Support for upstream ssl proxy hosts

Author: jc21

docker-compose.yml

@@ -11,6 +11,7 @@ services:
       - NODE_ENV=development
       - FORCE_COLOR=1
     volumes:
+      - ./data:/data
       - ./data/letsencrypt:/etc/letsencrypt
       - .:/app
       - ./rootfs/etc/nginx:/etc/nginx

rootfs/etc/nginx/conf.d/default.conf

@@ -8,8 +8,9 @@ server {
 
   include conf.d/include/block-exploits.conf;
 
-  set $server 127.0.0.1;
-  set $port   81;
+  set $forward_scheme http;
+  set $server         127.0.0.1;
+  set $port           81;
 
   ___location /health {
     access_log  off;

rootfs/etc/nginx/conf.d/include/proxy.conf

@@ -3,4 +3,4 @@ proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Scheme $scheme;
 proxy_set_header X-Forwarded-Proto  $scheme;
 proxy_set_header X-Forwarded-For    $remote_addr;
-proxy_pass       http://$server:$port;
+proxy_pass       $forward_scheme://$server:$port;

rootfs/etc/nginx/nginx.conf

@@ -54,6 +54,11 @@ http {
   # Dynamically generated resolvers file
   include /etc/nginx/conf.d/include/resolvers.conf;
 
+  # Default upstream scheme
+  map $host $forward_scheme {
+    default http;
+  }
+
   # Files generated by NPM
   include /etc/nginx/conf.d/*.conf;
   include /data/nginx/proxy_host/*.conf;

src/backend/internal/proxy-host.js

@@ -48,6 +48,11 @@ const internalProxyHost = {
                 // At this point the domains should have been checked
                 data.owner_user_id = access.token.getUserId(1);
 
+                // Ignoring upstream ssl errors only applies when upstream scheme is https
+                if (data.forward_scheme === 'http') {
+                    data.ignore_invalid_upstream_ssl = false;
+                }
+
                 return proxyHostModel
                     .query()
                     .omit(omissions())
@@ -163,7 +168,12 @@ const internalProxyHost = {
                 // Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
                 data = _.assign({}, {
                     domain_names: row.domain_names
-                },data);
+                }, data);
+
+                // Ignoring upstream ssl errors only applies when upstream scheme is https
+                if (typeof data.forward_scheme !== 'undefined' && data.forward_scheme === 'http') {
+                    data.ignore_invalid_upstream_ssl = false;
+                }
 
                 return proxyHostModel
                     .query()

src/backend/migrations/20181213013211_forward_scheme.js

@@ -0,0 +1,37 @@
+'use strict';
+
+const migrate_name = 'forward_scheme';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @param   {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+    logger.info('[' + migrate_name + '] Migrating Up...');
+
+    return knex.schema.table('proxy_host', function (proxy_host) {
+        proxy_host.string('forward_scheme').notNull().defaultTo('http');
+        proxy_host.integer('ignore_invalid_upstream_ssl').notNull().unsigned().defaultTo(0);
+    })
+        .then(() => {
+            logger.info('[' + migrate_name + '] proxy_host Table altered');
+        });
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object}  knex
+ * @param   {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex, Promise) {
+    logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+    return Promise.resolve(true);
+};

src/backend/schema/endpoints/proxy-hosts.json

@@ -18,6 +18,10 @@
     "domain_names": {
       "$ref": "../definitions.json#/definitions/domain_names"
     },
+    "forward_scheme": {
+      "type": "string",
+      "enum": ["http", "https"]
+    },
     "forward_host": {
       "type": "string",
       "minLength": 1,
@@ -48,6 +52,11 @@
       "example": true,
       "type": "boolean"
     },
+    "ignore_invalid_upstream_ssl": {
+      "description": "Ignore invalid upstream SSL certificates",
+      "example": true,
+      "type": "boolean"
+    },
     "access_list_id": {
       "$ref": "../definitions.json#/definitions/access_list_id"
     },
@@ -71,6 +80,9 @@
     "domain_names": {
       "$ref": "#/definitions/domain_names"
     },
+    "forward_scheme": {
+      "$ref": "#/definitions/forward_scheme"
+    },
     "forward_host": {
       "$ref": "#/definitions/forward_host"
     },
@@ -95,6 +107,9 @@
     "allow_websocket_upgrade": {
       "$ref": "#/definitions/allow_websocket_upgrade"
     },
+    "ignore_invalid_upstream_ssl": {
+      "$ref": "#/definitions/ignore_invalid_upstream_ssl"
+    },
     "access_list_id": {
       "$ref": "#/definitions/access_list_id"
     },
@@ -138,13 +153,17 @@
         "additionalProperties": false,
         "required": [
           "domain_names",
+          "forward_scheme",
           "forward_host",
           "forward_port"
         ],
         "properties": {
           "domain_names": {
             "$ref": "#/definitions/domain_names"
           },
+          "forward_scheme": {
+            "$ref": "#/definitions/forward_scheme"
+          },
           "forward_host": {
             "$ref": "#/definitions/forward_host"
           },
@@ -169,6 +188,9 @@
           "allow_websocket_upgrade": {
             "$ref": "#/definitions/allow_websocket_upgrade"
           },
+          "ignore_invalid_upstream_ssl": {
+            "$ref": "#/definitions/ignore_invalid_upstream_ssl"
+          },
           "access_list_id": {
             "$ref": "#/definitions/access_list_id"
           },
@@ -203,6 +225,9 @@
           "domain_names": {
             "$ref": "#/definitions/domain_names"
           },
+          "forward_scheme": {
+            "$ref": "#/definitions/forward_scheme"
+          },
           "forward_host": {
             "$ref": "#/definitions/forward_host"
           },
@@ -227,6 +252,9 @@
           "allow_websocket_upgrade": {
             "$ref": "#/definitions/allow_websocket_upgrade"
           },
+          "ignore_invalid_upstream_ssl": {
+            "$ref": "#/definitions/ignore_invalid_upstream_ssl"
+          },
           "access_list_id": {
             "$ref": "#/definitions/access_list_id"
           },

