Fabio/nginx-proxy-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Merge aca8206c30 into 883a272b0a

Browse source
This commit is contained in:
Will Rouesnel 2024-01-09 01:02:36 -08:00 committed by GitHub
commit a768006959
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
45 changed files with 898 additions and 118 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
backend/doc/api.swagger.json
View file

@ -82,6 +82,7 @@
"ssl_forced": 0, "ssl_forced": 0,
"caching_enabled": 0, "caching_enabled": 0,
"block_exploits": 0, "block_exploits": 0,
"drop_unauthorized": 0,
"advanced_config": "sdfsdfsdf", "advanced_config": "sdfsdfsdf",
"meta": { "meta": {
"letsencrypt_agree": false, "letsencrypt_agree": false,
@ -124,6 +125,7 @@
"ssl_forced": 0, "ssl_forced": 0,
"caching_enabled": 0, "caching_enabled": 0,
"block_exploits": 0, "block_exploits": 0,
"drop_unauthorized": 0,
"advanced_config": "", "advanced_config": "",
"meta": { "meta": {
"letsencrypt_agree": false, "letsencrypt_agree": false,
@ -204,6 +206,7 @@
"ssl_forced": 0, "ssl_forced": 0,
"caching_enabled": 0, "caching_enabled": 0,
"block_exploits": 0, "block_exploits": 0,
"drop_unauthorized": 0,
"advanced_config": "", "advanced_config": "",
"meta": { "meta": {
"letsencrypt_agree": false, "letsencrypt_agree": false,
@ -1117,6 +1120,7 @@
"ssl_forced", "ssl_forced",
"caching_enabled", "caching_enabled",
"block_exploits", "block_exploits",
"drop_unauthorized",
"advanced_config", "advanced_config",
"meta", "meta",
"allow_websocket_upgrade", "allow_websocket_upgrade",
@ -1184,6 +1188,9 @@
"block_exploits": { "block_exploits": {
"type": "integer" "type": "integer"
}, },
"drop_unauthorized": {
"type": "integer"
},
"advanced_config": { "advanced_config": {
"type": "string" "type": "string"
}, },

193
backend/internal/access-list.js
View file

@ -7,9 +7,11 @@ const utils = require('../lib/utils');
const accessListModel = require('../models/access_list'); const accessListModel = require('../models/access_list');
const accessListAuthModel = require('../models/access_list_auth'); const accessListAuthModel = require('../models/access_list_auth');
const accessListClientModel = require('../models/access_list_client'); const accessListClientModel = require('../models/access_list_client');
const accessListClientCAsModel = require('../models/access_list_clientcas');
const proxyHostModel = require('../models/proxy_host'); const proxyHostModel = require('../models/proxy_host');
const internalAuditLog = require('./audit-log'); const internalAuditLog = require('./audit-log');
const internalNginx = require('./nginx'); const internalNginx = require('./nginx');
const config = require('../lib/config');
function omissions () { function omissions () {
return ['is_deleted']; return ['is_deleted'];
@ -66,13 +68,26 @@ const internalAccessList = {
}); });
} }
// Now add the client certificate references
if (typeof data.clientcas !== 'undefined' && data.clientcas) {
data.clientcas.map((certificate_id) => {
promises.push(accessListClientCAsModel
.query()
.insert({
access_list_id: row.id,
certificate_id: certificate_id
})
);
});
}
return Promise.all(promises); return Promise.all(promises);
}) })
.then(() => { .then(() => {
// re-fetch with expansions // re-fetch with expansions
return internalAccessList.get(access, { return internalAccessList.get(access, {
id: data.id, id: data.id,
expand: ['owner', 'items', 'clients', 'proxy_hosts.access_list.[clients,items]'] expand: ['owner', 'items', 'clients', 'clientcas.certificate', 'proxy_hosts.access_list.[clientcas,clients,items]']
}, true /* <- skip masking */); }, true /* <- skip masking */);
}) })
.then((row) => { .then((row) => {
@ -204,7 +219,35 @@ const internalAccessList = {
}); });
} }
}) })
.then(internalNginx.reload) .then(() => {
// Check for client certificates and add/update/remove them
if (typeof data.clientcas !== 'undefined' && data.clientcas) {
let promises = [];
data.clientcas.map(function (certificate_id) {
promises.push(accessListClientCAsModel
.query()
.insert({
access_list_id: data.id,
certificate_id: certificate_id
})
);
});
let query = accessListClientCAsModel
.query()
.delete()
.where('access_list_id', data.id);
return query
.then(() => {
// Add new items
if (promises.length) {
return Promise.all(promises);
}
});
}
})
.then(() => { .then(() => {
// Add to audit log // Add to audit log
return internalAuditLog.add(access, { return internalAuditLog.add(access, {
@ -218,7 +261,7 @@ const internalAccessList = {
// re-fetch with expansions // re-fetch with expansions
return internalAccessList.get(access, { return internalAccessList.get(access, {
id: data.id, id: data.id,
expand: ['owner', 'items', 'clients', 'proxy_hosts.[certificate,access_list.[clients,items]]'] expand: ['owner', 'items', 'clients', 'clientcas.certificate', 'proxy_hosts.[certificate,access_list.[clientcas,clients,items]]']
}, true /* <- skip masking */); }, true /* <- skip masking */);
}) })
.then((row) => { .then((row) => {
@ -231,6 +274,11 @@ const internalAccessList = {
.then(() => { .then(() => {
return internalAccessList.maskItems(row); return internalAccessList.maskItems(row);
}); });
})
.then((row) => {
return internalNginx.reload().then(() => {
return row;
});
}); });
}, },
@ -256,7 +304,7 @@ const internalAccessList = {
.joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0') .joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0')
.where('access_list.is_deleted', 0) .where('access_list.is_deleted', 0)
.andWhere('access_list.id', data.id) .andWhere('access_list.id', data.id)
.allowGraph('[owner,items,clients,proxy_hosts.[certificate,access_list.[clients,items]]]') .allowGraph('[owner,items,clients,clientcas.certificate,proxy_hosts.[certificate,access_list.[clientcas,clients,items]]]')
.first(); .first();
if (access_data.permission_visibility !== 'all') { if (access_data.permission_visibility !== 'all') {
@ -294,7 +342,7 @@ const internalAccessList = {
delete: (access, data) => { delete: (access, data) => {
return access.can('access_lists:delete', data.id) return access.can('access_lists:delete', data.id)
.then(() => { .then(() => {
return internalAccessList.get(access, {id: data.id, expand: ['proxy_hosts', 'items', 'clients']}); return internalAccessList.get(access, {id: data.id, expand: ['proxy_hosts', 'items', 'clients', 'clientcas']});
}) })
.then((row) => { .then((row) => {
if (!row) { if (!row) {
@ -345,6 +393,26 @@ const internalAccessList = {
// do nothing // do nothing
} }
}) })
.then(() => {
// delete the client CA file
let clientca_file = internalAccessList.getClientCAFilename(row);
try {
fs.unlinkSync(clientca_file);
} catch (err) {
// do nothing
}
})
.then(() => {
// delete the client geo file file
let client_file = internalAccessList.getClientFilename(row);
try {
fs.unlinkSync(client_file);
} catch (err) {
// do nothing
}
})
.then(() => { .then(() => {
// 4. audit log // 4. audit log
return internalAuditLog.add(access, { return internalAuditLog.add(access, {
@ -377,7 +445,7 @@ const internalAccessList = {
.joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0') .joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0')
.where('access_list.is_deleted', 0) .where('access_list.is_deleted', 0)
.groupBy('access_list.id') .groupBy('access_list.id')
.allowGraph('[owner,items,clients]') .allowGraph('[owner,items,clients,clientcas.certificate]')
.orderBy('access_list.name', 'ASC'); .orderBy('access_list.name', 'ASC');
if (access_data.permission_visibility !== 'all') { if (access_data.permission_visibility !== 'all') {
@ -434,6 +502,8 @@ const internalAccessList = {
}, },
/** /**
* Mask sensitive items in access list responses
*
* @param {Object} list * @param {Object} list
* @returns {Object} * @returns {Object}
*/ */
@ -453,6 +523,24 @@ const internalAccessList = {
}); });
} }
// Mask certificates in clientcas responses
if (list && typeof list.clientcas !== 'undefined') {
list.clientcas.map(function(val, idx) {
if (typeof val.certificate !== 'undefined') {
list.clientcas[idx].certificate.meta = {};
}
});
}
// Mask certificates in ProxyHost responses (clear the meta field)
if (list && typeof list.proxy_hosts !== 'undefined') {
list.proxy_hosts.map(function(val, idx) {
if (typeof val.certificate !== 'undefined') {
list.proxy_hosts[idx].certificate.meta = {};
}
});
}
return list; return list;
}, },
@ -465,17 +553,37 @@ const internalAccessList = {
return '/data/access/' + list.id; return '/data/access/' + list.id;
}, },
/**
* @param {Object} list
* @param {Integer} list.id
* @returns {String}
*/
getClientCAFilename: (list) => {
return '/data/clientca/' + list.id;
},
/**
* @param {Object} list
* @param {Integer} list.id
* @returns {String}
*/
getClientFilename: (list) => {
return '/data/nginx/client/' + list.id + '.conf';
},
/** /**
* @param {Object} list * @param {Object} list
* @param {Integer} list.id * @param {Integer} list.id
* @param {String} list.name * @param {String} list.name
* @param {Array} list.items * @param {Array} list.items
* @param {Array} list.clientcas
* @returns {Promise} * @returns {Promise}
*/ */
build: (list) => { build: (list) => {
logger.info('Building Access file #' + list.id + ' for: ' + list.name); const renderEngine = utils.getRenderEngine();
return new Promise((resolve, reject) => { const htPasswdBuild = new Promise((resolve, reject) => {
logger.info('Building Access file #' + list.id + ' for: ' + list.name);
let htpasswd_file = internalAccessList.getFilename(list); let htpasswd_file = internalAccessList.getFilename(list);
// 1. remove any existing access file // 1. remove any existing access file
@ -523,6 +631,75 @@ const internalAccessList = {
}); });
} }
}); });
const caCertificateBuild = new Promise((resolve, reject) => {
logger.info('Building Client CA file #' + list.id + ' for: ' + list.name);
let clientca_file = internalAccessList.getClientCAFilename(list);
const certificate_bodies = list.clientcas
.filter((clientca) => {
return typeof clientca.certificate.meta !== 'undefined';
})
.map((clientca) => {
return clientca.certificate.meta.certificate;
});
// Unlink the original file (nginx retains file handle till reload)
try {
fs.unlinkSync(clientca_file);
} catch (err) {
// do nothing
}
// Write the new file in one shot
try {
fs.writeFileSync(clientca_file, certificate_bodies.join('\n'), {encoding: 'utf8'});
logger.success('Built Client CA file #' + list.id + ' for: ' + list.name);
resolve(clientca_file);
} catch (err) {
reject(err);
}
});
const clientBuild = new Promise((resolve, reject) => {
logger.info('Building Access client file #' + list.id + ' for: ' + list.name);
let template = null;
const client_file = internalAccessList.getClientFilename(list);
const data = {
access_list: list
};
try {
template = fs.readFileSync(__dirname + '/../templates/access.conf', {encoding: 'utf8'});
} catch (err) {
reject(new error.ConfigurationError(err.message));
return;
}
return renderEngine
.parseAndRender(template, data)
.then((config_text) => {
fs.writeFileSync(client_file, config_text, {encoding: 'utf8'});
if (config.debug()) {
logger.success('Wrote config:', client_file, config_text);
}
resolve(true);
})
.catch((err) => {
if (config.debug()) {
logger.warn('Could not write ' + client_file + ':', err.message);
}
reject(new error.ConfigurationError(err.message));
});
});
// Execute both promises concurrently
return Promise.all([htPasswdBuild, caCertificateBuild, clientBuild]);
} }
}; };

