From ad5936c530db6748bd292ee3954e980926091a34 Mon Sep 17 00:00:00 2001 From: nwagenmakers <61746683+nwagenmakers@users.noreply.github.com> Date: Sat, 1 Feb 2025 13:10:53 +0100 Subject: [PATCH 01/11] Update certbot-dns-plugins.json (mijn-host) Updated credentials hint/text in mijn-host plugin entry --- global/certbot-dns-plugins.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/global/certbot-dns-plugins.json b/global/certbot-dns-plugins.json index bb0682a01..01d3bd51a 100644 --- a/global/certbot-dns-plugins.json +++ b/global/certbot-dns-plugins.json @@ -364,7 +364,7 @@ "package_name": "certbot-dns-mijn-host", "version": "~=0.0.4", "dependencies": "", - "credentials": "dns-mijn-host-credentials = /etc/letsencrypt/mijnhost-credentials.ini", + "credentials": "dns_mijn_host_api_key=0123456789abcdef0123456789abcdef", "full_plugin_name": "dns-mijn-host" }, "namecheap": { @@ -535,4 +535,4 @@ "credentials": "edgedns_client_secret = as3d1asd5d1a32sdfsdfs2d1asd5=\nedgedns_host = sdflskjdf-dfsdfsdf-sdfsdfsdf.luna.akamaiapis.net\nedgedns_access_token = kjdsi3-34rfsdfsdf-234234fsdfsdf\nedgedns_client_token = dkfjdf-342fsdfsd-23fsdfsdfsdf", "full_plugin_name": "edgedns" } -} \ No newline at end of file +} From 57cd2a19198e7f7589529f477c4ed5dbfe1d26b5 Mon Sep 17 00:00:00 2001 From: Sander Jochems Date: Mon, 3 Feb 2025 21:47:41 +0100 Subject: [PATCH 02/11] Fix type for token.expires --- backend/schema/components/token-object.json | 7 +++---- backend/schema/paths/tokens/get.json | 2 +- backend/schema/paths/tokens/post.json | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/backend/schema/components/token-object.json b/backend/schema/components/token-object.json index a7044bce9..6ec4e4348 100644 --- a/backend/schema/components/token-object.json +++ b/backend/schema/components/token-object.json @@ -5,10 +5,9 @@ "additionalProperties": false, "properties": { "expires": { - "description": "Token Expiry Unix Time", - "example": 1566540249, - "minimum": 1, - "type": "number" + "description": "Token Expiry ISO Time String", + "example": "2025-02-04T20:40:46.340Z", + "type": "string" }, "token": { "description": "JWT Token", diff --git a/backend/schema/paths/tokens/get.json b/backend/schema/paths/tokens/get.json index 859bc61a4..ef842eafe 100644 --- a/backend/schema/paths/tokens/get.json +++ b/backend/schema/paths/tokens/get.json @@ -15,7 +15,7 @@ "examples": { "default": { "value": { - "expires": 1566540510, + "expires": "2025-02-04T20:40:46.340Z", "token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4" } } diff --git a/backend/schema/paths/tokens/post.json b/backend/schema/paths/tokens/post.json index dece6b656..99703ff0d 100644 --- a/backend/schema/paths/tokens/post.json +++ b/backend/schema/paths/tokens/post.json @@ -38,7 +38,7 @@ "default": { "value": { "result": { - "expires": 1566540510, + "expires": "2025-02-04T20:40:46.340Z", "token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4" } } From 3091c21caef3fc68fefb105b26ef7cb11e5ef1a9 Mon Sep 17 00:00:00 2001 From: jbowring Date: Sun, 24 Mar 2024 17:11:04 +0000 Subject: [PATCH 03/11] Add SSL certificate to TCP streams if certificate in database --- backend/templates/_certificates.conf | 1 + backend/templates/_certificates_stream.conf | 13 +++++++++++++ backend/templates/stream.conf | 8 +++++--- .../etc/nginx/conf.d/include/ssl-cache-stream.conf | 2 ++ .../rootfs/etc/nginx/conf.d/include/ssl-cache.conf | 2 ++ .../etc/nginx/conf.d/include/ssl-ciphers.conf | 3 --- 6 files changed, 23 insertions(+), 6 deletions(-) create mode 100644 backend/templates/_certificates_stream.conf create mode 100644 docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf create mode 100644 docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf diff --git a/backend/templates/_certificates.conf b/backend/templates/_certificates.conf index 06ca7bb87..efcca5cd5 100644 --- a/backend/templates/_certificates.conf +++ b/backend/templates/_certificates.conf @@ -2,6 +2,7 @@ {% if certificate.provider == "letsencrypt" %} # Let's Encrypt SSL include conf.d/include/letsencrypt-acme-challenge.conf; + include conf.d/include/ssl-cache.conf; include conf.d/include/ssl-ciphers.conf; ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem; diff --git a/backend/templates/_certificates_stream.conf b/backend/templates/_certificates_stream.conf new file mode 100644 index 000000000..b213cf666 --- /dev/null +++ b/backend/templates/_certificates_stream.conf @@ -0,0 +1,13 @@ +{% if certificate and certificate_id > 0 -%} +{% if certificate.provider == "letsencrypt" %} + # Let's Encrypt SSL + include conf.d/include/ssl-cache-stream.conf; + include conf.d/include/ssl-ciphers.conf; + ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem; +{% else %} + # Custom SSL + ssl_certificate /data/custom_ssl/npm-{{ certificate_id }}/fullchain.pem; + ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem; +{% endif %} +{% endif %} diff --git a/backend/templates/stream.conf b/backend/templates/stream.conf index 76159a646..8345699c4 100644 --- a/backend/templates/stream.conf +++ b/backend/templates/stream.conf @@ -5,13 +5,15 @@ {% if enabled %} {% if tcp_forwarding == 1 or tcp_forwarding == true -%} server { - listen {{ incoming_port }}; + listen {{ incoming_port }}{% if certificate %} ssl{% endif %}; {% if ipv6 -%} - listen [::]:{{ incoming_port }}; + listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %}; {% else -%} - #listen [::]:{{ incoming_port }}; + #listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %}; {% endif %} +{% include "_certificates_stream.conf" %} + proxy_pass {{ forwarding_host }}:{{ forwarding_port }}; # Custom diff --git a/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf new file mode 100644 index 000000000..433555dfa --- /dev/null +++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf @@ -0,0 +1,2 @@ +ssl_session_timeout 5m; +ssl_session_cache shared:SSL_stream:50m; diff --git a/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf new file mode 100644 index 000000000..aa7ba2cb7 --- /dev/null +++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf @@ -0,0 +1,2 @@ +ssl_session_timeout 5m; +ssl_session_cache shared:SSL:50m; diff --git a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf index 233abb6e9..b5dacfb57 100644 --- a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf +++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf @@ -1,6 +1,3 @@ -ssl_session_timeout 5m; -ssl_session_cache shared:SSL:50m; - # intermediate configuration. tweak to your needs. ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; From 3dbc70faa6619d3918a2528f9ac9f632116c2450 Mon Sep 17 00:00:00 2001 From: jbowring Date: Sun, 24 Mar 2024 19:01:24 +0000 Subject: [PATCH 04/11] Add SSL tab to stream UI --- frontend/js/app/nginx/stream/form.ejs | 213 +++++++++++++++++++++----- frontend/js/app/nginx/stream/form.js | 167 ++++++++++++++++++-- frontend/js/i18n/messages.json | 3 +- frontend/js/models/stream.js | 5 +- 4 files changed, 336 insertions(+), 52 deletions(-) diff --git a/frontend/js/app/nginx/stream/form.ejs b/frontend/js/app/nginx/stream/form.ejs index 1fc4f1342..800945f36 100644 --- a/frontend/js/app/nginx/stream/form.ejs +++ b/frontend/js/app/nginx/stream/form.ejs @@ -3,48 +3,187 @@
<%- i18n('streams', 'form-title', {id: id}) %>
-
+
+
-
-
-
- - + +
+ +
+
+
+
+ + +
+
+
+
+ + +
+
+
+
+ + +
+
+
+
+ +
+
+
+
+ +
+
+
+
<%- i18n('streams', 'forward-type-error') %>
+
-
-
- - + + +
+
+
+
+ + +
+
+ + +
+
+ + +
+
+ +
+
+
+
+
<%= i18n('ssl', 'certbot-warning') %>
+ + +
+
+
+ + +
+
+
+ + +
+
+
+ + +
+ + <%= i18n('ssl', 'credentials-file-content-info') %> +
+
+ + <%= i18n('ssl', 'stored-as-plaintext-info') %> +
+
+
+
+ + +
+
+
+ + +
+ + <%= i18n('ssl', 'propagation-seconds-info') %> +
+
+
+
+
+
+ + +
+
+ + +
+
+
+
+ +
+
-
-
- - -
-
-
-
- -
-
-
-
- -
-
-
-
<%- i18n('streams', 'forward-type-error') %>
-
