oidc-allow-only-emails') %></span>
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12 openidc_users">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('proxy-hosts', 'oidc-allowed-emails') %><span class="form-required">*</span></label>
|
||||
<input type="text" name="openidc_allowed_users" class="form-control" id="openidc_allowed_users" value="<%- openidc_allowed_users.join(',') %>" required>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
@@ -21,34 +21,29 @@ module.exports = Mn.View.extend({
|
||||
locationsCollection: new ProxyLocationModel.Collection(),
|
||||
|
||||
ui: {
|
||||
form: 'form',
|
||||
domain_names: 'input[name="domain_names"]',
|
||||
forward_host: 'input[name="forward_host"]',
|
||||
buttons: '.modal-footer button',
|
||||
cancel: 'button.cancel',
|
||||
save: 'button.save',
|
||||
add_location_btn: 'button.add_location',
|
||||
locations_container: '.locations_container',
|
||||
le_error_info: '#le-error-info',
|
||||
certificate_select: 'select[name="certificate_id"]',
|
||||
access_list_select: 'select[name="access_list_id"]',
|
||||
ssl_forced: 'input[name="ssl_forced"]',
|
||||
hsts_enabled: 'input[name="hsts_enabled"]',
|
||||
hsts_subdomains: 'input[name="hsts_subdomains"]',
|
||||
http2_support: 'input[name="http2_support"]',
|
||||
dns_challenge_switch: 'input[name="meta[dns_challenge]"]',
|
||||
dns_challenge_content: '.dns-challenge',
|
||||
dns_provider: 'select[name="meta[dns_provider]"]',
|
||||
credentials_file_content: '.credentials-file-content',
|
||||
dns_provider_credentials: 'textarea[name="meta[dns_provider_credentials]"]',
|
||||
propagation_seconds: 'input[name="meta[propagation_seconds]"]',
|
||||
forward_scheme: 'select[name="forward_scheme"]',
|
||||
letsencrypt: '.letsencrypt',
|
||||
openidc_enabled: 'input[name="openidc_enabled"]',
|
||||
openidc_restrict_users_enabled: 'input[name="openidc_restrict_users_enabled"]',
|
||||
openidc_allowed_users: 'input[name="openidc_allowed_users"]',
|
||||
openidc: '.openidc',
|
||||
openidc_users: '.openidc_users',
|
||||
form: 'form',
|
||||
domain_names: 'input[name="domain_names"]',
|
||||
forward_host: 'input[name="forward_host"]',
|
||||
buttons: '.modal-footer button',
|
||||
cancel: 'button.cancel',
|
||||
save: 'button.save',
|
||||
add_location_btn: 'button.add_location',
|
||||
locations_container: '.locations_container',
|
||||
le_error_info: '#le-error-info',
|
||||
certificate_select: 'select[name="certificate_id"]',
|
||||
access_list_select: 'select[name="access_list_id"]',
|
||||
ssl_forced: 'input[name="ssl_forced"]',
|
||||
hsts_enabled: 'input[name="hsts_enabled"]',
|
||||
hsts_subdomains: 'input[name="hsts_subdomains"]',
|
||||
http2_support: 'input[name="http2_support"]',
|
||||
dns_challenge_switch: 'input[name="meta[dns_challenge]"]',
|
||||
dns_challenge_content: '.dns-challenge',
|
||||
dns_provider: 'select[name="meta[dns_provider]"]',
|
||||
credentials_file_content: '.credentials-file-content',
|
||||
dns_provider_credentials: 'textarea[name="meta[dns_provider_credentials]"]',
|
||||
propagation_seconds: 'input[name="meta[propagation_seconds]"]',
|
||||
forward_scheme: 'select[name="forward_scheme"]',
|
||||
letsencrypt: '.letsencrypt'
|
||||
},
|
||||
|
||||
regions: {
|
||||
@@ -118,7 +113,7 @@ module.exports = Mn.View.extend({
|
||||
} else {
|
||||
this.ui.dns_provider.prop('required', false);
|
||||
this.ui.dns_provider_credentials.prop('required', false);
|
||||
this.ui.dns_challenge_content.hide();
|
||||
this.ui.dns_challenge_content.hide();
|
||||
}
|
||||
},
|
||||
|
||||
@@ -130,34 +125,13 @@ module.exports = Mn.View.extend({
|
||||
this.ui.credentials_file_content.show();
|
||||
} else {
|
||||
this.ui.dns_provider_credentials.prop('required', false);
|
||||