45
backend/internal/certificate.js
View file

@ -552,6 +552,10 @@ const internalCertificate = {
}) })
.then(() => { .then(() => {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
if (certificate.provider === 'clientca') {
// Client CAs have no private key associated, so just succeed.
resolve();
} else {
fs.writeFile(dir + '/privkey.pem', certificate.meta.certificate_key, function (err) { fs.writeFile(dir + '/privkey.pem', certificate.meta.certificate_key, function (err) {
if (err) { if (err) {
reject(err); reject(err);
@ -559,6 +563,7 @@ const internalCertificate = {
resolve(); resolve();
} }
}); });
}
}); });
}); });
}, },
@ -639,7 +644,7 @@ const internalCertificate = {
upload: (access, data) => { upload: (access, data) => {
return internalCertificate.get(access, {id: data.id}) return internalCertificate.get(access, {id: data.id})
.then((row) => { .then((row) => {
if (row.provider !== 'other') { if (row.provider !== 'other' && row.provider !== 'clientca') {
throw new error.ValidationError('Cannot upload certificates for this type of provider'); throw new error.ValidationError('Cannot upload certificates for this type of provider');
} }
@ -726,6 +731,29 @@ const internalCertificate = {
}); });
}, },
/**
* Parse the X509 subject line as returned by the OpenSSL command when
* invoked with openssl x509 -in <certificate name> -subject -noout
*
* @param {String} line emitted from the openssl command
* @param {String} prefix expected to be removed
* @return {Object} object containing the parsed fields from the subject line
*/
parseX509Output: (line, prefix) => {
// Remove the subject= part
const subject_value = line.slice(prefix.length).trim();
const subject = subject_value.split(/[,/](?=(?:(?:[^"]*"){2})*[^"]*$)/)
.filter( (e) => { return e.length > 0; } )
.map( (e) => { return e.trim().split('=', 2).map( (p) => { return p.trim(); }); })
.reduce((obj, [key, value]) => {
obj[key] = value.replace(/^"/, '').replace(/"$/, '');
return obj;
}, {});
return subject;
},
/** /**
* Uses the openssl command to both validate and get info out of the certificate. * Uses the openssl command to both validate and get info out of the certificate.
* It will save the file to disk first, then run commands on it, then delete the file. * It will save the file to disk first, then run commands on it, then delete the file.
@ -739,28 +767,27 @@ const internalCertificate = {
return utils.exec('openssl x509 -in ' + certificate_file + ' -subject -noout') return utils.exec('openssl x509 -in ' + certificate_file + ' -subject -noout')
.then((result) => { .then((result) => {
// subject=CN = something.example.com // subject=CN = something.example.com
const regex = /(?:subject=)?[^=]+=\s+(\S+)/gim; // subject=C = NoCountry, O = NoOrg, OU = NoOrgUnit, CN = Some Value With Spaces
const match = regex.exec(result); const subjectParams = internalCertificate.parseX509Output(result, 'subject=');
if (typeof match[1] === 'undefined') { if (typeof subjectParams.CN === 'undefined') {
throw new error.ValidationError('Could not determine subject from certificate: ' + result); throw new error.ValidationError('Could not determine subject from certificate: ' + result);
} }
certData['cn'] = match[1]; certData['cn'] = subjectParams.CN;
}) })
.then(() => { .then(() => {
return utils.exec('openssl x509 -in ' + certificate_file + ' -issuer -noout'); return utils.exec('openssl x509 -in ' + certificate_file + ' -issuer -noout');
}) })
.then((result) => { .then((result) => {
// issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 // issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
const regex = /^(?:issuer=)?(.*)$/gim; const issuerParams = internalCertificate.parseX509Output(result, 'issuer=');
const match = regex.exec(result);
if (typeof match[1] === 'undefined') { if (typeof issuerParams.CN === 'undefined') {
throw new error.ValidationError('Could not determine issuer from certificate: ' + result); throw new error.ValidationError('Could not determine issuer from certificate: ' + result);
} }
certData['issuer'] = match[1]; certData['issuer'] = issuerParams.CN;
}) })
.then(() => { .then(() => {
return utils.exec('openssl x509 -in ' + certificate_file + ' -dates -noout'); return utils.exec('openssl x509 -in ' + certificate_file + ' -dates -noout');

8
backend/internal/nginx.js
View file

@ -153,7 +153,7 @@ const internalNginx = {
const locationRendering = async () => { const locationRendering = async () => {
for (let i = 0; i < host.locations.length; i++) { for (let i = 0; i < host.locations.length; i++) {
let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id}, let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id},
{ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits}, {ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits}, {drop_unauthorized: host.drop_unauthorized},
{allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support}, {allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
{hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list}, {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
{certificate: host.certificate}, host.locations[i]); {certificate: host.certificate}, host.locations[i]);
@ -205,6 +205,12 @@ const internalNginx = {
let origLocations; let origLocations;
// Manipulate the data a bit before sending it to the template // Manipulate the data a bit before sending it to the template
if (typeof host.drop_unauthorized === 'undefined') {
// Only proxy-hosts can have drop_unauthorized, but all hosts share
// the templates.
host.drop_unauthorized = 0;
}
if (nice_host_type !== 'default') { if (nice_host_type !== 'default') {
host.use_default_location = true; host.use_default_location = true;
if (typeof host.advanced_config !== 'undefined' && host.advanced_config) { if (typeof host.advanced_config !== 'undefined' && host.advanced_config) {

