mb/bdmgrdts
1
Fork 0
Code Pull requests Releases Activity

add tls to nginx redirections

Browse source
This commit is contained in:
JOLIMAITRE Matthieu 2024-02-04 15:01:51 +01:00
parent 6c0038b421
commit 30d22895d4
2 changed files with 92 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
instance/src/lib.ts
View file

@ -114,7 +114,7 @@ export class Runner {
const sites = new Set<string>(); const sites = new Set<string>();
for (const redir of this.config.redirections) { for (const redir of this.config.redirections) {
if (redir.kind !== "http") continue; if (redir.kind !== "http") continue;
await this.nginx.add_proxy(redir.domain, redir.port, paths.sites); await this.nginx.add_proxy(redir.domain, redir.port, paths.sites, redir.tls);
sites.add(redir.domain); sites.add(redir.domain);
} }
for await (const domains of this.nginx.read_all_in_dir(paths.sites)) { for await (const domains of this.nginx.read_all_in_dir(paths.sites)) {

99
instance/src/lib/nginx.ts
View file

@ -10,15 +10,52 @@ export class NginxController {
this.enabled_conf_dir = enabled_conf_dir; this.enabled_conf_dir = enabled_conf_dir;
} }
public async add_proxy(domain: string, port: number, conf_dir: string) { /*
server {
server_name barnulf.net;
location / {
proxy_pass http://barnulf.net:8051;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/barnulf.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/barnulf.net/privkey.pem; # managed by Certbot
}
*/
public async add_proxy(domain: string, port: number, conf_dir: string, tls: boolean) {
const conf_file_path = await this.set_http_config(domain, port, conf_dir);
await this.reload();
if (tls) {
await this.gen_cert(domain);
await this.set_https_config(domain, port, conf_dir);
await this.reload();
}
return conf_file_path;
}
private async set_https_config(domain: string, port: number, conf_dir: string) {
const conf_file_content = ` const conf_file_content = `
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name ${domain}; server_name ${domain};
location / { return 301 https://$host$request_uri;
proxy_pass http://${this.proxy_target_domain}:${port}; }
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name ${domain};
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://${this.proxy_target_domain}:${port};
}
} }
`; `;
const conf_file_path = path.join(conf_dir, domain + ".conf"); const conf_file_path = path.join(conf_dir, domain + ".conf");
@ -26,10 +63,39 @@ server {
await Deno.writeTextFile(conf_file_path, conf_file_content); await Deno.writeTextFile(conf_file_path, conf_file_content);
if (await exists(enabled_conf_file_path)) await Deno.remove(enabled_conf_file_path); if (await exists(enabled_conf_file_path)) await Deno.remove(enabled_conf_file_path);
await run("ln", "-s", await Deno.realPath(conf_file_path), enabled_conf_file_path); await run("ln", "-s", await Deno.realPath(conf_file_path), enabled_conf_file_path);
await this.reload();
return conf_file_path; return conf_file_path;
} }
private async set_http_config(domain: string, port: number, conf_dir: string) {
const conf_file_content = `
server {
listen 80;
listen [::]:80;
server_name ${domain};
location / {
proxy_pass http://${this.proxy_target_domain}:${port};
}
}
`;
const conf_file_path = path.join(conf_dir, domain + ".conf");
const enabled_conf_file_path = path.join(this.enabled_conf_dir, domain + ".conf");
await Deno.writeTextFile(conf_file_path, conf_file_content);
if (await exists(enabled_conf_file_path)) await Deno.remove(enabled_conf_file_path);
await run("ln", "-s", await Deno.realPath(conf_file_path), enabled_conf_file_path);
return conf_file_path;
}
private async gen_cert(domain: string) {
await run(
"certbot",
"--nginx",
...["-d", domain],
"--non-interactive",
"--agree-tos",
...["--email", "matthieu@imagevo.fr"],
);
}
public async remove_proxy(domain: string, conf_dir: string) { public async remove_proxy(domain: string, conf_dir: string) {
const conf_file_path = path.join(conf_dir, domain + ".conf"); const conf_file_path = path.join(conf_dir, domain + ".conf");
const enabled_conf_file_path = path.join(this.enabled_conf_dir, domain + ".conf"); const enabled_conf_file_path = path.join(this.enabled_conf_dir, domain + ".conf");
@ -50,3 +116,20 @@ server {
await run("systemctl", "restart", "nginx"); await run("systemctl", "restart", "nginx");
} }
} }
/*
server {
if ($host = barnulf.net) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name barnulf.net;
return 404; # managed by Certbot
}
*/