this.ui.credentials_file_content.hide();
|
||||
}
|
||||
},
|
||||
|
||||
'change @ui.openidc_enabled': function () {
|
||||
let checked = this.ui.openidc_enabled.prop('checked');
|
||||
|
||||
if (checked) {
|
||||
this.ui.openidc.show().find('input').prop('disabled', false);
|
||||
} else {
|
||||
this.ui.openidc.hide().find('input').prop('disabled', true);
|
||||
}
|
||||
|
||||
this.ui.openidc_restrict_users_enabled.trigger('change');
|
||||
},
|
||||
|
||||
'change @ui.openidc_restrict_users_enabled': function () {
|
||||
let checked = this.ui.openidc_restrict_users_enabled.prop('checked');
|
||||
if (checked) {
|
||||
this.ui.openidc_users.show().find('input').prop('disabled', false);
|
||||
} else {
|
||||
this.ui.openidc_users.hide().find('input').prop('disabled', true);
|
||||
this.ui.credentials_file_content.hide();
|
||||
}
|
||||
},
|
||||
|
||||
'click @ui.add_location_btn': function (e) {
|
||||
e.preventDefault();
|
||||
|
||||
|
||||
const model = new ProxyLocationModel.Model();
|
||||
this.locationsCollection.add(model);
|
||||
},
|
||||
@@ -193,25 +167,17 @@ module.exports = Mn.View.extend({
|
||||
data.hsts_enabled = !!data.hsts_enabled;
|
||||
data.hsts_subdomains = !!data.hsts_subdomains;
|
||||
data.ssl_forced = !!data.ssl_forced;
|
||||
data.openidc_enabled = data.openidc_enabled === '1';
|
||||
data.openidc_restrict_users_enabled = data.openidc_restrict_users_enabled === '1';
|
||||
|
||||
if (data.openidc_restrict_users_enabled) {
|
||||
if (typeof data.openidc_allowed_users === 'string' && data.openidc_allowed_users) {
|
||||
data.openidc_allowed_users = data.openidc_allowed_users.split(',');
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (typeof data.meta === 'undefined') data.meta = {};
|
||||
data.meta.letsencrypt_agree = data.meta.letsencrypt_agree == 1;
|
||||
data.meta.dns_challenge = data.meta.dns_challenge == 1;
|
||||
|
||||
|
||||
if(!data.meta.dns_challenge){
|
||||
data.meta.dns_provider = undefined;
|
||||
data.meta.dns_provider_credentials = undefined;
|
||||
data.meta.propagation_seconds = undefined;
|
||||
} else {
|
||||
if(data.meta.propagation_seconds === '') data.meta.propagation_seconds = undefined;
|
||||
if(data.meta.propagation_seconds === '') data.meta.propagation_seconds = undefined;
|
||||
}
|
||||
|
||||
if (typeof data.domain_names === 'string' && data.domain_names) {
|
||||
@@ -219,7 +185,7 @@ module.exports = Mn.View.extend({
|
||||
}
|
||||
|
||||
// Check for any domain names containing wildcards, which are not allowed with letsencrypt
|
||||
if (data.certificate_id === 'new') {
|
||||
if (data.certificate_id === 'new') {
|
||||
let domain_err = false;
|
||||
if (!data.meta.dns_challenge) {
|
||||
data.domain_names.map(function (name) {
|
||||
@@ -237,12 +203,6 @@ module.exports = Mn.View.extend({
|
||||
data.certificate_id = parseInt(data.certificate_id, 10);
|
||||
}
|
||||
|
||||
// OpenID Connect won't work with multiple domain names because the redirect URL has to point to a specific one
|
||||
if (data.openidc_enabled && data.domain_names.length > 1) {
|
||||
alert('Cannot use mutliple domain names when OpenID Connect is enabled');
|
||||
return;
|
||||
}
|
||||
|
||||
let method = App.Api.Nginx.ProxyHosts.create;
|
||||
let is_new = true;
|
||||
|
||||
@@ -384,23 +344,6 @@ module.exports = Mn.View.extend({
|
||||
view.ui.certificate_select[0].selectize.setValue(view.model.get('certificate_id'));
|
||||
}
|
||||
});
|
||||
|
||||
// OpenID Connect
|
||||
this.ui.openidc_allowed_users.selectize({
|
||||
delimiter: ',',
|
||||
persist: false,
|
||||
maxOptions: 15,
|
||||
create: function (input) {
|
||||
return {
|
||||
value: input,
|
||||
text: input
|
||||
};
|
||||
}
|
||||
});
|
||||
this.ui.openidc.hide().find('input').prop('disabled', true);