diff --git a/frontend/js/app/nginx/stream/form.js b/frontend/js/app/nginx/stream/form.js index be8fc8bc2..cd012f9b0 100644 --- a/frontend/js/app/nginx/stream/form.js +++ b/frontend/js/app/nginx/stream/form.js @@ -1,24 +1,38 @@ -const Mn = require('backbone.marionette'); -const App = require('../../main'); -const StreamModel = require('../../../models/stream'); -const template = require('./form.ejs'); +const Mn = require('backbone.marionette'); +const App = require('../../main'); +const StreamModel = require('../../../models/stream'); +const template = require('./form.ejs'); +const dns_providers = require('../../../../../global/certbot-dns-plugins'); require('jquery-serializejson'); require('jquery-mask-plugin'); require('selectize'); +const Helpers = require("../../../lib/helpers"); +const certListItemTemplate = require("../certificates-list-item.ejs"); +const i18n = require("../../i18n"); module.exports = Mn.View.extend({ template: template, className: 'modal-dialog', ui: { - form: 'form', - forwarding_host: 'input[name="forwarding_host"]', - type_error: '.forward-type-error', - buttons: '.modal-footer button', - switches: '.custom-switch-input', - cancel: 'button.cancel', - save: 'button.save' + form: 'form', + forwarding_host: 'input[name="forwarding_host"]', + type_error: '.forward-type-error', + buttons: '.modal-footer button', + switches: '.custom-switch-input', + cancel: 'button.cancel', + save: 'button.save', + le_error_info: '#le-error-info', + certificate_select: 'select[name="certificate_id"]', + domain_names: 'input[name="domain_names"]', + dns_challenge_switch: 'input[name="meta[dns_challenge]"]', + dns_challenge_content: '.dns-challenge', + dns_provider: 'select[name="meta[dns_provider]"]', + credentials_file_content: '.credentials-file-content', + dns_provider_credentials: 'textarea[name="meta[dns_provider_credentials]"]', + propagation_seconds: 'input[name="meta[propagation_seconds]"]', + letsencrypt: '.letsencrypt' }, events: { @@ -48,6 +62,35 @@ module.exports = Mn.View.extend({ data.tcp_forwarding = !!data.tcp_forwarding; data.udp_forwarding = !!data.udp_forwarding; + if (typeof data.meta === 'undefined') data.meta = {}; + data.meta.letsencrypt_agree = data.meta.letsencrypt_agree == 1; + data.meta.dns_challenge = true; + + if (data.meta.propagation_seconds === '') data.meta.propagation_seconds = undefined; + + if (typeof data.domain_names === 'string' && data.domain_names) { + data.domain_names = data.domain_names.split(','); + } + + // Check for any domain names containing wildcards, which are not allowed with letsencrypt + if (data.certificate_id === 'new') { + let domain_err = false; + if (!data.meta.dns_challenge) { + data.domain_names.map(function (name) { + if (name.match(/\*/im)) { + domain_err = true; + } + }); + } + + if (domain_err) { + alert(i18n('ssl', 'no-wildcard-without-dns')); + return; + } + } else { + data.certificate_id = parseInt(data.certificate_id, 10); + } + let method = App.Api.Nginx.Streams.create; let is_new = true; @@ -70,10 +113,108 @@ module.exports = Mn.View.extend({ }); }) .catch(err => { - alert(err.message); + let more_info = ''; + if (err.code === 500 && err.debug) { + try { + more_info = JSON.parse(err.debug).debug.stack.join("\n"); + } catch (e) { + } + } + this.ui.le_error_info[0].innerHTML = `${err.message}${more_info !== '' ? `
${more_info}
` : ''}`; + this.ui.le_error_info.show(); + this.ui.le_error_info[0].scrollIntoView(); this.ui.buttons.prop('disabled', false).removeClass('btn-disabled'); + this.ui.save.removeClass('btn-loading'); }); - } + }, + + 'change @ui.certificate_select': function () { + let id = this.ui.certificate_select.val(); + if (id === 'new') { + this.ui.letsencrypt.show().find('input').prop('disabled', false); + this.ui.domain_names.prop('required', 'required'); + + this.ui.dns_challenge_switch + .prop('disabled', true) + .parents('.form-group') + .css('opacity', 0.5); + + this.ui.dns_provider.prop('required', 'required'); + const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value; + if (selected_provider != '' && dns_providers[selected_provider].credentials !== false) { + this.ui.dns_provider_credentials.prop('required', 'required'); + } + this.ui.dns_challenge_content.show(); + } else { + this.ui.letsencrypt.hide().find('input').prop('disabled', true); + } + }, + + 'change @ui.dns_provider': function () { + const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value; + if (selected_provider != '' && dns_providers[selected_provider].credentials !