8
backend/internal/proxy-host.js
View file

@ -74,7 +74,7 @@ const internalProxyHost = {
// re-fetch with cert // re-fetch with cert
return internalProxyHost.get(access, { return internalProxyHost.get(access, {
id: row.id, id: row.id,
expand: ['certificate', 'owner', 'access_list.[clients,items]'] expand: ['certificate', 'owner', 'access_list.[clientcas.certificate,clients,items]']
}); });
}) })
.then((row) => { .then((row) => {
@ -188,7 +188,7 @@ const internalProxyHost = {
.then(() => { .then(() => {
return internalProxyHost.get(access, { return internalProxyHost.get(access, {
id: data.id, id: data.id,
expand: ['owner', 'certificate', 'access_list.[clients,items]'] expand: ['owner', 'certificate', 'access_list.[clientcas.certificate,clients,items]']
}) })
.then((row) => { .then((row) => {
if (!row.enabled) { if (!row.enabled) {
@ -225,7 +225,7 @@ const internalProxyHost = {
.query() .query()
.where('is_deleted', 0) .where('is_deleted', 0)
.andWhere('id', data.id) .andWhere('id', data.id)
.allowGraph('[owner,access_list,access_list.[clients,items],certificate]') .allowGraph('[owner,access_list.[clientcas.certificate,clients,items],certificate]')
.first(); .first();
if (access_data.permission_visibility !== 'all') { if (access_data.permission_visibility !== 'all') {
@ -308,7 +308,7 @@ const internalProxyHost = {
.then(() => { .then(() => {
return internalProxyHost.get(access, { return internalProxyHost.get(access, {
id: data.id, id: data.id,
expand: ['certificate', 'owner', 'access_list'] expand: ['certificate', 'owner', 'access_list.[clientcas.certificate]']
}); });
}) })
.then((row) => { .then((row) => {

50
backend/migrations/20230526062132_add_clientcas_to_accesslists.js Normal file
View file

@ -0,0 +1,50 @@
const migrate_name = 'client_certificates';
const logger = require('../logger').migrate;
/**
* Migrate
*
* @see http://knexjs.org/#Schema
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.up = function (knex/*, Promise*/) {
logger.info('[' + migrate_name + '] Migrating Up...');
return knex.schema.createTable('access_list_clientcas', (table) => {
table.increments().primary();
table.dateTime('created_on').notNull();
table.dateTime('modified_on').notNull();
table.integer('access_list_id').notNull().unsigned();
table.integer('certificate_id').notNull().unsigned();
table.json('meta').notNull();
})
.then(function () {
logger.info('[' + migrate_name + '] access_list_clientcas Table created');
})
.then(() => {
logger.info('[' + migrate_name + '] Migrating Up Complete');
});
};
/**
* Undo Migrate
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.down = function (knex/*, Promise*/) {
logger.info('[' + migrate_name + '] Migrating Down...');
return knex.schema.dropTable('access_list_clientcas')
.then(() => {
logger.info('[' + migrate_name + '] access_list_clientcas Table dropped');
})
.then(() => {
logger.info('[' + migrate_name + '] Migrating Down Complete');
});
};

39
backend/migrations/20230529030411_add_drop_unauthorized_to_proxyhosts.js Normal file
View file

@ -0,0 +1,39 @@
const migrate_name = 'drop_unauthorized';
const logger = require('../logger').migrate;
/**
* Migrate
*
* @see http://knexjs.org/#Schema
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.up = function (knex/*, Promise*/) {
logger.info('[' + migrate_name + '] Migrating Up...');
return knex.schema.table('proxy_host', function(proxy_host) {
proxy_host.integer('drop_unauthorized').notNull().unsigned().defaultTo(0);
}).then(() =>{
logger.info('[' + migrate_name + '] Migrating Up Complete');
});
};
/**
* Undo Migrate
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.down = function (knex/*, Promise*/) {
logger.info('[' + migrate_name + '] Migrating Down...');
return knex.schema.table('proxy_host', function(proxy_host) {
proxy_host.dropColumn('drop_unauthorized');
}).then(() =>{
logger.info('[' + migrate_name + '] Migrating Up Complete');
});
};

9
backend/models/access_list.js
View file

@ -6,6 +6,7 @@ const Model = require('objection').Model;
const User = require('./user'); const User = require('./user');
const AccessListAuth = require('./access_list_auth'); const AccessListAuth = require('./access_list_auth');
const AccessListClient = require('./access_list_client'); const AccessListClient = require('./access_list_client');
const AccessListClientCAs = require('./access_list_clientcas');
const now = require('./now_helper'); const now = require('./now_helper');
Model.knex(db); Model.knex(db);
@ -68,6 +69,14 @@ class AccessList extends Model {
to: 'access_list_client.access_list_id' to: 'access_list_client.access_list_id'
} }
}, },
clientcas: {
relation: Model.HasManyRelation,
modelClass: AccessListClientCAs,
join: {
from: 'access_list.id',
to: 'access_list_clientcas.access_list_id'
}
},
proxy_hosts: { proxy_hosts: {
relation: Model.HasManyRelation, relation: Model.HasManyRelation,
modelClass: ProxyHost, modelClass: ProxyHost,

62
backend/models/access_list_clientcas.js Normal file
View file

@ -0,0 +1,62 @@
// Objection Docs:
// http://vincit.github.io/objection.js/
const db = require('../db');
const Model = require('objection').Model;
const now = require('./now_helper');
Model.knex(db);
class AccessListClientCAs extends Model {
$beforeInsert () {
this.created_on = now();
this.modified_on = now();
// Default for meta
if (typeof this.meta === 'undefined') {
this.meta = {};
}
}
$beforeUpdate () {
this.modified_on = now();
}
static get name () {
return 'AccessListClientCAs';
}
static get tableName () {
return 'access_list_clientcas';
}
static get jsonAttributes () {
return ['meta'];
}
static get relationMappings () {
return {
access_list: {
relation: Model.HasOneRelation,
modelClass: require('./access_list'),
join: {
from: 'access_list_clientcas.access_list_id',
to: 'access_list.id'
},
modify: function (qb) {
qb.where('access_list.is_deleted', 0);
}
},
certificate: {
relation: Model.HasOneRelation,
modelClass: require('./certificate'),
join: {
from: 'access_list_clientcas.certificate_id',
to: 'certificate.id'
}
}
};
}
}
module.exports = AccessListClientCAs;

7
backend/schema/definitions.json
View file

@ -219,7 +219,7 @@
}, },
"ssl_provider": { "ssl_provider": {
"type": "string", "type": "string",
"pattern": "^(letsencrypt|other)$" "pattern": "^(letsencrypt|other|clientca)$"
}, },
"http2_support": { "http2_support": {
"description": "HTTP2 Protocol Support", "description": "HTTP2 Protocol Support",
@ -231,6 +231,11 @@
"example": true, "example": true,
"type": "boolean" "type": "boolean"
}, },
"drop_unauthorized": {
"description": "Close TCP connection with no response when authorization fails",
"example": true,
"type": "boolean"
},
"caching_enabled": { "caching_enabled": {
"description": "Should we cache assets", "description": "Should we cache assets",
"example": true, "example": true,

14
backend/schema/endpoints/access-lists.json
View file

@ -142,6 +142,13 @@
} }
} }
}, },
"clientcas": {
"type": "array",
"minItems": 0,
"items": {
"type": "integer"
}
},
"meta": { "meta": {
"$ref": "#/definitions/meta" "$ref": "#/definitions/meta"
} }
@ -209,6 +216,13 @@
} }
} }
} }
},
"clientcas": {
"type": "array",
"minItems": 0,
"items": {
"type": "integer"
}
} }
} }
}, },

12
backend/schema/endpoints/proxy-hosts.json
View file

@ -50,6 +50,9 @@
"block_exploits": { "block_exploits": {
"$ref": "../definitions.json#/definitions/block_exploits" "$ref": "../definitions.json#/definitions/block_exploits"
}, },
"drop_unauthorized": {
"$ref": "../definitions.json#/definitions/drop_unauthorized"
},
"caching_enabled": { "caching_enabled": {
"$ref": "../definitions.json#/definitions/caching_enabled" "$ref": "../definitions.json#/definitions/caching_enabled"
}, },
@ -149,6 +152,9 @@
"block_exploits": { "block_exploits": {
"$ref": "#/definitions/block_exploits" "$ref": "#/definitions/block_exploits"
}, },
"drop_unauthorized": {
"$ref": "#/definitions/drop_unauthorized"
},
"caching_enabled": { "caching_enabled": {
"$ref": "#/definitions/caching_enabled" "$ref": "#/definitions/caching_enabled"
}, },
@ -239,6 +245,9 @@
"block_exploits": { "block_exploits": {
"$ref": "#/definitions/block_exploits" "$ref": "#/definitions/block_exploits"
}, },
"drop_unauthorized": {
"$ref": "#/definitions/drop_unauthorized"
},
"caching_enabled": { "caching_enabled": {
"$ref": "#/definitions/caching_enabled" "$ref": "#/definitions/caching_enabled"
}, },
@ -312,6 +321,9 @@
"block_exploits": { "block_exploits": {
"$ref": "#/definitions/block_exploits" "$ref": "#/definitions/block_exploits"
}, },
"drop_unauthorized": {
"$ref": "#/definitions/drop_unauthorized"
},
"caching_enabled": { "caching_enabled": {
"$ref": "#/definitions/caching_enabled" "$ref": "#/definitions/caching_enabled"
}, },

