Refactor NGINX configuration and HA authentication

log-viewer/Dockerfile

@@ -8,8 +8,6 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # Install requirements for add-on
 RUN \
     apk add --no-cache \
-        lua-resty-http=0.15-r0 \
-        nginx-mod-http-lua=1.18.0-r13 \
         nginx=1.18.0-r13 \
         nodejs=14.15.4-r0 \
         npm=14.15.4-r0 \

log-viewer/config.json

@@ -6,12 +6,10 @@
   "url": "https://github.com/hassio-addons/addon-log-viewer",
   "init": false,
   "ingress": true,
-  "ingress_port": 1337,
   "panel_icon": "mdi:text-box-outline",
   "homeassistant": "0.92.0b2",
   "arch": ["aarch64", "amd64", "armhf", "armv7", "i386"],
   "homeassistant_api": true,
-  "hassio_api": true,
   "auth_api": true,
   "ports": {
     "80/tcp": null

log-viewer/rootfs/etc/cont-init.d/nginx.sh

@@ -3,34 +3,23 @@
 # Home Assistant Community Add-on: Log Viewer
 # Configures NGINX
 # ==============================================================================
-declare port
-declare certfile
-declare dns_host
-declare ingress_interface
-declare ingress_port
-declare keyfile
 
-port=$(bashio::addon.port 80)
-if bashio::var.has_value "${port}"; then
-    bashio::config.require.ssl
-
-    if bashio::config.true 'ssl'; then
-        certfile=$(bashio::config 'certfile')
-        keyfile=$(bashio::config 'keyfile')
-
-        mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
-        sed -i "s#%%certfile%%#${certfile}#g" /etc/nginx/servers/direct.conf
-        sed -i "s#%%keyfile%%#${keyfile}#g" /etc/nginx/servers/direct.conf
+# Generate Ingress configuration
+bashio::var.json \
+    interface "$(bashio::addon.ip_address)" \
+    | tempio \
+        -template /etc/nginx/templates/ingress.gtpl \
+        -out /etc/nginx/servers/ingress.conf
 
-    else
-        mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
-    fi
+# Generate direct access configuration, if enabled.
+if bashio::var.has_value "$(bashio::addon.port 80)"; then
+    bashio::config.require.ssl
+    bashio::var.json \
+        certfile "$(bashio::config 'certfile')" \
+        keyfile "$(bashio::config 'keyfile')" \
+        leave_front_door_open "^$(bashio::config 'leave_front_door_open')" \
+        ssl "^$(bashio::config 'ssl')" \
+        | tempio \
+            -template /etc/nginx/templates/direct.gtpl \
+            -out /etc/nginx/servers/direct.conf
 fi
-
-ingress_port=$(bashio::addon.ingress_port)
-ingress_interface=$(bashio::addon.ip_address)
-sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
-sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
-
-dns_host=$(bashio::dns.host)
-sed -i "s/%%dns_host%%/${dns_host}/g" /etc/nginx/includes/resolver.conf

log-viewer/rootfs/etc/nginx/nginx.conf

@@ -18,10 +18,6 @@ error_log /proc/1/fd/1 error;
 
 # Load allowed environment vars
 env SUPERVISOR_TOKEN;
-env DISABLE_HA_AUTHENTICATION;
-
-# Load dynamic modules.
-include /etc/nginx/modules/*.conf;
 
 # Max num of simultaneous connections by a worker process.
 events {
@@ -40,8 +36,6 @@ http {
     default_type            application/octet-stream;
     gzip                    on;
     keepalive_timeout       65;
-    lua_load_resty_core     off;
-    lua_shared_dict         auths 16k;
     sendfile                on;
     server_tokens           off;
     tcp_nodelay             on;
@@ -52,8 +46,6 @@ http {
         ''      close;
     }
 
-    include /etc/nginx/includes/resolver.conf;
     include /etc/nginx/includes/upstream.conf;
-
     include /etc/nginx/servers/*.conf;
 }

log-viewer/rootfs/etc/nginx/servers/.gitkeep

@@ -0,0 +1 @@
+Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)

log-viewer/rootfs/etc/nginx/templates/direct.gtpl

@@ -0,0 +1,36 @@
+server {
+    {{ if not .ssl }}
+    listen 80 default_server;
+    {{ else }}
+    listen 80 default_server ssl http2;
+    {{ end }}
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    {{ if .ssl }}
+    include /etc/nginx/includes/ssl_params.conf;
+
+    ssl_certificate /ssl/{{ .certfile }};
+    ssl_certificate_key /ssl/{{ .keyfile }};
+    {{ end }}
+
+    {{ if not .leave_front_door_open }}
+    location = /authentication {
+        internal;
+        proxy_pass              http://supervisor/auth;
+        proxy_pass_request_body off;
+        proxy_set_header        Content-Length "";
+        proxy_set_header        X-Supervisor-Token "{{ env "SUPERVISOR_TOKEN" }}";
+    }
+    {{ end }}
+
+    location / {
+        {{ if not .leave_front_door_open }}
+        auth_request /authentication;
+        auth_request_set $auth_status $upstream_status;
+        {{ end }}
+
+        proxy_pass http://backend;
+    }
+}

log-viewer/rootfs/etc/nginx/servers/direct.disabled → log-viewer/rootfs/etc/nginx/templates/ingress.gtpl

@@ -1,11 +1,13 @@
 server {
-    listen 80 default_server;
+    listen {{ .interface }}:8099 default_server;
 
     include /etc/nginx/includes/server_params.conf;
     include /etc/nginx/includes/proxy_params.conf;
 
     location / {
-        access_by_lua_file /etc/nginx/lua/ha-auth.lua;
+        allow   172.30.32.2;
+        deny    all;
+
         proxy_pass http://backend;
     }
 }

log-viewer/rootfs/etc/services.d/nginx/run

@@ -8,10 +8,4 @@
 bashio::net.wait_for 4277
 
 bashio::log.info "Starting NGinx..."
-
-# Disable HA Authentication if front door is open
-if bashio::config.true 'leave_front_door_open'; then
-    export DISABLE_HA_AUTHENTICATION=true
-fi
-
 exec nginx