== false) { + this.ui.dns_provider_credentials.prop('required', 'required'); + this.ui.dns_provider_credentials[0].value = dns_providers[selected_provider].credentials; + this.ui.credentials_file_content.show(); + } else { + this.ui.dns_provider_credentials.prop('required', false); + this.ui.credentials_file_content.hide(); + } + }, + }, + + templateContext: { + getLetsencryptEmail: function () { + return App.Cache.User.get('email'); + }, + getDnsProvider: function () { + return typeof this.meta.dns_provider !== 'undefined' && this.meta.dns_provider != '' ? this.meta.dns_provider : null; + }, + getDnsProviderCredentials: function () { + return typeof this.meta.dns_provider_credentials !== 'undefined' ? this.meta.dns_provider_credentials : ''; + }, + getPropagationSeconds: function () { + return typeof this.meta.propagation_seconds !== 'undefined' ? this.meta.propagation_seconds : ''; + }, + dns_plugins: dns_providers, + }, + + onRender: function () { + let view = this; + + // Certificates + this.ui.le_error_info.hide(); + this.ui.dns_challenge_content.hide(); + this.ui.credentials_file_content.hide(); + this.ui.letsencrypt.hide(); + this.ui.certificate_select.selectize({ + valueField: 'id', + labelField: 'nice_name', + searchField: ['nice_name', 'domain_names'], + create: false, + preload: true, + allowEmptyOption: true, + render: { + option: function (item) { + item.i18n = App.i18n; + item.formatDbDate = Helpers.formatDbDate; + return certListItemTemplate(item); + } + }, + load: function (query, callback) { + App.Api.Nginx.Certificates.getAll() + .then(rows => { + callback(rows); + }) + .catch(err => { + console.error(err); + callback(); + }); + }, + onLoad: function () { + view.ui.certificate_select[0].selectize.setValue(view.model.get('certificate_id')); + } + }); }, initialize: function (options) { diff --git a/frontend/js/i18n/messages.json b/frontend/js/i18n/messages.json index 0bbde4541..5aabbb0ce 100644 --- a/frontend/js/i18n/messages.json +++ b/frontend/js/i18n/messages.json @@ -179,7 +179,8 @@ "delete-confirm": "Are you sure you want to delete this Stream?", "help-title": "What is a Stream?", "help-content": "A relatively new feature for Nginx, a Stream will serve to forward TCP/UDP traffic directly to another computer on the network.\nIf you're running game servers, FTP or SSH servers this can come in handy.", - "search": "Search Incoming Port…" + "search": "Search Incoming Port…", + "ssl-certificate": "SSL Certificate for TCP Forwarding" }, "certificates": { "title": "SSL Certificates", diff --git a/frontend/js/models/stream.js b/frontend/js/models/stream.js index ba035429a..390c4fb05 100644 --- a/frontend/js/models/stream.js +++ b/frontend/js/models/stream.js @@ -15,8 +15,11 @@ const model = Backbone.Model.extend({ udp_forwarding: false, enabled: true, meta: {}, + certificate_id: 0, + domain_names: [], // The following are expansions: - owner: null + owner: null, + certificate: null }; } }); From ee4250d770f7b9792e201107ef96798d4543a0da Mon Sep 17 00:00:00 2001 From: jbowring Date: Sat, 27 Apr 2024 15:49:23 +0100 Subject: [PATCH 05/11] Add SSL column to streams table UI --- frontend/js/app/nginx/stream/list/item.ejs | 8 +++++++- frontend/js/app/nginx/stream/list/main.ejs | 1 + frontend/js/i18n/messages.json | 3 ++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/frontend/js/app/nginx/stream/list/item.ejs b/frontend/js/app/nginx/stream/list/item.ejs index 2b4cb626b..936247ef8 100644 --- a/frontend/js/app/nginx/stream/list/item.ejs +++ b/frontend/js/app/nginx/stream/list/item.ejs @@ -16,7 +16,10 @@
- <% if (tcp_forwarding) { %> + <% if (certificate) { %> + <%- i18n('streams', 'tcp+ssl') %> + <% } + else if (tcp_forwarding) { %> <%- i18n('streams', 'tcp') %> <% } if (udp_forwarding) { %> @@ -24,6 +27,9 @@ <% } %>
+ +
<%- certificate && certificate_id ? i18n('ssl', certificate.provider) : i18n('all-hosts', 'none') %>