|
||||
this.ui.openidc_users.hide().find('input').prop('disabled', true);
|
||||
this.ui.openidc_enabled.trigger('change');
|
||||
this.ui.openidc_restrict_users_enabled.trigger('change');
|
||||
},
|
||||
|
||||
initialize: function (options) {
|
||||
|
||||
@@ -3,48 +3,187 @@
|
||||
<h5 class="modal-title"><%- i18n('streams', 'form-title', {id: id}) %></h5>
|
||||
<button type="button" class="close cancel" aria-label="Close" data-dismiss="modal"> </button>
|
||||
</div>
|
||||
<div class="modal-body">
|
||||
<div class="modal-body has-tabs">
|
||||
<div class="alert alert-danger mb-0 rounded-0" id="le-error-info" role="alert"></div>
|
||||
<form>
|
||||
<div class="row">
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('streams', 'incoming-port') %> <span class="form-required">*</span></label>
|
||||
<input name="incoming_port" type="number" class="form-control text-monospace" placeholder="eg: 8080" min="1" max="65535" value="<%- incoming_port %>" required>
|
||||
<ul class="nav nav-tabs" role="tablist">
|
||||
<li role="presentation" class="nav-item"><a href="#details" aria-controls="tab1" role="tab" data-toggle="tab" class="nav-link active"><i class="fe fe-zap"></i> <%- i18n('all-hosts', 'details') %></a></li>
|
||||
<li role="presentation" class="nav-item"><a href="#ssl-options" aria-controls="tab2" role="tab" data-toggle="tab" class="nav-link"><i class="fe fe-shield"></i> <%- i18n('str', 'ssl') %></a></li>
|
||||
</ul>
|
||||
<div class="tab-content">
|
||||
<!-- Details -->
|
||||
<div role="tabpanel" class="tab-pane active" id="details">
|
||||
<div class="row">
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('streams', 'incoming-port') %> <span class="form-required">*</span></label>
|
||||
<input name="incoming_port" type="number" class="form-control text-monospace" placeholder="eg: 8080" min="1" max="65535" value="<%- incoming_port %>" required>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-8 col-md-8">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('streams', 'forwarding-host') %><span class="form-required">*</span></label>
|
||||
<input type="text" name="forwarding_host" class="form-control text-monospace" placeholder="example.com or 10.0.0.1 or 2001:db8:3333:4444:5555:6666:7777:8888" value="<%- forwarding_host %>" autocomplete="off" maxlength="255" required>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-4 col-md-4">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('streams', 'forwarding-port') %> <span class="form-required">*</span></label>
|
||||
<input name="forwarding_port" type="number" class="form-control text-monospace" placeholder="eg: 80" min="1" max="65535" value="<%- forwarding_port %>" required>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-6 col-md-6">
|
||||
<div class="form-group">
|
||||
<label class="custom-switch">
|
||||
<input type="checkbox" class="custom-switch-input" name="tcp_forwarding" value="1"<%- tcp_forwarding ? ' checked' : '' %>>
|
||||
<span class="custom-switch-indicator"></span>
|
||||
<span class="custom-switch-description"><%- i18n('streams', 'tcp-forwarding') %></span>
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-6 col-md-6">
|
||||
<div class="form-group">
|
||||
<label class="custom-switch">
|
||||
<input type="checkbox" class="custom-switch-input" name="udp_forwarding" value="1"<%- udp_forwarding ? ' checked' : '' %>>
|
||||
<span class="custom-switch-indicator"></span>
|
||||
<span class="custom-switch-description"><%- i18n('streams', 'udp-forwarding') %></span>
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="forward-type-error invalid-feedback"><%- i18n('streams', 'forward-type-error') %></div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-8 col-md-8">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('streams', 'forwarding-host') %><span class="form-required">*</span></label>