53
backend/templates/_access.conf
View file

@ -1,25 +1,44 @@
{% if access_list_id > 0 %} {% if access_list_id > 0 %}
{% if access_list.items.length > 0 %} set $auth_basic "Authorization required";
# Authorization {% if access_list.satisfy_any == 1 %}
auth_basic "Authorization required"; # Satisfy Any - any check can succeed - so look for success
auth_basic_user_file /data/access/{{ access_list_id }}; {% if access_list.clients.size != 0 %}
if ( $access_list_{{ access_list_id }} = 1) {
set $auth_basic off;
}
{% endif %}
if ( $ssl_client_verify = "SUCCESS" ) {
set $auth_basic off;
}
{% else %}
# Satisfy All - all checks must succeed (so handle fails)
{% if access_list.clients.size != 0 %}
# {{ access_list.clients.size }} IP rules
if ( $access_list_{{ access_list_id }} = 0) {
return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
}
{% else %}
# Empty IP rules list so no client IP check
{% endif %}
if ( $ssl_client_verify != "SUCCESS" ) {
return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
}
{% endif %}
{% if access_list.items.length > 0 %}
# Basic Auth is enabled
# Authorization
auth_basic $auth_basic;
auth_basic_user_file /data/access/{{ access_list_id }};
{% if access_list.pass_auth == 0 %} {% if access_list.pass_auth == 0 %}
proxy_set_header Authorization ""; proxy_set_header Authorization "";
{% endif %} {% endif %}
{% endif %}
# Access Rules: {{ access_list.clients | size }} total
{% for client in access_list.clients %}
{{client | nginxAccessRule}}
{% endfor %}
deny all;
# Access checks must...
{% if access_list.satisfy_any == 1 %}
satisfy any;
{% else %} {% else %}
satisfy all; {% if access_list.satisfy_any == 1 %}
# Satisfy Any without Basic Auth
if ( $auth_basic != "off" ) {
return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
}
{% endif %}
{% endif %} {% endif %}
{% endif %} {% endif %}

8
backend/templates/_certificates.conf
View file

@ -11,4 +11,10 @@
ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem; ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if access_list_id > 0 -%}
{% if access_list.clientcas.size > 0 %}
# Client Certificate Authorization ({{access_list.clientcas.size}} CAs)
ssl_client_certificate /data/clientca/{{ access_list_id }};
ssl_verify_client optional;
{% endif %}
{% endif %}

12
backend/templates/access.conf Normal file
View file

@ -0,0 +1,12 @@
# Access List Clients for {{ access_list.id }} - {{ access_list.name }}
geo $realip_remote_addr $access_list_{{ access_list.id }} {
default 0;
{% for client in access_list.clients %}
{% if client.directive == "allow" %}
{{client.address}} 1;
{% endif %}
{% if client.directive == "deny" %}
{{client.address}} 0;
{% endif %}
{% endfor %}
}

70
docker/docker-compose.dev-user.yml Normal file
View file

@ -0,0 +1,70 @@
# WARNING: This is a DEVELOPMENT docker-compose file, it should not be used for production.
# Important: this version is designed to work with user-namespaces, which allows running
# under podman.
version: '3.8'
services:
npm:
image: nginxproxymanager:dev
container_name: npm_core
build:
context: ./
dockerfile: ./dev/Dockerfile
ports:
- 3080:80
- 3081:81
- 3443:443
networks:
- nginx_proxy_manager
environment:
# PUID: 1000
# PGID: 1000
FORCE_COLOR: 1
# specifically for dev:
DEBUG: 'true'
DEVELOPMENT: 'true'
LE_STAGING: 'true'
# db:
DB_MYSQL_HOST: 'db'
DB_MYSQL_PORT: '3306'
DB_MYSQL_USER: 'npm'
DB_MYSQL_PASSWORD: 'npm'
DB_MYSQL_NAME: 'npm'
# DB_SQLITE_FILE: "/data/database.sqlite"
# DISABLE_IPV6: "true"
volumes:
- npm_data:/data
- le_data:/etc/letsencrypt
- ../backend:/app
- ../frontend:/app/frontend
- ../global:/app/global
depends_on:
- db
working_dir: /app
db:
image: jc21/mariadb-aria
container_name: npm_db
ports:
- 33306:3306
networks:
- nginx_proxy_manager
environment:
MYSQL_ROOT_PASSWORD: 'npm'
MYSQL_DATABASE: 'npm'
MYSQL_USER: 'npm'
MYSQL_PASSWORD: 'npm'
volumes:
- db_data:/var/lib/mysql
volumes:
npm_data:
name: npm_core_data
le_data:
name: npm_le_data
db_data:
name: npm_db_data
networks:
nginx_proxy_manager:
name: npm_network

1
docker/rootfs/etc/nginx/nginx.conf
View file

@ -73,6 +73,7 @@ http {
# Files generated by NPM # Files generated by NPM
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;
include /data/nginx/client/*.conf;
include /data/nginx/default_host/*.conf; include /data/nginx/default_host/*.conf;
include /data/nginx/proxy_host/*.conf; include /data/nginx/proxy_host/*.conf;
include /data/nginx/redirection_host/*.conf; include /data/nginx/redirection_host/*.conf;

2
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
View file

@ -20,6 +20,8 @@ mkdir -p \
/data/custom_ssl \ /data/custom_ssl \
/data/logs \ /data/logs \
/data/access \ /data/access \
/data/clientca \
/data/nginx/client \
/data/nginx/default_host \ /data/nginx/default_host \
/data/nginx/default_www \ /data/nginx/default_www \
/data/nginx/proxy_host \ /data/nginx/proxy_host \

31
frontend/js/app/api.js
View file

@ -632,6 +632,37 @@ module.exports = {
return getAllObjects('nginx/certificates', expand, query); return getAllObjects('nginx/certificates', expand, query);
}, },
/**
* Retrieve all certificates which have a type suitable for use as
* server certificates. This filters by provider for returned rows.
*
* @param {Array} [expand]
* @param {String} [query]
* @returns {Promise}
*/
getAllServerCertificates: function (expand, query) {
return getAllObjects('nginx/certificates', expand, query)
.then(rows => {
return rows.filter( row => row.provider !== 'clientca' );
})
},
/**
* Retrieve all certificates which have a type suitable for use as
* client authentication certificates. This filters by provider for
* returned rows.
*
* @param {Array} [expand]
* @param {String} [query]
* @returns {Promise}
*/
getAllClientCertificates: function (expand, query) {
return getAllObjects('nginx/certificates', expand, query)
.then(rows => {
return rows.filter( row => row.provider === 'clientca' );
})
},
/** /**
* @param {Object} data * @param {Object} data
*/ */

31
frontend/js/app/nginx/access/form.ejs
View file

@ -8,6 +8,7 @@
<ul class="nav nav-tabs" role="tablist"> <ul class="nav nav-tabs" role="tablist">
<li role="presentation" class="nav-item"><a href="#details" aria-controls="tab1" role="tab" data-toggle="tab" class="nav-link active show" aria-selected="true"><i class="fe fe-zap"></i> <%- i18n('access-lists', 'details') %></a></li> <li role="presentation" class="nav-item"><a href="#details" aria-controls="tab1" role="tab" data-toggle="tab" class="nav-link active show" aria-selected="true"><i class="fe fe-zap"></i> <%- i18n('access-lists', 'details') %></a></li>
<li role="presentation" class="nav-item"><a href="#auth" aria-controls="tab4" role="tab" data-toggle="tab" class="nav-link" aria-selected="false"><i class="fe fe-users"></i> <%- i18n('access-lists', 'authorization') %></a></li> <li role="presentation" class="nav-item"><a href="#auth" aria-controls="tab4" role="tab" data-toggle="tab" class="nav-link" aria-selected="false"><i class="fe fe-users"></i> <%- i18n('access-lists', 'authorization') %></a></li>
<li role="presentation" class="nav-item"><a href="#clientca" aria-controls="tab4" role="tab" data-toggle="tab" class="nav-link" aria-selected="false"><i class="fe fe-lock"></i> <%- i18n('access-lists', 'client-certificates') %></a></li>
<li role="presentation" class="nav-item"><a href="#access" aria-controls="tab2" role="tab" data-toggle="tab" class="nav-link" aria-selected="false"><i class="fe fe-radio"></i> <%- i18n('access-lists', 'access') %></a></li> <li role="presentation" class="nav-item"><a href="#access" aria-controls="tab2" role="tab" data-toggle="tab" class="nav-link" aria-selected="false"><i class="fe fe-radio"></i> <%- i18n('access-lists', 'access') %></a></li>
</ul> </ul>
@ -71,6 +72,34 @@
</div> </div>
</div> </div>
<!-- Client Certificates -->
<div class="tab-pane" id="clientca">
<p>
Client Certificate Authorization via
<a target="_blank" href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate">
Nginx HTTP SSL
</a>
</p>
<div class="row">
<div class="col-sm-10 col-md-10">
<select id="certificate_search" class="form-control custom-select" placeholder="<%- i18n('ssl', 'clientca') %>">
</select>
</div>
<div class="col-sm-2 col-md-2">
<div class="btn-list justify-content-end">
<button type="button" class="btn btn-teal clientca_add"><%- i18n('access-lists', 'clientca-add') %></button>
</div>
</div>
</div>
<label class="form-label">Authorized Client Certificate Authorities</label>
<div class="clientcas">
<!-- clientcas -->
</div>
</div>
<!-- Access --> <!-- Access -->
<div class="tab-pane" id="access"> <div class="tab-pane" id="access">
<p> <p>
@ -92,7 +121,7 @@
</div> </div>
</div> </div>
</div> </div>
<div class="text-muted">Note that the <code>allow</code> and <code>deny</code> directives will be applied in the order they are defined.</div> <div class="text-muted">Note that the most specific directive is what will be applied to the connection. Order does not matter.</div>
<div class="btn-list justify-content-end"> <div class="btn-list justify-content-end">
<button type="button" class="btn btn-teal access_add"><%- i18n('access-lists', 'access-add') %></button> <button type="button" class="btn btn-teal access_add"><%- i18n('access-lists', 'access-add') %></button>
</div> </div>