src/backend/templates/proxy_host.conf

@@ -1,8 +1,9 @@
 {% include "_header_comment.conf" %}
 
 server {
-  set $server "{{ forward_host }}";
-  set $port   {{ forward_port }};
+  set $forward_scheme {{ forward_scheme }};
+  set $server         "{{ forward_host }}";
+  set $port           {{ forward_port }};
 
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}

src/frontend/js/app/nginx/dead/form.js

@@ -83,7 +83,7 @@ module.exports = Mn.View.extend({
 
                 data.meta.letsencrypt_agree = data.meta.letsencrypt_agree === '1';
             } else {
-                data.certificate_id = parseInt(data.certificate_id, 0);
+                data.certificate_id = parseInt(data.certificate_id, 10);
             }
 
             let method = App.Api.Nginx.DeadHosts.create;

src/frontend/js/app/nginx/proxy/form.ejs

@@ -20,7 +20,16 @@
                                 <input type="text" name="domain_names" class="form-control" id="input-domains" value="<%- domain_names.join(',') %>" required>
                             </div>
                         </div>
-                        <div class="col-sm-8 col-md-8">
+                        <div class="col-sm-3 col-md-3">
+                            <div class="form-group">
+                                <label class="form-label"><%- i18n('proxy-hosts', 'forward-scheme') %><span class="form-required">*</span></label>
+                                <select name="forward_scheme" class="form-control custom-select" placeholder="http">
+                                    <option value="http" <%- forward_scheme === 'http' ? 'selected' : '' %>>http</option>
+                                    <option value="https" <%- forward_scheme === 'https' ? 'selected' : '' %>>https</option>
+                                </select>
+                            </div>
+                        </div>
+                        <div class="col-sm-5 col-md-5">
                             <div class="form-group">
                                 <label class="form-label"><%- i18n('proxy-hosts', 'forward-host') %><span class="form-required">*</span></label>
                                 <input type="text" name="forward_host" class="form-control text-monospace" placeholder="" value="<%- forward_host %>" autocomplete="off" maxlength="50" required>
@@ -50,7 +59,7 @@
                                 </label>
                             </div>
                         </div>
-                        <div class="col-sm-12 col-md-12">
+                        <div class="col-sm-6 col-md-6">
                             <div class="form-group">
                                 <label class="custom-switch">
                                     <input type="checkbox" class="custom-switch-input" name="allow_websocket_upgrade" value="1"<%- allow_websocket_upgrade ? ' checked' : '' %>>
@@ -59,6 +68,17 @@
                                 </label>
                             </div>
                         </div>
+
+                        <div class="col-sm-6 col-md-6">
+                            <div class="form-group">
+                                <label class="custom-switch">
+                                    <input type="checkbox" class="custom-switch-input" name="ignore_invalid_upstream_ssl" value="1"<%- ignore_invalid_upstream_ssl ? ' checked' : '' %>>
+                                    <span class="custom-switch-indicator"></span>
+                                    <span class="custom-switch-description"><%- i18n('proxy-hosts', 'ignore-invalid-upstream-ssl') %></span>
+                                </label>
+                            </div>
+                        </div>
+
                         <div class="col-sm-12 col-md-12">
                             <div class="form-group">
                                 <label class="form-label"><%- i18n('proxy-hosts', 'access-list') %></label>