|
||||
<input type="text" name="forwarding_host" class="form-control text-monospace" placeholder="example.com or 10.0.0.1 or 2001:db8:3333:4444:5555:6666:7777:8888" value="<%- forwarding_host %>" autocomplete="off" maxlength="255" required>
|
||||
|
||||
<!-- SSL -->
|
||||
<div role="tabpanel" class="tab-pane" id="ssl-options">
|
||||
<div class="row">
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('streams', 'ssl-certificate') %></label>
|
||||
<select name="certificate_id" class="form-control custom-select" placeholder="<%- i18n('all-hosts', 'none') %>">
|
||||
<option selected value="0" data-data="{"id":0}" <%- certificate_id ? '' : 'selected' %>><%- i18n('all-hosts', 'none') %></option>
|
||||
<option selected value="new" data-data="{"id":"new"}"><%- i18n('all-hosts', 'new-cert') %></option>
|
||||
</select>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- DNS challenge -->
|
||||
<div class="col-sm-12 col-md-12 letsencrypt">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('all-hosts', 'domain-names') %> <span class="form-required">*</span></label>
|
||||
<input type="text" name="domain_names" class="form-control" id="input-domains" value="<%- domain_names.join(',') %>">
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label class="custom-switch">
|
||||
<input
|
||||
type="checkbox"
|
||||
class="custom-switch-input"
|
||||
name="meta[dns_challenge]"
|
||||
value="1"
|
||||
checked
|
||||
disabled
|
||||
>
|
||||
<span class="custom-switch-indicator"></span>
|
||||
<span class="custom-switch-description"><%= i18n('ssl', 'dns-challenge') %></span>
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12 letsencrypt">
|
||||
<fieldset class="form-fieldset dns-challenge">
|
||||
<div class="text-red mb-4"><i class="fe fe-alert-triangle"></i> <%= i18n('ssl', 'certbot-warning') %></div>
|
||||
|
||||
<!-- Certbot DNS plugin selection -->
|
||||
<div class="row">
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('ssl', 'dns-provider') %> <span class="form-required">*</span></label>
|
||||
<select
|
||||
name="meta[dns_provider]"
|
||||
id="dns_provider"
|
||||
class="form-control custom-select"
|
||||
>
|
||||
<option
|
||||
value=""
|
||||
disabled
|
||||
hidden
|
||||
<%- getDnsProvider() === null ? 'selected' : '' %>
|
||||
>Please Choose...</option>
|
||||
<% _.each(dns_plugins, function(plugin_info, plugin_name){ %>
|
||||
<option
|
||||
value="<%- plugin_name %>"
|
||||
<%- getDnsProvider() === plugin_name ? 'selected' : '' %>
|
||||
><%- plugin_info.name %></option>
|
||||
<% }); %>
|
||||
</select>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- Certbot credentials file content -->
|
||||
<div class="row credentials-file-content">
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('ssl', 'credentials-file-content') %> <span class="form-required">*</span></label>
|
||||
<textarea
|
||||
name="meta[dns_provider_credentials]"
|
||||
class="form-control text-monospace"
|
||||
id="dns_provider_credentials"
|
||||
><%- getDnsProviderCredentials() %></textarea>
|
||||
<div class="text-secondary small">
|
||||
<i class="fe fe-info"></i>
|
||||
<%= i18n('ssl', 'credentials-file-content-info') %>
|
||||
</div>
|
||||
<div class="text-red small">
|
||||
<i class="fe fe-alert-triangle"></i>
|
||||
<%= i18n('ssl', 'stored-as-plaintext-info') %>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- DNS propagation delay -->
|
||||
<div class="row">
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="form-group mb-0">
|
||||
<label class="form-label"><%- i18n('ssl', 'propagation-seconds') %></label>
|
||||
<input
|
||||
type="number"
|
||||
min="0"
|
||||
