Nginx templates

Jamie Curnow · Jamie Curnow · commit 724e89d308a8 · 2018-08-17T09:25:59.000+10:00
diff --git a/src/backend/index.js b/src/backend/index.js
@@ -5,11 +5,11 @@
 const logger = require('./logger').global;
 
 function appStart () {
-    const migrate      = require('./migrate');
-    const setup        = require('./setup');
-    const app          = require('./app');
-    const apiValidator = require('./lib/validator/api');
-    const internalSsl  = require('./internal/ssl');
+    const migrate             = require('./migrate');
+    const setup               = require('./setup');
+    const app                 = require('./app');
+    const apiValidator        = require('./lib/validator/api');
+    const internalCertificate = require('./internal/certificate');
 
     return migrate.latest()
         .then(() => {
@@ -20,7 +20,7 @@ function appStart () {
         })
         .then(() => {
 
-            internalSsl.initTimer();
+            internalCertificate.initTimer();
 
             const server = app.listen(81, () => {
                 logger.info('PID ' + process.pid + ' listening on port 81 ...');
diff --git a/src/backend/internal/certificate.js b/src/backend/internal/certificate.js
@@ -18,7 +18,43 @@ function omissions () {
 
 const internalCertificate = {
 
-    allowed_ssl_files: ['certificate', 'certificate_key', 'intermediate_certificate'],
+    allowed_ssl_files:   ['certificate', 'certificate_key', 'intermediate_certificate'],
+    interval_timeout:    1000 * 60 * 60 * 12, // 12 hours
+    interval:            null,
+    interval_processing: false,
+
+    initTimer: () => {
+        logger.info('Let\'s Encrypt Renewal Timer initialized');
+        internalCertificate.interval = setInterval(internalCertificate.processExpiringHosts, internalCertificate.interval_timeout);
+    },
+
+    /**
+     * Triggered by a timer, this will check for expiring hosts and renew their ssl certs if required
+     */
+    processExpiringHosts: () => {
+        let internalNginx = require('./nginx');
+
+        if (!internalCertificate.interval_processing) {
+            internalCertificate.interval_processing = true;
+            logger.info('Renewing SSL certs close to expiry...');
+
+            return utils.exec(certbot_command + ' renew -q ' + (debug_mode ? '--staging' : ''))
+                .then(result => {
+                    logger.info(result);
+                    internalCertificate.interval_processing = false;
+
+                    return internalNginx.reload()
+                        .then(() => {
+                            logger.info('Renew Complete');
+                            return result;
+                        });
+                })
+                .catch(err => {
+                    logger.error(err);
+                    internalCertificate.interval_processing = false;
+                });
+        }
+    },
 
     /**
      * @param   {Access}  access
@@ -493,7 +529,7 @@ const internalCertificate = {
      * @returns {Promise}
      */
     requestLetsEncryptSsl: certificate => {
-        logger.info('Requesting Let\'sEncrypt certificates for Cert #' + certificate.id  + ': ' + certificate.domain_names.join(', '));
+        logger.info('Requesting Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
         return utils.exec(certbot_command + ' certonly --cert-name "npm-' + certificate.id + '" --agree-tos ' +
             '--email "' + certificate.meta.letsencrypt_email + '" ' +
@@ -511,14 +547,24 @@ const internalCertificate = {
      * @returns {Promise}
      */
     renewLetsEncryptSsl: certificate => {
-        logger.info('Renewing Let\'sEncrypt certificates for Cert #' + certificate.id  + ': ' + certificate.domain_names.join(', '));
+        logger.info('Renewing Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
         return utils.exec(certbot_command + ' renew -n --force-renewal --disable-hook-validation --cert-name "npm-' + certificate.id + '" ' + (debug_mode ? '--staging' : ''))
             .then(result => {
                 logger.info(result);
                 return result;
             });
     },
+
+    /**
+     * @param   {Object}  certificate
+     * @returns {Boolean}
+     */
+    hasLetsEncryptSslCerts: certificate => {
+        let le_path = '/etc/letsencrypt/live/npm-' + certificate.id;
+
+        return fs.existsSync(le_path + '/fullchain.pem') && fs.existsSync(le_path + '/privkey.pem');
+    }
 };
 
 module.exports = internalCertificate;
diff --git a/src/backend/internal/nginx.js b/src/backend/internal/nginx.js
@@ -1,13 +1,13 @@
 'use strict';
 