+ <% var o = isOnline(); diff --git a/frontend/js/app/nginx/stream/list/main.ejs b/frontend/js/app/nginx/stream/list/main.ejs index 5304f6145..57ab6b2ad 100644 --- a/frontend/js/app/nginx/stream/list/main.ejs +++ b/frontend/js/app/nginx/stream/list/main.ejs @@ -3,6 +3,7 @@ <%- i18n('streams', 'incoming-port') %> <%- i18n('str', 'destination') %> <%- i18n('streams', 'protocol') %> + <%- i18n('str', 'ssl') %> <%- i18n('str', 'status') %> <% if (canManage) { %>   diff --git a/frontend/js/i18n/messages.json b/frontend/js/i18n/messages.json index 5aabbb0ce..aa42cbbd8 100644 --- a/frontend/js/i18n/messages.json +++ b/frontend/js/i18n/messages.json @@ -180,7 +180,8 @@ "help-title": "What is a Stream?", "help-content": "A relatively new feature for Nginx, a Stream will serve to forward TCP/UDP traffic directly to another computer on the network.\nIf you're running game servers, FTP or SSH servers this can come in handy.", "search": "Search Incoming Port…", - "ssl-certificate": "SSL Certificate for TCP Forwarding" + "ssl-certificate": "SSL Certificate for TCP Forwarding", + "tcp+ssl": "TCP+SSL" }, "certificates": { "title": "SSL Certificates", From cd80cc8e4db0edcd482ce8fe99be2c21e589a473 Mon Sep 17 00:00:00 2001 From: jbowring Date: Sun, 2 Jun 2024 20:03:28 +0100 Subject: [PATCH 06/11] Add certificate to streams database model --- backend/internal/stream.js | 99 ++++++++++++++++--- .../migrations/20240427161436_stream_ssl.js | 38 +++++++ backend/models/stream.js | 25 +++-- frontend/js/app/nginx/stream/main.js | 2 +- 4 files changed, 142 insertions(+), 22 deletions(-) create mode 100644 backend/migrations/20240427161436_stream_ssl.js diff --git a/backend/internal/stream.js b/backend/internal/stream.js index 9f76a1def..526ceba82 100644 --- a/backend/internal/stream.js +++ b/backend/internal/stream.js @@ -1,10 +1,12 @@ -const _ = require('lodash'); -const error = require('../lib/error'); -const utils = require('../lib/utils'); -const streamModel = require('../models/stream'); -const internalNginx = require('./nginx'); -const internalAuditLog = require('./audit-log'); -const {castJsonIfNeed} = require('../lib/helpers'); +const _ = require('lodash'); +const error = require('../lib/error'); +const utils = require('../lib/utils'); +const streamModel = require('../models/stream'); +const internalNginx = require('./nginx'); +const internalAuditLog = require('./audit-log'); +const internalCertificate = require('./certificate'); +const internalHost = require('./host'); +const {castJsonIfNeed} = require('../lib/helpers'); function omissions () { return ['is_deleted']; @@ -18,6 +20,12 @@ const internalStream = { * @returns {Promise} */ create: (access, data) => { + let create_certificate = data.certificate_id === 'new'; + + if (create_certificate) { + delete data.certificate_id; + } + return access.can('streams:create', data) .then((/*access_data*/) => { // TODO: At this point the existing ports should have been checked @@ -27,11 +35,40 @@ const internalStream = { data.meta = {}; } + let data_no_domains = structuredClone(data); + + // streams aren't routed by domain name so don't store domain names in the DB + delete data_no_domains.domain_names; + return streamModel .query() - .insertAndFetch(data) + .insertAndFetch(data_no_domains) .then(utils.omitRow(omissions())); }) + .then((row) => { + if (create_certificate) { + return internalCertificate.createQuickCertificate(access, data) + .then((cert) => { + // update host with cert id + return internalStream.update(access, { + id: row.id, + certificate_id: cert.id + }); + }) + .then(() => { + return row; + }); + } else { + return row; + } + }) + .then((row) => { + // re-fetch with cert + return internalStream.get(access, { + id: row.id, + expand: ['certificate', 'owner'] + }); + }) .then((row) => { // Configure nginx return internalNginx.configure(streamModel, 'stream', row) @@ -60,6 +97,12 @@ const internalStream = { * @return {Promise} */ update: (access, data) => { + let create_certificate = data.certificate_id === 'new'; + + if (create_certificate) { + delete data.certificate_id; + } + return access.can('streams:update', data.id) .then((/*access_data*/) => { // TODO: at this point the existing streams should have been checked @@ -71,6 +114,28 @@ const internalStream = { throw new error.InternalValidationError('Stream could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id); } + if (create_certificate) { + return internalCertificate.createQuickCertificate(access, { + domain_names: data.domain_names || row.domain_names, + meta: _.assign({}, row.meta, data.meta) + }) + .then((cert) => { + // update host with cert id + data.certificate_id = cert.id; + }) + .then(() => { + return row; + }); + } else { + return row; + } + }) + .then((row) => { + // Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here. + data = _.assign({}, { + domain_names: row.domain_names + }, data); + return streamModel .query() .patchAndFetchById(row.id, data) @@ -115,7 +180,7 @@ const internalStream = { .query() .where('is_deleted', 0) .andWhere('id', data.id) - .allowGraph('[owner]') + .allowGraph('[owner,certificate]') .first(); if (access_data.permission_visibility !== 'all') { @@ -132,6 +197,7 @@ const internalStream = { if (!row || !row.id) { throw new error.ItemNotFoundError(data.id); } + row = internalHost.cleanRowCertificateMeta(row); // Custom omissions if (typeof data.omit !== 'undefined' && data.omit !== null) { row = _.omit(row, data.omit); @@ -197,14 +263,14 @@ const internalStream = { .then(() => { return internalStream.get(access, { id: data.id, - expand: ['owner'] + expand: ['certificate', 'owner'] }); }) .then((row) => { if (!row || !row.id) { throw new error.ItemNotFoundError(data.id); } else if (row.enabled) { - throw new error.ValidationError('Host is already enabled'); + throw new error.ValidationError('Stream is already enabled'); } row.enabled = 1; @@ -250,7 +316,7 @@ const internalStream = { if (!row || !row.id) { throw new error.ItemNotFoundError(data.id); } else if (!row.enabled) { - throw new error.ValidationError('Host is already disabled'); + throw new error.ValidationError('Stream is already disabled'); } row.enabled = 0; @@ -298,7 +364,7 @@ const internalStream = { .query() .where('is_deleted', 0) .groupBy('id') - .allowGraph('[owner]') + .allowGraph('[owner,certificate]') .orderByRaw('CAST(incoming_port AS INTEGER) ASC'); if (access_data.permission_visibility !== 'all') { @@ -317,6 +383,13 @@ const internalStream = { } return query.then(utils.omitRows(omissions())); + }) + .then((rows) => { + if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) { + return internalHost.cleanAllRowsCertificateMeta(rows); + } + + return rows; }); }, diff --git a/backend/migrations/20240427161436_stream_ssl.js b/backend/migrations/20240427161436_stream_ssl.js new file mode 100644 index 000000000..5f47b18ec --- /dev/null +++ b/backend/migrations/20240427161436_stream_ssl.js @@ -0,0 +1,38 @@ +const migrate_name = 'stream_ssl'; +const logger = require('../logger').migrate; + +/** + * Migrate + * + * @see http://knexjs.org/#Schema + * + * @param {Object} knex + * @returns {Promise} + */ +exports.up = function (knex) { + logger.info('[' + migrate_name + '] Migrating Up...'); + + return knex.schema.table('stream', (table) => { + table.integer('certificate_id').notNull().unsigned().defaultTo(0); + }) + .then(function () { + logger.info('[' + migrate_name + '] stream Table altered'); + }); +}; + +/** + * Undo Migrate + * + * @param {Object} knex + * @returns {Promise} + */ +exports.down = function (knex) { + logger.info('[' + migrate_name + '] Migrating Down...'); + + return knex.schema.table('stream', (table) => { + table.dropColumn('certificate_id'); + }) + .then(function () { + logger.info('[' + migrate_name + '] stream Table altered'); + }); +}; diff --git a/backend/models/stream.js b/backend/models/stream.js index b96ca5a17..40fd601ce 100644 --- a/backend/models/stream.js +++ b/backend/models/stream.js @@ -1,11 +1,9 @@ -// Objection Docs: -// http://vincit.github.io/objection.js/ - -const db = require('../db'); -const helpers = require('../lib/helpers'); -const Model = require('objection').Model; -const User = require('./user'); -const now = require('./now_helper'); +const Model = require('objection').Model; +const db = require('../db'); +const helpers = require('../lib/helpers'); +const User = require('./user'); +const Certificate = require('./certificate'); +const now = require('./now_helper'); Model.knex(db); @@ -64,6 +62,17 @@ class Stream extends Model { modify: function (qb) { qb.where('user.is_deleted', 0); } + }, + certificate: { + relation: Model.HasOneRelation, + modelClass: Certificate, + join: { + from: 