name="meta[propagation_seconds]"
|
||||
class="form-control"
|
||||
id="propagation_seconds"
|
||||
value="<%- getPropagationSeconds() %>"
|
||||
>
|
||||
<div class="text-secondary small">
|
||||
<i class="fe fe-info"></i>
|
||||
<%= i18n('ssl', 'propagation-seconds-info') %>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</fieldset>
|
||||
</div>
|
||||
|
||||
<!-- Lets encrypt -->
|
||||
<div class="col-sm-12 col-md-12 letsencrypt">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('ssl', 'letsencrypt-email') %> <span class="form-required">*</span></label>
|
||||
<input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required disabled>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12 letsencrypt">
|
||||
<div class="form-group">
|
||||
<label class="custom-switch">
|
||||
<input type="checkbox" class="custom-switch-input" name="meta[letsencrypt_agree]" value="1" required disabled>
|
||||
<span class="custom-switch-indicator"></span>
|
||||
<span class="custom-switch-description"><%= i18n('ssl', 'letsencrypt-agree', {url: 'https://letsencrypt.org/repository/'}) %> <span class="form-required">*</span></span>
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-4 col-md-4">
|
||||
<div class="form-group">
|
||||
<label class="form-label"><%- i18n('streams', 'forwarding-port') %> <span class="form-required">*</span></label>
|
||||
<input name="forwarding_port" type="number" class="form-control text-monospace" placeholder="eg: 80" min="1" max="65535" value="<%- forwarding_port %>" required>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-6 col-md-6">
|
||||
<div class="form-group">
|
||||
<label class="custom-switch">
|
||||
<input type="checkbox" class="custom-switch-input" name="tcp_forwarding" value="1"<%- tcp_forwarding ? ' checked' : '' %>>
|
||||
<span class="custom-switch-indicator"></span>
|
||||
<span class="custom-switch-description"><%- i18n('streams', 'tcp-forwarding') %></span>
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-6 col-md-6">
|
||||
<div class="form-group">
|
||||
<label class="custom-switch">
|
||||
<input type="checkbox" class="custom-switch-input" name="udp_forwarding" value="1"<%- udp_forwarding ? ' checked' : '' %>>
|
||||
<span class="custom-switch-indicator"></span>
|
||||
<span class="custom-switch-description"><%- i18n('streams', 'udp-forwarding') %></span>
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-sm-12 col-md-12">
|
||||
<div class="forward-type-error invalid-feedback"><%- i18n('streams', 'forward-type-error') %></div>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
@@ -1,24 +1,38 @@
|
||||
const Mn = require('backbone.marionette');
|
||||
const App = require('../../main');
|
||||
const StreamModel = require('../../../models/stream');
|
||||
const template = require('./form.ejs');
|
||||
const Mn = require('backbone.marionette');
|
||||
const App = require('../../main');
|
||||
const StreamModel = require('../../../models/stream');
|
||||
const template = require('./form.ejs');
|
||||
const dns_providers = require('../../../../../global/certbot-dns-plugins');
|
||||
|
||||
require('jquery-serializejson');
|
||||
require('jquery-mask-plugin');
|
||||
require('selectize');
|
||||
const Helpers = require("../../../lib/helpers");
|
||||
const certListItemTemplate = require("../certificates-list-item.ejs");
|
||||
const i18n = require("../../i18n");
|
||||
|
||||
module.exports = Mn.View.extend({
|
||||
template: template,
|
||||
className: 'modal-dialog',
|
||||
|
||||
ui: {
|
||||
form: 'form',
|
||||
forwarding_host: 'input[name="forwarding_host"]',
|
||||
type_error: '.forward-type-error',
|
||||
buttons: '.modal-footer button',
|
||||
switches: '.custom-switch-input',
|
||||
cancel: 'button.cancel',
|
||||
save: 'button.save'
|
||||