-const _           = require('lodash');
-const fs          = require('fs');
-const Liquid      = require('liquidjs');
-const logger      = require('../logger').nginx;
-const utils       = require('../lib/utils');
-const error       = require('../lib/error');
-const internalSsl = require('./ssl');
-const debug_mode  = process.env.NODE_ENV !== 'production';
+const _                   = require('lodash');
+const fs                  = require('fs');
+const Liquid              = require('liquidjs');
+const logger              = require('../logger').nginx;
+const utils               = require('../lib/utils');
+const error               = require('../lib/error');
+const internalCertificate = require('./certificate');
+const debug_mode          = process.env.NODE_ENV !== 'production';
 
 const internalNginx = {
 
@@ -32,11 +32,6 @@ const internalNginx = {
                 // We're deleting this config regardless.
                 return internalNginx.deleteConfig(host_type, host); // Don't throw errors, as the file may not exist at all
             })
-            .then(() => {
-                if (host.ssl && !internalSsl.hasValidSslCerts(host_type, host)) {
-                    return internalSsl.configureSsl(host_type, host);
-                }
-            })
             .then(() => {
                 return internalNginx.generateConfig(host_type, host);
             })
@@ -56,7 +51,6 @@ const internalNginx = {
                             });
                     })
                     .catch(err => {
-
                         if (debug_mode) {
                             logger.error('Nginx test failed:', err.message);
                         }
diff --git a/src/backend/internal/ssl.js b/src/backend/internal/ssl.js
diff --git a/src/backend/templates/_assets.conf b/src/backend/templates/_assets.conf
@@ -0,0 +1,4 @@
+{% if caching_enabled == 1 or caching_enabled == true -%}
+  # Asset Caching
+  include conf.d/include/assets.conf;
+{%- endif %}
diff --git a/src/backend/templates/_certificates.conf b/src/backend/templates/_certificates.conf
@@ -0,0 +1,12 @@
+{%- if certificate and certificate_id > 0 -%}
+{%- if certificate.provider == "letsencrypt" %}
+  # Let's Encrypt SSL
+  include conf.d/include/letsencrypt-acme-challenge.conf;
+  include conf.d/include/ssl-ciphers.conf;
+  ssl_certificate /etc/letsencrypt/live/npm-{{ certificate.id }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate.id }}/privkey.pem;
+{%- endif -%}
+
+  # TODO: Custom SSL paths
+
+{%- endif %}
diff --git a/src/backend/templates/_exploits.conf b/src/backend/templates/_exploits.conf
@@ -0,0 +1,4 @@
+{% if block_exploits == 1 or block_exploits == true -%}
+  # Block Exploits
+  include conf.d/include/block-exploits.conf;
+{%- endif -%}
diff --git a/src/backend/templates/_forced_ssl.conf b/src/backend/templates/_forced_ssl.conf
@@ -0,0 +1,6 @@
+{%- if certificate and certificate_id > 0 -%}
+{%- if ssl_forced == 1 or ssl_forced == true -%}
+    # Force SSL
+    include conf.d/include/force-ssl.conf;
+{%- endif -%}
+{%- endif %}
diff --git a/src/backend/templates/_header_comment.conf b/src/backend/templates/_header_comment.conf
@@ -0,0 +1,3 @@
+# ------------------------------------------------------------
+# {{ domain_names | join: ", " }}
+# ------------------------------------------------------------
diff --git a/src/backend/templates/_listen.conf b/src/backend/templates/_listen.conf
@@ -0,0 +1,5 @@
+  listen 80;
+{%- if certificate -%}
+  listen 443 ssl;
+{%- endif %}
+  server_name {{ domain_names | join: " " }};
diff --git a/src/backend/templates/dead_host.conf b/src/backend/templates/dead_host.conf
@@ -1,21 +1,10 @@
-# {{ domain_names | join: ", " }}
+{% include "_header_comment.conf" %}
+
 server {
-  listen 80;
-  {%- if ssl_enabled == 1 or ssl_enabled == true -%}
-  listen 443 ssl;
-  {%- endif %}
-  server_name {{ domain_names | join: " " }};
-  access_log /data/logs/proxy_host-{{ id }}.log proxy;
+  {% include "_listen.conf" %}
+  {% include "_certificates.conf" %}
 
-  {%- if ssl_enabled == 1 or ssl_enabled == true -%}
-  {%- if ssl_provider == "letsencrypt" %}
-  # Let's Encrypt SSL
-  include conf.d/include/letsencrypt-acme-challenge.conf;
-  include conf.d/include/ssl-ciphers.conf;
-  ssl_certificate /etc/letsencrypt/live/proxy_host-{{ id }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/proxy_host-{{ id }}/privkey.pem;
-  {%- endif -%}
-  {%- endif %}
+  access_log /data/logs/dead_host-{{ id }}.log proxy;
 
   # TODO: Advanced config options
 
diff --git a/src/backend/templates/letsencrypt.conf b/src/backend/templates/letsencrypt.conf
diff --git a/src/backend/templates/proxy_host.conf b/src/backend/templates/proxy_host.conf
diff --git a/src/backend/templates/redirection_host.conf b/src/backend/templates/redirection_host.conf
diff --git a/src/backend/templates/stream.conf b/src/backend/templates/stream.conf

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# ------------------------------------------------------------`
	`2`	`+# {{ domain_names \| join: ", " }}`
	`3`	`+# ------------------------------------------------------------`