107
frontend/js/app/nginx/access/form.js
View file

@ -4,8 +4,13 @@ const AccessListModel = require('../../../models/access-list');
const template = require('./form.ejs'); const template = require('./form.ejs');
const ItemView = require('./form/item'); const ItemView = require('./form/item');
const ClientView = require('./form/client'); const ClientView = require('./form/client');
const ClientCAView = require('./form/clientca');
require('jquery-serializejson'); require('jquery-serializejson');
require('selectize');
const Helpers = require("../../../lib/helpers");
const certListItemTemplate = require("../certificates-list-item.ejs");
const ItemsView = Mn.CollectionView.extend({ const ItemsView = Mn.CollectionView.extend({
childView: ItemView childView: ItemView
@ -15,6 +20,10 @@ const ClientsView = Mn.CollectionView.extend({
childView: ClientView childView: ClientView
}); });
const ClientCAsView = Mn.CollectionView.extend({
childView: ClientCAView
});
module.exports = Mn.View.extend({ module.exports = Mn.View.extend({
template: template, template: template,
className: 'modal-dialog', className: 'modal-dialog',
@ -22,32 +31,41 @@ module.exports = Mn.View.extend({
ui: { ui: {
items_region: '.items', items_region: '.items',
clients_region: '.clients', clients_region: '.clients',
clientcas_region: '.clientcas',
certificate_select: 'select[id="certificate_search"]',
form: 'form', form: 'form',
buttons: '.modal-footer button', buttons: '.modal-footer button',
cancel: 'button.cancel', cancel: 'button.cancel',
save: 'button.save', save: 'button.save',
access_add: 'button.access_add', access_add: 'button.access_add',
auth_add: 'button.auth_add' auth_add: 'button.auth_add',
clientca_add: 'button.clientca_add',
clientca_del: 'button.clientca_del'
}, },
regions: { regions: {
items_region: '@ui.items_region', items_region: '@ui.items_region',
clients_region: '@ui.clients_region' clients_region: '@ui.clients_region',
clientcas_region: '@ui.clientcas_region'
}, },
events: { events: {
'click @ui.save': function (e) { 'click @ui.save': function (e) {
e.preventDefault(); e.preventDefault();
console.log(this.ui.form); // FIXME
if (!this.ui.form[0].checkValidity()) { if (!this.ui.form[0].checkValidity()) {
$('<input type="submit">').hide().appendTo(this.ui.form).click().remove(); $('<input type="submit">').hide().appendTo(this.ui.form).click().remove();
return; return;
} }
let view = this; let view = this;
let form_data = this.ui.form.serializeJSON();
let items_data = []; let items_data = [];
let clients_data = []; let clients_data = [];
let clientcas_data = [];
let form_data = this.ui.form.serializeJSON();
form_data.username.map(function (val, idx) { form_data.username.map(function (val, idx) {
if (val.trim().length) { if (val.trim().length) {
@ -67,7 +85,13 @@ module.exports = Mn.View.extend({
} }
}); });
if (!items_data.length && !clients_data.length) { if (form_data.certificate_id !== undefined) {
form_data.certificate_id.map(function (val, idx) {
clientcas_data.push(parseInt(val, 10))
});
}
if (!items_data.length && !clients_data.length && !clientcas_data.length) {
alert('You must specify at least 1 Authorization or Access rule'); alert('You must specify at least 1 Authorization or Access rule');
return; return;
} }
@ -77,11 +101,10 @@ module.exports = Mn.View.extend({
satisfy_any: !!form_data.satisfy_any, satisfy_any: !!form_data.satisfy_any,
pass_auth: !!form_data.pass_auth, pass_auth: !!form_data.pass_auth,
items: items_data, items: items_data,
clients: clients_data clients: clients_data,
clientcas: clientcas_data
}; };
console.log(data);
let method = App.Api.Nginx.AccessLists.create; let method = App.Api.Nginx.AccessLists.create;
let is_new = true; let is_new = true;
@ -125,16 +148,55 @@ module.exports = Mn.View.extend({
this.showChildView('items_region', new ItemsView({ this.showChildView('items_region', new ItemsView({
collection: new Backbone.Collection(items) collection: new Backbone.Collection(items)
})); }));
},
'click @ui.clientca_add': function (e) {
e.preventDefault();
App.Api.Nginx.Certificates.getAllClientCertificates().then((certificates) => {
let value = this.ui.certificate_select[0].value;
if (value === undefined || value === '') {
return;
}
let certificate_id = parseInt(this.ui.certificate_select[0].value, 10);
let cert = certificates.filter((cert) => { return cert.id === certificate_id })[0];
let clientcas = this.model.get('clientcas');
clientcas.push({
certificate: cert
});
this.ui.certificate_select[0].selectize.clear();
this.showChildView('clientcas_region', new ClientCAsView({
collection: new Backbone.Collection(clientcas)
}));
})
},
'click @ui.clientca_del': function (e) {
e.preventDefault();
let certificate_id = parseInt(e.currentTarget.dataset.value, 10);
let clientcas = this.model.get('clientcas');
this.model.set('clientcas', clientcas.filter((e) => { return e.certificate.id !== certificate_id }));
clientcas = this.model.get('clientcas');
this.showChildView('clientcas_region', new ClientCAsView({
collection: new Backbone.Collection(clientcas)
}));
} }
}, },
onRender: function () { onRender: function () {
let items = this.model.get('items'); let items = this.model.get('items');
let clients = this.model.get('clients'); let clients = this.model.get('clients');
let clientcas = this.model.get('clientcas');
// Ensure at least one field is shown initally // Ensure at least one field is shown initally
if (!items.length) items.push({}); if (!items.length) items.push({});
if (!clients.length) clients.push({}); if (!clients.length) clients.push({});
if (!clientcas.length) clients.push({});
this.showChildView('items_region', new ItemsView({ this.showChildView('items_region', new ItemsView({
collection: new Backbone.Collection(items) collection: new Backbone.Collection(items)
@ -143,6 +205,37 @@ module.exports = Mn.View.extend({
this.showChildView('clients_region', new ClientsView({ this.showChildView('clients_region', new ClientsView({
collection: new Backbone.Collection(clients) collection: new Backbone.Collection(clients)
})); }));
this.showChildView('clientcas_region', new ClientCAsView({
collection: new Backbone.Collection(clientcas)
}));
this.ui.certificate_select.selectize({
valueField: 'id',
labelField: 'nice_name',
searchField: ['nice_name', 'domain_names'],
create: false,
preload: true,
allowEmptyOption: true,
render: {
option: function (item) {
item.i18n = App.i18n;
item.formatDbDate = Helpers.formatDbDate;
return certListItemTemplate(item);
}
},
load: function (query, callback) {
App.Api.Nginx.Certificates.getAllClientCertificates()
.then(rows => {
callback(rows);
})
.catch(err => {
console.error(err);
callback();
});
},
onLoad: function () {}
});
}, },
initialize: function (options) { initialize: function (options) {

18
frontend/js/app/nginx/access/form/clientca.ejs Normal file
View file

@ -0,0 +1,18 @@
<input id="cacert-<%=certificate.id%>" class="form-selectgroup-input" name="certificate_id[]" value="<%= certificate.id %>" type="checkbox" checked hidden/>
<div class="col-auto">
<i class="fe fe-shield text-green"></i>
</div>
<div class="col flex-fill">
<div class="text-truncate">
<strong><%= certificate.nice_name %></strong>
<div class="text-muted">Expires: <%- formatDbDate(certificate.expires_on, 'Do MMMM YYYY, h:mm a') %></div>
</div>
</div>
<div class="col-auto align-self-center <% if (certificate.is_deleted == 1) { %>text-danger<% } %>">
<% if (certificate.is_deleted == 1) { %><i>Deleted</i><% } %>
</div>
<div class="col-auto align-self-center">
<button class="btn btn-sm btn-outline-danger btn-icon clientca_del" data-value="<%=certificate.id%>">
<i class="fe fe-trash-2"></i>
</button>
</div>