'stream.certificate_id', + to: 'certificate.id' + }, + modify: function (qb) { + qb.where('certificate.is_deleted', 0); + } } }; } diff --git a/frontend/js/app/nginx/stream/main.js b/frontend/js/app/nginx/stream/main.js index 8a86e5836..83bdc15e1 100644 --- a/frontend/js/app/nginx/stream/main.js +++ b/frontend/js/app/nginx/stream/main.js @@ -88,7 +88,7 @@ module.exports = Mn.View.extend({ onRender: function () { let view = this; - view.fetch(['owner']) + view.fetch(['owner', 'certificate']) .then(response => { if (!view.isDestroyed()) { if (response && response.length) { From 4452f014b9b0125e2a6cf07d1f46e104355e912d Mon Sep 17 00:00:00 2001 From: jbowring Date: Mon, 22 Jul 2024 20:53:21 +0100 Subject: [PATCH 07/11] Fix whitespace in nginx stream config --- backend/templates/_certificates_stream.conf | 8 ++++---- backend/templates/stream.conf | 20 +++++++------------- 2 files changed, 11 insertions(+), 17 deletions(-) diff --git a/backend/templates/_certificates_stream.conf b/backend/templates/_certificates_stream.conf index b213cf666..ba7812fdd 100644 --- a/backend/templates/_certificates_stream.conf +++ b/backend/templates/_certificates_stream.conf @@ -1,13 +1,13 @@ -{% if certificate and certificate_id > 0 -%} +{% if certificate and certificate_id > 0 %} {% if certificate.provider == "letsencrypt" %} # Let's Encrypt SSL include conf.d/include/ssl-cache-stream.conf; include conf.d/include/ssl-ciphers.conf; ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem; -{% else %} +{%- else %} # Custom SSL ssl_certificate /data/custom_ssl/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem; -{% endif %} -{% endif %} +{%- endif -%} +{%- endif -%} diff --git a/backend/templates/stream.conf b/backend/templates/stream.conf index 8345699c4..7333aaee1 100644 --- a/backend/templates/stream.conf +++ b/backend/templates/stream.conf @@ -5,14 +5,10 @@ {% if enabled %} {% if tcp_forwarding == 1 or tcp_forwarding == true -%} server { - listen {{ incoming_port }}{% if certificate %} ssl{% endif %}; -{% if ipv6 -%} - listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %}; -{% else -%} - #listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %}; -{% endif %} + listen {{ incoming_port }} {%- if certificate %} ssl {%- endif %}; + {% unless ipv6 -%} # {%- endunless -%} listen [::]:{{ incoming_port }} {%- if certificate %} ssl {%- endif %}; -{% include "_certificates_stream.conf" %} + {%- include "_certificates_stream.conf" %} proxy_pass {{ forwarding_host }}:{{ forwarding_port }}; @@ -21,14 +17,12 @@ server { include /data/nginx/custom/server_stream_tcp[.]conf; } {% endif %} -{% if udp_forwarding == 1 or udp_forwarding == true %} + +{% if udp_forwarding == 1 or udp_forwarding == true -%} server { listen {{ incoming_port }} udp; -{% if ipv6 -%} - listen [::]:{{ incoming_port }} udp; -{% else -%} - #listen [::]:{{ incoming_port }} udp; -{% endif %} + {% unless ipv6 -%} # {%- endunless -%} listen [::]:{{ incoming_port }} udp; + proxy_pass {{ forwarding_host }}:{{ forwarding_port }}; # Custom From 2657af97cf1e0ec46fdc4cde43e2a69482993d4c Mon Sep 17 00:00:00 2001 From: jbowring Date: Tue, 23 Jul 2024 08:39:18 +0100 Subject: [PATCH 08/11] Fix stream update not persisting --- backend/internal/stream.js | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/backend/internal/stream.js b/backend/internal/stream.js index 526ceba82..36cb40554 100644 --- a/backend/internal/stream.js +++ b/backend/internal/stream.js @@ -35,9 +35,8 @@ const internalStream = { data.meta = {}; } - let data_no_domains = structuredClone(data); - // streams aren't routed by domain name so don't store domain names in the DB + let data_no_domains = structuredClone(data); delete data_no_domains.domain_names; return streamModel @@ -73,7 +72,7 @@ const internalStream = { // Configure nginx return internalNginx.configure(streamModel, 'stream', row) .then(() => { - return internalStream.get(access, {id: row.id, expand: ['owner']}); + return row; }); }) .then((row) => { @@ -140,12 +139,6 @@ const internalStream = { .query() .patchAndFetchById(row.id, data) .then(utils.omitRow(omissions())) - .then((saved_row) => { - return internalNginx.configure(streamModel, 