form: 'form',
|
||||
forwarding_host: 'input[name="forwarding_host"]',
|
||||
type_error: '.forward-type-error',
|
||||
buttons: '.modal-footer button',
|
||||
switches: '.custom-switch-input',
|
||||
cancel: 'button.cancel',
|
||||
save: 'button.save',
|
||||
le_error_info: '#le-error-info',
|
||||
certificate_select: 'select[name="certificate_id"]',
|
||||
domain_names: 'input[name="domain_names"]',
|
||||
dns_challenge_switch: 'input[name="meta[dns_challenge]"]',
|
||||
dns_challenge_content: '.dns-challenge',
|
||||
dns_provider: 'select[name="meta[dns_provider]"]',
|
||||
credentials_file_content: '.credentials-file-content',
|
||||
dns_provider_credentials: 'textarea[name="meta[dns_provider_credentials]"]',
|
||||
propagation_seconds: 'input[name="meta[propagation_seconds]"]',
|
||||
letsencrypt: '.letsencrypt'
|
||||
},
|
||||
|
||||
events: {
|
||||
@@ -48,6 +62,35 @@ module.exports = Mn.View.extend({
|
||||
data.tcp_forwarding = !!data.tcp_forwarding;
|
||||
data.udp_forwarding = !!data.udp_forwarding;
|
||||
|
||||
if (typeof data.meta === 'undefined') data.meta = {};
|
||||
data.meta.letsencrypt_agree = data.meta.letsencrypt_agree == 1;
|
||||
data.meta.dns_challenge = true;
|
||||
|
||||
if (data.meta.propagation_seconds === '') data.meta.propagation_seconds = undefined;
|
||||
|
||||
if (typeof data.domain_names === 'string' && data.domain_names) {
|
||||
data.domain_names = data.domain_names.split(',');
|
||||
}
|
||||
|
||||
// Check for any domain names containing wildcards, which are not allowed with letsencrypt
|
||||
if (data.certificate_id === 'new') {
|
||||
let domain_err = false;
|
||||
if (!data.meta.dns_challenge) {
|
||||
data.domain_names.map(function (name) {
|
||||
if (name.match(/\*/im)) {
|
||||
domain_err = true;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
if (domain_err) {
|
||||
alert(i18n('ssl', 'no-wildcard-without-dns'));
|
||||
return;
|
||||
}
|
||||
} else {
|
||||
data.certificate_id = parseInt(data.certificate_id, 10);
|
||||
}
|
||||
|
||||
let method = App.Api.Nginx.Streams.create;
|
||||
let is_new = true;
|
||||
|
||||
@@ -70,10 +113,108 @@ module.exports = Mn.View.extend({
|
||||
});
|
||||
})
|
||||
.catch(err => {
|
||||
alert(err.message);
|
||||
let more_info = '';
|
||||
if (err.code === 500 && err.debug) {
|
||||
try {
|
||||
more_info = JSON.parse(err.debug).debug.stack.join("\n");
|
||||
} catch (e) {
|
||||
}
|
||||
}
|
||||
this.ui.le_error_info[0].innerHTML = `${err.message}${more_info !== '' ? `<pre class="mt-3">${more_info}</pre>` : ''}`;
|
||||
this.ui.le_error_info.show();
|
||||
this.ui.le_error_info[0].scrollIntoView();
|
||||
this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
|
||||
this.ui.save.removeClass('btn-loading');
|
||||
});
|
||||
}
|
||||
},
|
||||
|
||||
'change @ui.certificate_select': function () {
|
||||
let id = this.ui.certificate_select.val();
|
||||
if (id === 'new') {
|
||||
this.ui.letsencrypt.show().find('input').prop('disabled', false);
|
||||
this.ui.domain_names.prop('required', 'required');
|
||||
|
||||
this.ui.dns_challenge_switch
|
||||
.prop('disabled', true)
|
||||
.parents('.form-group')
|
||||
.css('opacity', 0.5);
|
||||
|
||||
this.ui.dns_provider.prop('required', 'required');
|
||||
const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
|
||||
if (selected_provider != '' && dns_providers[selected_provider].credentials !== false) {
|
||||
this.ui.dns_provider_credentials.prop('required', 'required');
|
||||
}
|
||||
this.ui.dns_challenge_content.show();
|
||||
} else {
|
||||
this.ui.letsencrypt.hide().find('input').prop('disabled', true);
|
||||
}
|
||||
},
|
||||
|
||||
'change @ui.dns_provider': function () {
|
||||
const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
|
||||