7
frontend/js/app/nginx/access/form/clientca.js Normal file
View file

@ -0,0 +1,7 @@
const Mn = require('backbone.marionette');
const template = require('./clientca.ejs');
module.exports = Mn.View.extend({
template: template,
className: 'row'
});

3
frontend/js/app/nginx/access/list/item.ejs
View file

@ -14,6 +14,9 @@
<td> <td>
<%- i18n('access-lists', 'item-count', {count: items.length || 0}) %> <%- i18n('access-lists', 'item-count', {count: items.length || 0}) %>
</td> </td>
<td>
<%- i18n('access-lists', 'clientca-count', {count: clientcas.length || 0}) %>
</td>
<td> <td>
<%- i18n('access-lists', 'client-count', {count: clients.length || 0}) %> <%- i18n('access-lists', 'client-count', {count: clients.length || 0}) %>
</td> </td>

1
frontend/js/app/nginx/access/list/main.ejs
View file

@ -2,6 +2,7 @@
<th width="30">&nbsp;</th> <th width="30">&nbsp;</th>
<th><%- i18n('str', 'name') %></th> <th><%- i18n('str', 'name') %></th>
<th><%- i18n('access-lists', 'authorization') %></th> <th><%- i18n('access-lists', 'authorization') %></th>
<th><%- i18n('access-lists', 'client-certificates') %></th>
<th><%- i18n('access-lists', 'access') %></th> <th><%- i18n('access-lists', 'access') %></th>
<th><%- i18n('access-lists', 'satisfy') %></th> <th><%- i18n('access-lists', 'satisfy') %></th>
<th><%- i18n('proxy-hosts', 'title') %></th> <th><%- i18n('proxy-hosts', 'title') %></th>

4
frontend/js/app/nginx/access/main.js
View file

@ -73,7 +73,7 @@ module.exports = Mn.View.extend({
e.preventDefault(); e.preventDefault();
let query = this.ui.query.val(); let query = this.ui.query.val();
this.fetch(['owner', 'items', 'clients'], query) this.fetch(['owner', 'items', 'clients', 'clientcas.certificate'], query)
.then(response => this.showData(response)) .then(response => this.showData(response))
.catch(err => { .catch(err => {
this.showError(err); this.showError(err);
@ -88,7 +88,7 @@ module.exports = Mn.View.extend({
onRender: function () { onRender: function () {
let view = this; let view = this;
view.fetch(['owner', 'items', 'clients']) view.fetch(['owner', 'items', 'clients', 'clientcas.certificate'])
.then(response => { .then(response => {
if (!view.isDestroyed()) { if (!view.isDestroyed()) {
if (response && response.length) { if (response && response.length) {

18
frontend/js/app/nginx/certificates/form.ejs
View file

@ -173,7 +173,23 @@
</div> </div>
</div> </div>
</div> </div>
<% } else if (provider === 'clientca') { %>
<!-- Client Certificate Authority -->
<div class="col-sm-12 col-md-12">
<div class="form-group">
<label class="form-label"><%- i18n('str', 'name') %> <span class="form-required">*</span></label>
<input name="nice_name" type="text" class="form-control" placeholder="" value="<%- nice_name %>" required>
</div>
</div>
<div class="col-sm-12 col-md-12 other-ssl">
<div class="form-group">
<div class="form-label"><%- i18n('certificates', 'clientca-certificate') %><span class="form-required">*</span></div>
<div class="custom-file">
<input type="file" class="custom-file-input" name="meta[clientca_certificate]" id="clientca_certificate">
<label id="clientca_certificate_label" class="custom-file-label"><%- i18n('str', 'choose-file') %></label>
</div>
</div>
</div>
<% } %> <% } %>
</div> </div>
</form> </form>

25
frontend/js/app/nginx/certificates/form.js
View file

@ -45,7 +45,9 @@ module.exports = Mn.View.extend({
propagation_seconds: 'input[name="meta[propagation_seconds]"]', propagation_seconds: 'input[name="meta[propagation_seconds]"]',
other_certificate_key_label: '#other_certificate_key_label', other_certificate_key_label: '#other_certificate_key_label',
other_intermediate_certificate: '#other_intermediate_certificate', other_intermediate_certificate: '#other_intermediate_certificate',
other_intermediate_certificate_label: '#other_intermediate_certificate_label' other_intermediate_certificate_label: '#other_intermediate_certificate_label',
clientca_certificate: '#clientca_certificate',
clientca_certificate_label: '#clientca_certificate_label'
}, },
events: { events: {
@ -156,6 +158,18 @@ module.exports = Mn.View.extend({
} }
ssl_files.push({name: 'intermediate_certificate', file: this.ui.other_intermediate_certificate[0].files[0]}); ssl_files.push({name: 'intermediate_certificate', file: this.ui.other_intermediate_certificate[0].files[0]});
} }
} else if (data.provider === 'clientca' && !this.model.hasSslFiles()) {
// check files are attached
if (!this.ui.clientca_certificate[0].files.length || !this.ui.clientca_certificate[0].files[0].size) {
alert('Certificate file is not attached');
return;
} else {
if (this.ui.clientca_certificate[0].files[0].size > this.max_file_size) {
alert('Certificate file is too large (> 100kb)');
return;
}
ssl_files.push({name: 'certificate', file: this.ui.clientca_certificate[0].files[0]});
}
} }
this.ui.loader_content.show(); this.ui.loader_content.show();
@ -163,14 +177,14 @@ module.exports = Mn.View.extend({
// compile file data // compile file data
let form_data = new FormData(); let form_data = new FormData();
if (data.provider === 'other' && ssl_files.length) { if ((data.provider === 'other' || data.provider === 'clientca') && ssl_files.length) {
ssl_files.map(function (file) { ssl_files.map(function (file) {
form_data.append(file.name, file.file); form_data.append(file.name, file.file);
}); });
} }
new Promise(resolve => { new Promise(resolve => {
if (data.provider === 'other') { if (data.provider === 'other' || data.provider === 'clientca') {
resolve(App.Api.Nginx.Certificates.validate(form_data)); resolve(App.Api.Nginx.Certificates.validate(form_data));
} else { } else {
resolve(); resolve();
@ -183,7 +197,7 @@ module.exports = Mn.View.extend({
this.model.set(result); this.model.set(result);
// Now upload the certs if we need to // Now upload the certs if we need to
if (data.provider === 'other') { if (data.provider === 'other' || data.provider === 'clientca') {
return App.Api.Nginx.Certificates.upload(this.model.get('id'), form_data) return App.Api.Nginx.Certificates.upload(this.model.get('id'), form_data)
.then(result => { .then(result => {
this.model.set('meta', _.assign({}, this.model.get('meta'), result)); this.model.set('meta', _.assign({}, this.model.get('meta'), result));
@ -234,6 +248,9 @@ module.exports = Mn.View.extend({
}, },
'change @ui.other_intermediate_certificate': function(e){ 'change @ui.other_intermediate_certificate': function(e){
this.setFileName("other_intermediate_certificate_label", e) this.setFileName("other_intermediate_certificate_label", e)
},
'change @ui.clientca_certificate': function(e){
this.setFileName("clientca_certificate_label", e)
} }
}, },
setFileName(ui, e){ setFileName(ui, e){

1
frontend/js/app/nginx/certificates/main.ejs
View file

@ -20,6 +20,7 @@
<div class="dropdown-menu"> <div class="dropdown-menu">
<a class="dropdown-item add-item" data-cert="letsencrypt" href="#"><%- i18n('ssl', 'letsencrypt') %></a> <a class="dropdown-item add-item" data-cert="letsencrypt" href="#"><%- i18n('ssl', 'letsencrypt') %></a>
<a class="dropdown-item add-item" data-cert="other" href="#"><%- i18n('ssl', 'other') %></a> <a class="dropdown-item add-item" data-cert="other" href="#"><%- i18n('ssl', 'other') %></a>
<a class="dropdown-item add-item" data-cert="clientca" href="#"><%- i18n('ssl', 'clientca') %></a>
</div> </div>
</div> </div>
<% } %> <% } %>

2
frontend/js/app/nginx/dead/form.js
View file

@ -263,7 +263,7 @@ module.exports = Mn.View.extend({
} }
}, },
load: function (query, callback) { load: function (query, callback) {
App.Api.Nginx.Certificates.getAll() App.Api.Nginx.Certificates.getAllServerCertificates()
.then(rows => { .then(rows => {
callback(rows); callback(rows);
}) })

