From a44abab6639a1dda73849b1d69e339ffabfc9a6e Mon Sep 17 00:00:00 2001 From: Franck Nijhof Date: Mon, 25 Jan 2021 22:28:14 +0100 Subject: [PATCH 1/2] Refactor NGINX configuration and HA authentication --- log-viewer/config.json | 2 - log-viewer/rootfs/etc/cont-init.d/nginx.sh | 45 ++++------ .../rootfs/etc/nginx/includes/resolver.conf | 1 - log-viewer/rootfs/etc/nginx/lua/ha-auth.lua | 83 ------------------- .../rootfs/etc/nginx/modules/ndk_http.conf | 1 - .../etc/nginx/modules/ngx_http_lua.conf | 1 - log-viewer/rootfs/etc/nginx/nginx.conf | 8 -- log-viewer/rootfs/etc/nginx/servers/.gitkeep | 1 + .../etc/nginx/servers/direct-ssl.disabled | 15 ---- .../rootfs/etc/nginx/servers/ingress.conf | 16 ---- .../rootfs/etc/nginx/templates/direct.gtpl | 36 ++++++++ .../ingress.gtpl} | 6 +- log-viewer/rootfs/etc/services.d/nginx/run | 6 -- 13 files changed, 58 insertions(+), 163 deletions(-) delete mode 100644 log-viewer/rootfs/etc/nginx/includes/resolver.conf delete mode 100644 log-viewer/rootfs/etc/nginx/lua/ha-auth.lua delete mode 100644 log-viewer/rootfs/etc/nginx/modules/ndk_http.conf delete mode 100644 log-viewer/rootfs/etc/nginx/modules/ngx_http_lua.conf create mode 100644 log-viewer/rootfs/etc/nginx/servers/.gitkeep delete mode 100644 log-viewer/rootfs/etc/nginx/servers/direct-ssl.disabled delete mode 100644 log-viewer/rootfs/etc/nginx/servers/ingress.conf create mode 100644 log-viewer/rootfs/etc/nginx/templates/direct.gtpl rename log-viewer/rootfs/etc/nginx/{servers/direct.disabled => templates/ingress.gtpl} (63%) diff --git a/log-viewer/config.json b/log-viewer/config.json index 4a9968c..aff7de6 100644 --- a/log-viewer/config.json +++ b/log-viewer/config.json @@ -6,12 +6,10 @@ "url": "https://github.com/hassio-addons/addon-log-viewer", "init": false, "ingress": true, - "ingress_port": 1337, "panel_icon": "mdi:text-box-outline", "homeassistant": "0.92.0b2", "arch": ["aarch64", "amd64", "armhf", "armv7", "i386"], "homeassistant_api": true, - "hassio_api": true, "auth_api": true, "ports": { "80/tcp": null diff --git a/log-viewer/rootfs/etc/cont-init.d/nginx.sh b/log-viewer/rootfs/etc/cont-init.d/nginx.sh index 48d38da..d75b656 100644 --- a/log-viewer/rootfs/etc/cont-init.d/nginx.sh +++ b/log-viewer/rootfs/etc/cont-init.d/nginx.sh @@ -3,34 +3,23 @@ # Home Assistant Community Add-on: Log Viewer # Configures NGINX # ============================================================================== -declare port -declare certfile -declare dns_host -declare ingress_interface -declare ingress_port -declare keyfile -port=$(bashio::addon.port 80) -if bashio::var.has_value "${port}"; then - bashio::config.require.ssl - - if bashio::config.true 'ssl'; then - certfile=$(bashio::config 'certfile') - keyfile=$(bashio::config 'keyfile') - - mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf - sed -i "s#%%certfile%%#${certfile}#g" /etc/nginx/servers/direct.conf - sed -i "s#%%keyfile%%#${keyfile}#g" /etc/nginx/servers/direct.conf +# Generate Ingress configuration +bashio::var.json \ + interface "$(bashio::addon.ip_address)" \ + | tempio \ + -template /etc/nginx/templates/ingress.gtpl \ + -out /etc/nginx/servers/ingress.conf - else - mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf - fi +# Generate direct access configuration, if enabled. +if bashio::var.has_value "$(bashio::addon.port 80)"; then + bashio::config.require.ssl + bashio::var.json \ + certfile "$(bashio::config 'certfile')" \ + keyfile "$(bashio::config 'keyfile')" \ + leave_front_door_open "^$(bashio::config 'leave_front_door_open')" \ + ssl "^$(bashio::config 'ssl')" \ + | tempio \ + -template /etc/nginx/templates/direct.gtpl \ + -out /etc/nginx/servers/direct.conf fi - -ingress_port=$(bashio::addon.ingress_port) -ingress_interface=$(bashio::addon.ip_address) -sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf -sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf - -dns_host=$(bashio::dns.host) -sed -i "s/%%dns_host%%/${dns_host}/g" /etc/nginx/includes/resolver.conf diff --git a/log-viewer/rootfs/etc/nginx/includes/resolver.conf b/log-viewer/rootfs/etc/nginx/includes/resolver.conf deleted file mode 100644 index d864899..0000000 --- a/log-viewer/rootfs/etc/nginx/includes/resolver.conf +++ /dev/null @@ -1 +0,0 @@ -resolver %%dns_host%%; diff --git a/log-viewer/rootfs/etc/nginx/lua/ha-auth.lua b/log-viewer/rootfs/etc/nginx/lua/ha-auth.lua deleted file mode 100644 index a2c633c..0000000 --- a/log-viewer/rootfs/etc/nginx/lua/ha-auth.lua +++ /dev/null @@ -1,83 +0,0 @@ -local http = require "resty.http" -local auths = ngx.shared.auths - -function authenticate() - - --- Test Authentication header is set and with a value - local header = ngx.req.get_headers()['Authorization'] - if header == nil or header:find(" ") == nil then - return false - end - - local divider = header:find(' ') - if header:sub(0, divider-1) ~= 'Basic' then - return false - end - - local auth = ngx.decode_base64(header:sub(divider+1)) - if auth == nil or auth:find(':') == nil then - return false - end - - divider = auth:find(':') - local username = auth:sub(0, divider-1) - local password = auth:sub(divider+1) - - --- Check if authentication is cached - if auths:get(username) == password then - ngx.log(ngx.DEBUG, "Authenticated user against Home Assistant (cache).") - return true - end - - --- HTTP request against the Supervisor API - local httpc = http.new() - local res, err = httpc:request_uri("http://supervisor.local.hass.io/auth", { - method = "POST", - body = ngx.encode_args({["username"]=username, ["password"]=password}), - headers = { - ["Content-Type"] = "application/x-www-form-urlencoded", - ["X-Supervisor-Token"] = os.getenv("SUPERVISOR_TOKEN"), - }, - keepalive_timeout = 60, - keepalive_pool = 10 - }) - - --- Error during API request - if err then - ngx.log(ngx.WARN, "Error during Home Assistant user authentication.", err) - return false - end - - --- No result? Something went wrong... - if not res then - ngx.log(ngx.WARN, "Error during Home Assistant user authentication.") - return false - end - - --- Valid response, the username/password is valid - if res.status == 200 then - ngx.log(ngx.INFO, "Authenticated user against Home Assistant.") - auths:set(username, password, 60) - return true - end - - --- Whatever the response is, it is invalid - ngx.log(ngx.WARN, "Authentication against Home Assistant failed!") - return false -end - --- Only authenticate if its not disabled -if not os.getenv('DISABLE_HA_AUTHENTICATION') then - - --- Try to authenticate against HA - local authenticated = authenticate() - - --- If authentication failed, throw a basic auth - if not authenticated then - ngx.header.content_type = 'text/plain' - ngx.header.www_authenticate = 'Basic realm="Home Assistant"' - ngx.status = ngx.HTTP_UNAUTHORIZED - ngx.say('401 Access Denied') - ngx.exit(ngx.HTTP_UNAUTHORIZED) - end -end diff --git a/log-viewer/rootfs/etc/nginx/modules/ndk_http.conf b/log-viewer/rootfs/etc/nginx/modules/ndk_http.conf deleted file mode 100644 index 2663122..0000000 --- a/log-viewer/rootfs/etc/nginx/modules/ndk_http.conf +++ /dev/null @@ -1 +0,0 @@ -load_module "/usr/lib/nginx/modules/ndk_http_module.so"; diff --git a/log-viewer/rootfs/etc/nginx/modules/ngx_http_lua.conf b/log-viewer/rootfs/etc/nginx/modules/ngx_http_lua.conf deleted file mode 100644 index f885ed9..0000000 --- a/log-viewer/rootfs/etc/nginx/modules/ngx_http_lua.conf +++ /dev/null @@ -1 +0,0 @@ -load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so"; diff --git a/log-viewer/rootfs/etc/nginx/nginx.conf b/log-viewer/rootfs/etc/nginx/nginx.conf index 3b54416..5b96109 100644 --- a/log-viewer/rootfs/etc/nginx/nginx.conf +++ b/log-viewer/rootfs/etc/nginx/nginx.conf @@ -18,10 +18,6 @@ error_log /proc/1/fd/1 error; # Load allowed environment vars env SUPERVISOR_TOKEN; -env DISABLE_HA_AUTHENTICATION; - -# Load dynamic modules. -include /etc/nginx/modules/*.conf; # Max num of simultaneous connections by a worker process. events { @@ -40,8 +36,6 @@ http { default_type application/octet-stream; gzip on; keepalive_timeout 65; - lua_load_resty_core off; - lua_shared_dict auths 16k; sendfile on; server_tokens off; tcp_nodelay on; @@ -52,8 +46,6 @@ http { '' close; } - include /etc/nginx/includes/resolver.conf; include /etc/nginx/includes/upstream.conf; - include /etc/nginx/servers/*.conf; } diff --git a/log-viewer/rootfs/etc/nginx/servers/.gitkeep b/log-viewer/rootfs/etc/nginx/servers/.gitkeep new file mode 100644 index 0000000..85ad51b --- /dev/null +++ b/log-viewer/rootfs/etc/nginx/servers/.gitkeep @@ -0,0 +1 @@ +Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley) diff --git a/log-viewer/rootfs/etc/nginx/servers/direct-ssl.disabled b/log-viewer/rootfs/etc/nginx/servers/direct-ssl.disabled deleted file mode 100644 index 017cdb6..0000000 --- a/log-viewer/rootfs/etc/nginx/servers/direct-ssl.disabled +++ /dev/null @@ -1,15 +0,0 @@ -server { - listen 80 default_server ssl http2; - - include /etc/nginx/includes/server_params.conf; - include /etc/nginx/includes/ssl_params.conf; - include /etc/nginx/includes/proxy_params.conf; - - ssl_certificate /ssl/%%certfile%%; - ssl_certificate_key /ssl/%%keyfile%%; - - location / { - access_by_lua_file /etc/nginx/lua/ha-auth.lua; - proxy_pass http://backend; - } -} diff --git a/log-viewer/rootfs/etc/nginx/servers/ingress.conf b/log-viewer/rootfs/etc/nginx/servers/ingress.conf deleted file mode 100644 index 8912beb..0000000 --- a/log-viewer/rootfs/etc/nginx/servers/ingress.conf +++ /dev/null @@ -1,16 +0,0 @@ -server { - listen %%interface%%:%%port%% default_server; - - include /etc/nginx/includes/server_params.conf; - include /etc/nginx/includes/proxy_params.conf; - - location / { - allow 172.30.32.2; - deny all; - - proxy_pass http://backend; - sub_filter_once off; - sub_filter 'href="/css/' 'href="css/'; - sub_filter 'src="/js/' 'src="js/'; - } -} diff --git a/log-viewer/rootfs/etc/nginx/templates/direct.gtpl b/log-viewer/rootfs/etc/nginx/templates/direct.gtpl new file mode 100644 index 0000000..c41071e --- /dev/null +++ b/log-viewer/rootfs/etc/nginx/templates/direct.gtpl @@ -0,0 +1,36 @@ +server { + {{ if not .ssl }} + listen 80 default_server; + {{ else }} + listen 80 default_server ssl http2; + {{ end }} + + include /etc/nginx/includes/server_params.conf; + include /etc/nginx/includes/proxy_params.conf; + + {{ if .ssl }} + include /etc/nginx/includes/ssl_params.conf; + + ssl_certificate /ssl/{{ .certfile }}; + ssl_certificate_key /ssl/{{ .keyfile }}; + {{ end }} + + {{ if not .leave_front_door_open }} + location = /authentication { + internal; + proxy_pass http://supervisor/auth; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Supervisor-Token "{{ env "SUPERVISOR_TOKEN" }}"; + } + {{ end }} + + location / { + {{ if not .leave_front_door_open }} + auth_request /authentication; + auth_request_set $auth_status $upstream_status; + {{ end }} + + proxy_pass http://backend; + } +} diff --git a/log-viewer/rootfs/etc/nginx/servers/direct.disabled b/log-viewer/rootfs/etc/nginx/templates/ingress.gtpl similarity index 63% rename from log-viewer/rootfs/etc/nginx/servers/direct.disabled rename to log-viewer/rootfs/etc/nginx/templates/ingress.gtpl index 0065acb..c0a8bbd 100644 --- a/log-viewer/rootfs/etc/nginx/servers/direct.disabled +++ b/log-viewer/rootfs/etc/nginx/templates/ingress.gtpl @@ -1,11 +1,13 @@ server { - listen 80 default_server; + listen {{ .interface }}:8099 default_server; include /etc/nginx/includes/server_params.conf; include /etc/nginx/includes/proxy_params.conf; location / { - access_by_lua_file /etc/nginx/lua/ha-auth.lua; + allow 172.30.32.2; + deny all; + proxy_pass http://backend; } } diff --git a/log-viewer/rootfs/etc/services.d/nginx/run b/log-viewer/rootfs/etc/services.d/nginx/run index 99d60e7..4b346d2 100644 --- a/log-viewer/rootfs/etc/services.d/nginx/run +++ b/log-viewer/rootfs/etc/services.d/nginx/run @@ -8,10 +8,4 @@ bashio::net.wait_for 4277 bashio::log.info "Starting NGinx..." - -# Disable HA Authentication if front door is open -if bashio::config.true 'leave_front_door_open'; then - export DISABLE_HA_AUTHENTICATION=true -fi - exec nginx From 5a1a1639862c1b0cee4cedf979a50c04c4a02a95 Mon Sep 17 00:00:00 2001 From: Franck Nijhof Date: Mon, 25 Jan 2021 22:29:23 +0100 Subject: [PATCH 2/2] Remove Lua packages --- log-viewer/Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/log-viewer/Dockerfile b/log-viewer/Dockerfile index 3e41ed7..4ddd08c 100644 --- a/log-viewer/Dockerfile +++ b/log-viewer/Dockerfile @@ -8,8 +8,6 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Install requirements for add-on RUN \ apk add --no-cache \ - lua-resty-http=0.15-r0 \ - nginx-mod-http-lua=1.18.0-r13 \ nginx=1.18.0-r13 \ nodejs=14.15.4-r0 \ npm=14.15.4-r0 \