From ddbfdf6f6e1682ede0fdab72afb7e85455d98569 Mon Sep 17 00:00:00 2001
From: Paul Mansfield
Date: Thu, 4 Jul 2019 23:32:41 +0100
Subject: [PATCH 1/2] Open up lets Encrypt acme challenge config (#165)

Since Lets Encrypt don't publish IP ranges that their acme challenge service will be sourced from, we need to allow free access to this location special to override any IP ACLs added by Advanced Custom Nginx Configuration. Due to the way Nginx config is applied, this only applies to the regex and below, keeping the IP ACLs working for the rest of the website.
---
 .../etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf b/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
index 750c9b29..22c6ca13 100644
--- a/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
+++ b/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
@@ -2,7 +2,10 @@
 # We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
 # other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
 location ^~ /.well-known/acme-challenge/ {
+ # Since this is for letsencrypt authentication of a domain and they do not give IP ranges of their infrastructure
+ # we need to open up access by turning off auth and IP ACL for this location.
 auth_basic off;
+ allow all;
 
 # Set correct content type. According to this:
 # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29

From 31aa9c9644de23a95e036bb3bb32e7e0e0936d6d Mon Sep 17 00:00:00 2001
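Review bot: The new `allow all;` only replaces the `allow`/`deny` rules this location would otherwise inherit from the access module; it does not bypass other access controls such as `auth_request` or a `satisfy` setting, so the added comment's "turning off auth and IP ACL" describes more than the two directives actually do. Because this location is now deliberately reachable from any address, the comment should also record that it must serve nothing but the ACME token files — the `root`/`alias` that decides what is served, and the rest of the `location` block, are outside the hunk. I'd tighten the two comment lines to `# Let's Encrypt publishes no source IP ranges, so auth_basic off + allow all override any inherited auth_basic and allow/deny rules for this location only; keep it limited to the ACME token files.`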
From: Carl Mercier
Date: Thu, 8 Aug 2019 21:19:42 -0400
Subject: [PATCH 2/2] Allow including custom nginx conf files (#178)

* Allow including custom nginx conf files

Give advanced users more flexibility by allowing them to include custom config files at differents locations in the nginx configuration.

`/data/nginx/custom/root.conf`: Included at the very end of nginx.conf
`/data/nginx/custom/http.conf`: Included at the end of the main `http` block
`/data/nginx/custom/server_proxy.conf`: Included at the end of every proxy `server` block
`/data/nginx/custom/server_redirect.conf`: Included at the end of every redirection `server` block
`/data/nginx/custom/server_stream.conf`: Included at the end of every stream `server` block
`/data/nginx/custom/server_stream_tcp.conf`: Included at the end of every TCP stream `server` block
`/data/nginx/custom/server_stream_udp.conf`: Included at the end of every UDP stream `server` block

* Don't fail if file doesn't exist

* Advanced Nginx settings doc
---
 doc/ADVANCED_NGINX.md | 17 +++++++++++++++++
 rootfs/etc/nginx/nginx.conf | 5 +++++
 src/backend/templates/proxy_host.conf | 2 ++
 src/backend/templates/redirection_host.conf | 2 ++
 src/backend/templates/stream.conf | 8 ++++++++
 5 files changed, 34 insertions(+)
 create mode 100644 doc/ADVANCED_NGINX.md

diff --git a/doc/ADVANCED_NGINX.md b/doc/ADVANCED_NGINX.md
new file mode 100644
index 00000000..eabac84c
--- /dev/null
+++ b/doc/ADVANCED_NGINX.md
@@ -0,0 +1,17 @@
+## Advanced Nginx Configuration
+
+If you are a more advanced user, you might be itching for extra Nginx customizability.
+
+NPM has the ability to include different custom configuration snippets in different places.
+
+You can add your custom configuration snippet files at `/data/nginx/custom` as follow:
+
+`/data/nginx/custom/root.conf`: Included at the very end of nginx.conf
+`/data/nginx/custom/http.conf`: Included at the end of the main http block
+`/data/nginx/custom/server_proxy.conf`: Included at the end of every proxy server block
+`/data/nginx/custom/server_redirect.conf`: Included at the end of every redirection server block
+`/data/nginx/custom/server_stream.conf`: Included at the end of every stream server block
+`/data/nginx/custom/server_stream_tcp.conf`: Included at the end of every TCP stream server block
+`/data/nginx/custom/server_stream_udp.conf`: Included at the end of every UDP stream server block
+
+Every file is optional.
\ No newline at end of file
diff --git a/rootfs/etc/nginx/nginx.conf b/rootfs/etc/nginx/nginx.conf
index 19332564..ea45b53f 100644
--- a/rootfs/etc/nginx/nginx.conf
+++ b/rootfs/etc/nginx/nginx.conf
@@ -76,6 +76,9 @@ http {
 include /data/nginx/redirection_host/*.conf;
 include /data/nginx/dead_host/*.conf;
 include /data/nginx/temp/*.conf;
+
+ # Custom
+ include /data/nginx/custom/http[.]conf;
 }
 
 stream {
@@ -83,3 +86,5 @@ stream {
 include /data/nginx/stream/*.conf;
 }
 
+# Custom
+include /data/nginx/custom/root[.]conf;
diff --git a/src/backend/templates/proxy_host.conf b/src/backend/templates/proxy_host.conf
index fc58a43b..8d8c97da 100644
--- a/src/backend/templates/proxy_host.conf
+++ b/src/backend/templates/proxy_host.conf
@@ -41,5 +41,7 @@ server {
 }
 {% endif %}
 
+ # Custom
+ include /data/nginx/custom/server_proxy[.]conf;
 }
 {% endif %}
diff --git a/src/backend/templates/redirection_host.conf b/src/backend/templates/redirection_host.conf
index 3e6c2b44..463f3a8e 100644
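Review bot: The `[.]` in `include /data/nginx/custom/http[.]conf;` is the only thing that makes a missing file non-fatal — it turns the path into a glob that nginx is allowed to match zero files — but `# Custom` does not say so, and a well-meaning cleanup to `http.conf` would make nginx refuse to start whenever the file is absent; the same applies to the `root[.]conf` hunk below and to the `server_proxy`, `server_redirect`, `server_stream`, `server_stream_tcp` and `server_stream_udp` includes in the three template hunks. I'd replace each `# Custom` with `# Custom: [.] makes this a glob so a missing file is not a config error`. These includes also give whoever can write under `/data/nginx/custom` the same authority as the generated config (every directive nginx accepts in that context), which deserves a sentence in the new doc/ADVANCED_NGINX.md so operators keep that directory writable only by the administrator. The `http` block these lines sit in opens outside the hunk.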
--- a/src/backend/templates/redirection_host.conf
+++ b/src/backend/templates/redirection_host.conf
@@ -25,5 +25,7 @@ server {
 }
 {% endif %}
 
+ # Custom
+ include /data/nginx/custom/server_redirect[.]conf;
 }
 {% endif %}
diff --git a/src/backend/templates/stream.conf b/src/backend/templates/stream.conf
index 53356cfd..a6dc054f 100644
--- a/src/backend/templates/stream.conf
+++ b/src/backend/templates/stream.conf
@@ -7,12 +7,20 @@ server {
 listen {{ incoming_port }};
 proxy_pass {{ forward_ip }}:{{ forwarding_port }};
+
+ # Custom
+ include /data/nginx/custom/server_stream[.]conf;
+ include /data/nginx/custom/server_stream_tcp[.]conf;
 }
 {% endif %}
 
 {% if udp_forwarding == 1 or udp_forwarding == true %}
 server {
 listen {{ incoming_port }} udp;
 proxy_pass {{ forward_ip }}:{{ forwarding_port }};
+
+ # Custom
+ include /data/nginx/custom/server_stream[.]conf;
+ include /data/nginx/custom/server_stream_udp[.]conf;
 }
 {% endif %}
 {% endif %}
\ No newline at end of file