2
frontend/js/app/nginx/proxy/access-list-item.ejs
View file

@ -3,7 +3,7 @@
<div class="title"> <div class="title">
<i class="fe fe-lock text-teal"></i> <%- name %> <i class="fe fe-lock text-teal"></i> <%- name %>
</div> </div>
<span class="description"><%- i18n('access-lists', 'item-count', {count: items.length || 0}) %>, <%- i18n('access-lists', 'client-count', {count: clients.length || 0}) %> &ndash; Created: <%- formatDbDate(created_on, 'Do MMMM YYYY, h:mm a') %></span> <span class="description"><%- i18n('access-lists', 'item-count', {count: items.length || 0}) %>, <%- i18n('access-lists', 'client-count', {count: clients.length || 0}) %>, <%- i18n('access-lists', 'clientca-count', {count: clientcas.length || 0}) %> &ndash; Created: <%- formatDbDate(created_on, 'Do MMMM YYYY, h:mm a') %></span>
<% } else { %> <% } else { %>
<div class="title"> <div class="title">
<i class="fe fe-unlock text-yellow"></i> <%- i18n('access-lists', 'public') %> <i class="fe fe-unlock text-yellow"></i> <%- i18n('access-lists', 'public') %>

12
frontend/js/app/nginx/proxy/form.ejs
View file

@ -72,7 +72,7 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-12 col-md-12"> <div class="col-sm-6 col-md-6">
<div class="form-group"> <div class="form-group">
<label class="custom-switch"> <label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="allow_websocket_upgrade" value="1"<%- allow_websocket_upgrade ? ' checked' : '' %>> <input type="checkbox" class="custom-switch-input" name="allow_websocket_upgrade" value="1"<%- allow_websocket_upgrade ? ' checked' : '' %>>
@ -81,7 +81,15 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="drop_unauthorized" value="1"<%- drop_unauthorized ? ' checked' : '' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'drop-unauthorized') %></span>
</label>
</div>
</div>
<div class="col-sm-12 col-md-12"> <div class="col-sm-12 col-md-12">
<div class="form-group"> <div class="form-group">
<label class="form-label"><%- i18n('proxy-hosts', 'access-list') %></label> <label class="form-label"><%- i18n('proxy-hosts', 'access-list') %></label>

5
frontend/js/app/nginx/proxy/form.js
View file

@ -161,6 +161,7 @@ module.exports = Mn.View.extend({
// Manipulate // Manipulate
data.forward_port = parseInt(data.forward_port, 10); data.forward_port = parseInt(data.forward_port, 10);
data.block_exploits = !!data.block_exploits; data.block_exploits = !!data.block_exploits;
data.drop_unauthorized = !!data.drop_unauthorized;
data.caching_enabled = !!data.caching_enabled; data.caching_enabled = !!data.caching_enabled;
data.allow_websocket_upgrade = !!data.allow_websocket_upgrade; data.allow_websocket_upgrade = !!data.allow_websocket_upgrade;
data.http2_support = !!data.http2_support; data.http2_support = !!data.http2_support;
@ -297,7 +298,7 @@ module.exports = Mn.View.extend({
} }
}, },
load: function (query, callback) { load: function (query, callback) {
App.Api.Nginx.AccessLists.getAll(['items', 'clients']) App.Api.Nginx.AccessLists.getAll(['items', 'clients', 'clientcas'])
.then(rows => { .then(rows => {
callback(rows); callback(rows);
}) })
@ -331,7 +332,7 @@ module.exports = Mn.View.extend({
} }
}, },
load: function (query, callback) { load: function (query, callback) {
App.Api.Nginx.Certificates.getAll() App.Api.Nginx.Certificates.getAllServerCertificates()
.then(rows => { .then(rows => {
callback(rows); callback(rows);
}) })

2
frontend/js/app/nginx/redirection/form.js
View file

@ -265,7 +265,7 @@ module.exports = Mn.View.extend({
} }
}, },
load: function (query, callback) { load: function (query, callback) {
App.Api.Nginx.Certificates.getAll() App.Api.Nginx.Certificates.getAllServerCertificates()
.then(rows => { .then(rows => {
callback(rows); callback(rows);
}) })

11
frontend/js/i18n/messages.json
View file

@ -75,6 +75,7 @@
"domain-names": "Domain Names", "domain-names": "Domain Names",
"cert-provider": "Certificate Provider", "cert-provider": "Certificate Provider",
"block-exploits": "Block Common Exploits", "block-exploits": "Block Common Exploits",
"drop-unauthorized": "Drop Unauthorized (444)",
"caching-enabled": "Cache Assets", "caching-enabled": "Cache Assets",
"ssl-certificate": "SSL Certificate", "ssl-certificate": "SSL Certificate",
"none": "None", "none": "None",
@ -99,6 +100,7 @@
"ssl": { "ssl": {
"letsencrypt": "Let's Encrypt", "letsencrypt": "Let's Encrypt",
"other": "Custom", "other": "Custom",
"clientca": "Client Certificate Authority",
"none": "HTTP only", "none": "HTTP only",
"letsencrypt-email": "Email Address for Let's Encrypt", "letsencrypt-email": "Email Address for Let's Encrypt",
"letsencrypt-agree": "I Agree to the <a href=\"{url}\" target=\"_blank\">Let's Encrypt Terms of Service</a>", "letsencrypt-agree": "I Agree to the <a href=\"{url}\" target=\"_blank\">Let's Encrypt Terms of Service</a>",
@ -185,7 +187,7 @@
"title": "SSL Certificates", "title": "SSL Certificates",
"empty": "There are no SSL Certificates", "empty": "There are no SSL Certificates",
"add": "Add SSL Certificate", "add": "Add SSL Certificate",
"form-title": "Add {provider, select, letsencrypt{Let's Encrypt} other{Custom}} Certificate", "form-title": "Add {provider, select, letsencrypt{Let's Encrypt Certificate} other{Custom Certificate} clientca{Client Certificate Authority}}",
"delete": "Delete SSL Certificate", "delete": "Delete SSL Certificate",
"delete-confirm": "Are you sure you want to delete this SSL Certificate? Any hosts using it will need to be updated later.", "delete-confirm": "Are you sure you want to delete this SSL Certificate? Any hosts using it will need to be updated later.",
"help-title": "SSL Certificates", "help-title": "SSL Certificates",
@ -193,6 +195,7 @@
"other-certificate": "Certificate", "other-certificate": "Certificate",
"other-certificate-key": "Certificate Key", "other-certificate-key": "Certificate Key",
"other-intermediate-certificate": "Intermediate Certificate", "other-intermediate-certificate": "Intermediate Certificate",
"clientca-certificate": "Certificate",
"force-renew": "Renew Now", "force-renew": "Renew Now",
"test-reachability": "Test Server Reachability", "test-reachability": "Test Server Reachability",
"reachability-title": "Test Server Reachability", "reachability-title": "Test Server Reachability",
@ -221,6 +224,7 @@
"help-content": "Access Lists provide a blacklist or whitelist of specific client IP addresses along with authentication for the Proxy Hosts via Basic HTTP Authentication.\nYou can configure multiple client rules, usernames and passwords for a single Access List and then apply that to a Proxy Host.\nThis is most useful for forwarded web services that do not have authentication mechanisms built in or that you want to protect from access by unknown clients.", "help-content": "Access Lists provide a blacklist or whitelist of specific client IP addresses along with authentication for the Proxy Hosts via Basic HTTP Authentication.\nYou can configure multiple client rules, usernames and passwords for a single Access List and then apply that to a Proxy Host.\nThis is most useful for forwarded web services that do not have authentication mechanisms built in or that you want to protect from access by unknown clients.",
"item-count": "{count} {count, select, 1{User} other{Users}}", "item-count": "{count} {count, select, 1{User} other{Users}}",
"client-count": "{count} {count, select, 1{Rule} other{Rules}}", "client-count": "{count} {count, select, 1{Rule} other{Rules}}",
"clientca-count": "{count} {count, select, 1{Authority} other{Authorities}}",
"proxy-host-count": "{count} {count, select, 1{Proxy Host} other{Proxy Hosts}}", "proxy-host-count": "{count} {count, select, 1{Proxy Host} other{Proxy Hosts}}",
"delete-has-hosts": "This Access List is associated with {count} Proxy Hosts. They will become publicly available upon deletion.", "delete-has-hosts": "This Access List is associated with {count} Proxy Hosts. They will become publicly available upon deletion.",
"details": "Details", "details": "Details",
@ -231,7 +235,10 @@
"pass-auth": "Pass Auth to Host", "pass-auth": "Pass Auth to Host",
"access-add": "Add", "access-add": "Add",
"auth-add": "Add", "auth-add": "Add",
"search": "Search Access…" "search": "Search Access…",
"client-certificates": "Client Certificates",
"clientca-add": "Add",
"clientca-del": "Del"
}, },
"users": { "users": {
"title": "Users", "title": "Users",

1
frontend/js/models/access-list.js
View file

@ -11,6 +11,7 @@ const model = Backbone.Model.extend({
name: '', name: '',
items: [], items: [],
clients: [], clients: [],
clientcas: [],
// The following are expansions: // The following are expansions:
owner: null owner: null
}; };