if (selected_provider != '' && dns_providers[selected_provider].credentials !== false) {
|
||||
this.ui.dns_provider_credentials.prop('required', 'required');
|
||||
this.ui.dns_provider_credentials[0].value = dns_providers[selected_provider].credentials;
|
||||
this.ui.credentials_file_content.show();
|
||||
} else {
|
||||
this.ui.dns_provider_credentials.prop('required', false);
|
||||
this.ui.credentials_file_content.hide();
|
||||
}
|
||||
},
|
||||
},
|
||||
|
||||
templateContext: {
|
||||
getLetsencryptEmail: function () {
|
||||
return App.Cache.User.get('email');
|
||||
},
|
||||
getDnsProvider: function () {
|
||||
return typeof this.meta.dns_provider !== 'undefined' && this.meta.dns_provider != '' ? this.meta.dns_provider : null;
|
||||
},
|
||||
getDnsProviderCredentials: function () {
|
||||
return typeof this.meta.dns_provider_credentials !== 'undefined' ? this.meta.dns_provider_credentials : '';
|
||||
},
|
||||
getPropagationSeconds: function () {
|
||||
return typeof this.meta.propagation_seconds !== 'undefined' ? this.meta.propagation_seconds : '';
|
||||
},
|
||||
dns_plugins: dns_providers,
|
||||
},
|
||||
|
||||
onRender: function () {
|
||||
let view = this;
|
||||
|
||||
// Certificates
|
||||
this.ui.le_error_info.hide();
|
||||
this.ui.dns_challenge_content.hide();
|
||||
this.ui.credentials_file_content.hide();
|
||||
this.ui.letsencrypt.hide();
|
||||
this.ui.certificate_select.selectize({
|
||||
valueField: 'id',
|
||||
labelField: 'nice_name',
|
||||
searchField: ['nice_name', 'domain_names'],
|
||||
create: false,
|
||||
preload: true,
|
||||
allowEmptyOption: true,
|
||||
render: {
|
||||
option: function (item) {
|
||||
item.i18n = App.i18n;
|
||||
item.formatDbDate = Helpers.formatDbDate;
|
||||
return certListItemTemplate(item);
|
||||
}
|
||||
},
|
||||
load: function (query, callback) {
|
||||
App.Api.Nginx.Certificates.getAll()
|
||||
.then(rows => {
|
||||
callback(rows);
|
||||
})
|
||||
.catch(err => {
|
||||
console.error(err);
|
||||
callback();
|
||||
});
|
||||
},
|
||||
onLoad: function () {
|
||||
view.ui.certificate_select[0].selectize.setValue(view.model.get('certificate_id'));
|
||||
}
|
||||
});
|
||||
},
|
||||
|
||||
initialize: function (options) {
|
||||
|
||||
@@ -16,7 +16,10 @@
|
||||
</td>
|
||||
<td>
|
||||
<div>
|
||||
<% if (tcp_forwarding) { %>
|
||||
<% if (certificate) { %>
|
||||
<span class="tag"><%- i18n('streams', 'tcp+ssl') %></span>
|
||||
<% }
|
||||
else if (tcp_forwarding) { %>
|
||||
<span class="tag"><%- i18n('streams', 'tcp') %></span>
|
||||
<% }
|
||||
if (udp_forwarding) { %>
|
||||
@@ -24,6 +27,9 @@
|
||||
<% } %>
|
||||
</div>
|
||||
</td>
|
||||
<td>
|
||||
<div><%- certificate && certificate_id ? i18n('ssl', certificate.provider) : i18n('all-hosts', 'none') %></div>
|
||||
</td>
|
||||
<td>
|
||||
<%
|
||||
var o = isOnline();
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
<th><%- i18n('streams', 'incoming-port') %></th>
|
||||
<th><%- i18n('str', 'destination') %></th>
|
||||
<th><%- i18n('streams', 'protocol') %></th>
|
||||
<th><%- i18n('str', 'ssl') %></th>
|
||||
<th><%- i18n('str', 'status') %></th>
|
||||
<% if (canManage) { %>
|
||||
<th> </th>
|
||||
|
||||
@@ -88,7 +88,7 @@ module.exports = Mn.View.extend({
|
||||
onRender: function () {
|
||||
let view = this;
|
||||
|
||||
view.fetch(['owner'])
|
||||
view.fetch(['owner', 'certificate'])
|
||||
.then(response => {
|
||||
if (!view.isDestroyed()) {
|
||||
if (response && response.length) {
|
||||
|
||||
@@ -132,16 +132,6 @@
|
||||
"access-list": "Access List",
|
||||
"allow-websocket-upgrade": "Websockets Support",
|
||||
"ignore-invalid-upstream-ssl": "Ignore Invalid SSL",
|
||||
"custom-forward-host-help": "Use 1.1.1.1/path for sub-folder forwarding",
|
||||