1
frontend/js/models/proxy-host.js
View file

@ -20,6 +20,7 @@ const model = Backbone.Model.extend({
caching_enabled: false, caching_enabled: false,
allow_websocket_upgrade: false, allow_websocket_upgrade: false,
block_exploits: false, block_exploits: false,
drop_unauthorized: false,
http2_support: false, http2_support: false,
advanced_config: '', advanced_config: '',
enabled: true, enabled: true,

11
scripts/.common.sh
View file

@ -10,6 +10,17 @@ YELLOW='\E[1;33m'
export BLUE CYAN GREEN RED RESET YELLOW export BLUE CYAN GREEN RED RESET YELLOW
# Identify docker-like command
# Ensure docker exists
if command -v docker 1>/dev/null 2>&1; then
export docker=docker
elif command -v podman 1>/dev/null 2>&1; then
export docker=podman
else
echo -e "${RED} docker or podman command is not available${RESET}"
exit 1
fi
# Docker Compose # Docker Compose
COMPOSE_PROJECT_NAME="npmdev" COMPOSE_PROJECT_NAME="npmdev"
COMPOSE_FILE="docker/docker-compose.dev.yml" COMPOSE_FILE="docker/docker-compose.dev.yml"

8
scripts/buildx
View file

@ -14,10 +14,10 @@ if [ "$BUILD_COMMIT" == "" ]; then
fi fi
# Buildx Builder # Buildx Builder
docker buildx create --name "${BUILDX_NAME:-npm}" || echo $docker buildx create --name "${BUILDX_NAME:-npm}" || echo
docker buildx use "${BUILDX_NAME:-npm}" $docker buildx use "${BUILDX_NAME:-npm}"
docker buildx build \ $docker buildx build \
--build-arg BUILD_VERSION="${BUILD_VERSION:-dev}" \ --build-arg BUILD_VERSION="${BUILD_VERSION:-dev}" \
--build-arg BUILD_COMMIT="${BUILD_COMMIT:-notset}" \ --build-arg BUILD_COMMIT="${BUILD_COMMIT:-notset}" \
--build-arg BUILD_DATE="$(date '+%Y-%m-%d %T %Z')" \ --build-arg BUILD_DATE="$(date '+%Y-%m-%d %T %Z')" \
@ -31,6 +31,6 @@ docker buildx build \
. .
rc=$? rc=$?
docker buildx rm "${BUILDX_NAME:-npm}" $docker buildx rm "${BUILDX_NAME:-npm}"
echo -e "${BLUE} ${GREEN}Multiarch build Complete${RESET}" echo -e "${BLUE} ${GREEN}Multiarch build Complete${RESET}"
exit $rc exit $rc

19
scripts/ci/frontend-build
View file

@ -6,12 +6,17 @@ DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
DOCKER_IMAGE=jc21/nginx-full:certbot-node DOCKER_IMAGE=jc21/nginx-full:certbot-node
# Ensure docker exists # Ensure docker exists
if hash docker 2>/dev/null; then if command -v docker 1>/dev/null 2>&1; then
docker pull "${DOCKER_IMAGE}" docker=docker
cd "${DIR}/../.." elif command -v podman 1>/dev/null 2>&1; then
echo -e "${BLUE} ${CYAN}Building Frontend ...${RESET}" docker=podman
docker run --rm -e CI=true -v "$(pwd)/frontend:/app/frontend" -v "$(pwd)/global:/app/global" -w /app/frontend "$DOCKER_IMAGE" sh -c "yarn install && yarn build && yarn build && chown -R $(id -u):$(id -g) /app/frontend"
echo -e "${BLUE} ${GREEN}Building Frontend Complete${RESET}"
else else
echo -e "${RED} docker command is not available${RESET}" echo -e "${RED} docker or podman command is not available${RESET}"
exit 1
fi fi
$docker pull "${DOCKER_IMAGE}"
cd "${DIR}/../.."
echo -e "${BLUE} ${CYAN}Building Frontend ...${RESET}"
$docker run --rm -e CI=true -v "$(pwd)/frontend:/app/frontend" -v "$(pwd)/global:/app/global" -w /app/frontend "$DOCKER_IMAGE" sh -c "yarn install && yarn build && yarn build && chown -R $(id -u):$(id -g) /app/frontend"
echo -e "${BLUE} ${GREEN}Building Frontend Complete${RESET}"

17
scripts/ci/test-and-build
View file

@ -1,10 +1,21 @@
#!/bin/bash -e #!/bin/bash -e
DOCKER_IMAGE=jc21/nginx-full:certbot-node DOCKER_IMAGE=jc21/nginx-full:certbot-node
docker pull "${DOCKER_IMAGE}"
# Ensure docker exists
if command -v docker 1>/dev/null 2>&1; then
docker=docker
elif command -v podman 1>/dev/null 2>&1; then
docker=podman
else
echo -e "${RED} docker or podman command is not available${RESET}"
exit 1
fi
$docker pull "${DOCKER_IMAGE}"
# Test # Test
docker run --rm \ $docker run --rm \
-v "$(pwd)/backend:/app" \ -v "$(pwd)/backend:/app" \
-v "$(pwd)/global:/app/global" \ -v "$(pwd)/global:/app/global" \
-w /app \ -w /app \
@ -12,7 +23,7 @@ docker run --rm \
sh -c 'yarn install && yarn eslint . && rm -rf node_modules' sh -c 'yarn install && yarn eslint . && rm -rf node_modules'
# Build # Build
docker build --pull --no-cache --squash --compress \ $docker build --pull --no-cache --squash --compress \
-t "${IMAGE}:ci-${BUILD_NUMBER}" \ -t "${IMAGE}:ci-${BUILD_NUMBER}" \
-f docker/Dockerfile \ -f docker/Dockerfile \
--build-arg TARGETPLATFORM=linux/amd64 \ --build-arg TARGETPLATFORM=linux/amd64 \

2
scripts/docs-build
View file

@ -7,7 +7,7 @@ DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
if hash docker 2>/dev/null; then if hash docker 2>/dev/null; then
cd "${DIR}/.." cd "${DIR}/.."
echo -e "${BLUE} ${CYAN}Building Docs ...${RESET}" echo -e "${BLUE} ${CYAN}Building Docs ...${RESET}"
docker run --rm -e CI=true -v "$(pwd)/docs:/app/docs" -w /app/docs node:alpine sh -c "yarn install && yarn build && chown -R $(id -u):$(id -g) /app/docs" $docker run --rm -e CI=true -v "$(pwd)/docs:/app/docs" -w /app/docs node:alpine sh -c "yarn install && yarn build && chown -R $(id -u):$(id -g) /app/docs"
echo -e "${BLUE} ${GREEN}Building Docs Complete${RESET}" echo -e "${BLUE} ${GREEN}Building Docs Complete${RESET}"
else else
echo -e "${RED} docker command is not available${RESET}" echo -e "${RED} docker command is not available${RESET}"

4
scripts/start-dev
View file

@ -18,10 +18,10 @@ if hash docker-compose 2>/dev/null; then
if [ "$1" == "-f" ]; then if [ "$1" == "-f" ]; then
echo -e "${BLUE} ${YELLOW}Following Backend Container:${RESET}" echo -e "${BLUE} ${YELLOW}Following Backend Container:${RESET}"
docker logs -f npm_core $docker logs -f npm_core
else else
echo -e "${YELLOW}Hint:${RESET} You can follow the output of some of the containers with:" echo -e "${YELLOW}Hint:${RESET} You can follow the output of some of the containers with:"
echo " docker logs -f npm_core" echo " $docker logs -f npm_core"
fi fi
else else
echo -e "${RED} docker-compose command is not available${RESET}" echo -e "${RED} docker-compose command is not available${RESET}"

2
scripts/wait-healthy
View file

@ -19,7 +19,7 @@ echo -e "${BLUE} ${CYAN}Waiting for healthy: ${YELLOW}${SERVICE}${RESET}"
until [ "${HEALTHY}" = "healthy" ]; do until [ "${HEALTHY}" = "healthy" ]; do
echo -n "." echo -n "."
sleep 1 sleep 1
HEALTHY="$(docker inspect -f '{{.State.Health.Status}}' $SERVICE)" HEALTHY="$($docker inspect -f '{{.State.Health.Status}}' $SERVICE)"
((LOOPCOUNT++)) ((LOOPCOUNT++))
if [ "$LOOPCOUNT" == "$LIMIT" ]; then if [ "$LOOPCOUNT" == "$LIMIT" ]; then

1
test/cypress/integration/api/Hosts.spec.js
View file

@ -27,6 +27,7 @@ describe('Hosts endpoints', () => {
advanced_config: '', advanced_config: '',
locations: [], locations: [],
block_exploits: false, block_exploits: false,
drop_unauthorized: false,
caching_enabled: false, caching_enabled: false,
allow_websocket_upgrade: false, allow_websocket_upgrade: false,
http2_support: false, http2_support: false,