"oidc": "OpenID Connect",
|
||||
"oidc-enabled": "Use OpenID Connect authentication",
|
||||
"oidc-redirect-uri": "Redirect URI",
|
||||
"oidc-discovery-endpoint": "Well-known discovery endpoint",
|
||||
"oidc-token-auth-method": "Token endpoint auth method",
|
||||
"oidc-client-id": "Client ID",
|
||||
"oidc-client-secret": "Client secret",
|
||||
"oidc-allow-only-emails": "Allow only these user emails",
|
||||
"oidc-allowed-emails": "Allowed email addresses",
|
||||
"custom-forward-host-help": "Add a path for sub-folder forwarding.\nExample: 203.0.113.25/path/",
|
||||
"search": "Search Host…"
|
||||
},
|
||||
@@ -189,7 +179,9 @@
|
||||
"delete-confirm": "Are you sure you want to delete this Stream?",
|
||||
"help-title": "What is a Stream?",
|
||||
"help-content": "A relatively new feature for Nginx, a Stream will serve to forward TCP/UDP traffic directly to another computer on the network.\nIf you're running game servers, FTP or SSH servers this can come in handy.",
|
||||
"search": "Search Incoming Port…"
|
||||
"search": "Search Incoming Port…",
|
||||
"ssl-certificate": "SSL Certificate for TCP Forwarding",
|
||||
"tcp+ssl": "TCP+SSL"
|
||||
},
|
||||
"certificates": {
|
||||
"title": "SSL Certificates",
|
||||
|
||||
@@ -22,14 +22,6 @@ const model = Backbone.Model.extend({
|
||||
block_exploits: false,
|
||||
http2_support: false,
|
||||
advanced_config: '',
|
||||
openidc_enabled: false,
|
||||
openidc_redirect_uri: '',
|
||||
openidc_discovery: '',
|
||||
openidc_auth_method: 'client_secret_post',
|
||||
openidc_client_id: '',
|
||||
openidc_client_secret: '',
|
||||
openidc_restrict_users_enabled: false,
|
||||
openidc_allowed_users: [],
|
||||
enabled: true,
|
||||
meta: {},
|
||||
// The following are expansions:
|
||||
|
||||
@@ -15,8 +15,11 @@ const model = Backbone.Model.extend({
|
||||
udp_forwarding: false,
|
||||
enabled: true,
|
||||
meta: {},
|
||||
certificate_id: 0,
|
||||
domain_names: [],
|
||||
// The following are expansions:
|
||||
owner: null
|
||||
owner: null,
|
||||
certificate: null
|
||||
};
|
||||
}
|
||||
});
|
||||
|
||||
@@ -36,7 +36,7 @@
|
||||
"package_name": "certbot-dns-cloudflare",
|
||||
"version": "=={{certbot-version}}",
|
||||
"dependencies": "cloudflare==2.19.* acme=={{certbot-version}}",
|
||||
"credentials": "# Cloudflare API token\ndns_cloudflare_api_token=0123456789abcdef0123456789abcdef01234567",
|
||||
"credentials": "# Cloudflare API token\ndns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567",
|
||||
"full_plugin_name": "dns-cloudflare"
|
||||
},
|
||||
"cloudns": {
|
||||
@@ -239,14 +239,6 @@
|
||||
"credentials": "dns_hetzner_api_token = 0123456789abcdef0123456789abcdef",
|
||||
"full_plugin_name": "dns-hetzner"
|
||||
},
|
||||
"hover": {
|
||||
"name": "Hover",
|
||||
"package_name": "certbot-dns-hover",
|
||||
"version": "~=1.2.1",
|
||||
"dependencies": "",
|
||||
"credentials": "dns_hover_hoverurl = https://www.hover.com\ndns_hover_username = hover-admin-username\ndns_hover_password = hover-admin-password\ndns_hover_totpsecret = 2fa-totp-secret",
|
||||
"full_plugin_name": "dns-hover"
|
||||
},
|
||||
"infomaniak": {
|
||||
"name": "Infomaniak",
|
||||
"package_name": "certbot-dns-infomaniak",
|
||||
@@ -462,13 +454,5 @@
|
||||
"dependencies": "",
|
||||
"credentials": "dns_websupport_identifier = <api_key>\ndns_websupport_secret_key = <secret>",
|
||||
"full_plugin_name": "dns-websupport"
|
||||
},
|
||||
"wedos":{
|
||||
"name": "Wedos",
|
||||
"package_name": "certbot-dns-wedos",
|
||||
"version": "~=2.2",
|
||||
"dependencies": "",
|
||||
"credentials": "dns_wedos_user = <wedos_registration>\ndns_wedos_auth = <wapi_sha256_password>",
|
||||
"full_plugin_name": "dns-wedos"
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user