'stream', saved_row) - .then(() => { - return internalStream.get(access, {id: row.id, expand: ['owner']}); - }); - }) .then((saved_row) => { // Add to audit log return internalAuditLog.add(access, { @@ -158,6 +151,17 @@ const internalStream = { return saved_row; }); }); + }) + .then(() => { + return internalStream.get(access, {id: data.id, expand: ['owner', 'certificate']}) + .then((row) => { + return internalNginx.configure(streamModel, 'stream', row) + .then((new_meta) => { + row.meta = new_meta; + row = internalHost.cleanRowCertificateMeta(row); + return _.omit(row, omissions()); + }); + }); }); }, From 68a78035134395cf9ef4a0739a9e6ccc9ee568cc Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Tue, 4 Feb 2025 17:53:59 +1000 Subject: [PATCH 09/11] Fix api schema after merging latest changes --- backend/internal/stream.js | 4 +- backend/schema/components/stream-object.json | 3 + backend/schema/paths/nginx/streams/get.json | 5 +- backend/schema/paths/nginx/streams/post.json | 6 +- .../paths/nginx/streams/streamID/get.json | 3 +- .../paths/nginx/streams/streamID/put.json | 90 ++++++------------- 6 files changed, 40 insertions(+), 71 deletions(-) diff --git a/backend/internal/stream.js b/backend/internal/stream.js index 36cb40554..f69a5c176 100644 --- a/backend/internal/stream.js +++ b/backend/internal/stream.js @@ -20,7 +20,7 @@ const internalStream = { * @returns {Promise} */ create: (access, data) => { - let create_certificate = data.certificate_id === 'new'; + const create_certificate = data.certificate_id === 'new'; if (create_certificate) { delete data.certificate_id; @@ -96,7 +96,7 @@ const internalStream = { * @return {Promise} */ update: (access, data) => { - let create_certificate = data.certificate_id === 'new'; + const create_certificate = data.certificate_id === 'new'; if (create_certificate) { delete data.certificate_id; diff --git a/backend/schema/components/stream-object.json b/backend/schema/components/stream-object.json index e17749940..0ab8f907a 100644 --- a/backend/schema/components/stream-object.json +++ b/backend/schema/components/stream-object.json @@ -55,6 +55,9 @@ "enabled": { "$ref": "../common.json#/properties/enabled" }, + "certificate_id": { + "$ref": "../common.json#/properties/certificate_id" + }, "meta": { "type": "object" } diff --git a/backend/schema/paths/nginx/streams/get.json b/backend/schema/paths/nginx/streams/get.json index 596afc6e7..17969ee4e 100644 --- a/backend/schema/paths/nginx/streams/get.json +++ b/backend/schema/paths/nginx/streams/get.json @@ -14,7 +14,7 @@ "description": "Expansions", "schema": { "type": "string", - "enum": ["access_list", "owner", "certificate"] + "enum": ["owner", "certificate"] } } ], @@ -40,7 +40,8 @@ "nginx_online": true, "nginx_err": null }, - "enabled": true + "enabled": true, + "certificate_id": 0 } ] } diff --git a/backend/schema/paths/nginx/streams/post.json b/backend/schema/paths/nginx/streams/post.json index 9f3514e0f..d26996b69 100644 --- a/backend/schema/paths/nginx/streams/post.json +++ b/backend/schema/paths/nginx/streams/post.json @@ -32,6 +32,9 @@ "udp_forwarding": { "$ref": "../../../components/stream-object.json#/properties/udp_forwarding" }, + "certificate_id": { + "$ref": "../../../components/stream-object.json#/properties/certificate_id" + }, "meta": { "$ref": "../../../components/stream-object.json#/properties/meta" } @@ -73,7 +76,8 @@ "nickname": "Admin", "avatar": "", "roles": ["admin"] - } + }, + "certificate_id": 0 } } }, diff --git a/backend/schema/paths/nginx/streams/streamID/get.json b/backend/schema/paths/nginx/streams/streamID/get.json index 6547656df..801af13a7 100644 --- a/backend/schema/paths/nginx/streams/streamID/get.json +++ b/backend/schema/paths/nginx/streams/streamID/get.json @@ -40,7 +40,8 @@ "nginx_online": true, "nginx_err": null }, - "enabled": true + "enabled": true, + "certificate_id": 0 } } }, diff --git a/backend/schema/paths/nginx/streams/streamID/put.json b/backend/schema/paths/nginx/streams/streamID/put.json index fbfdc901b..14adb1631 100644 --- a/backend/schema/paths/nginx/streams/streamID/put.json +++ b/backend/schema/paths/nginx/streams/streamID/put.json @@ -29,56 +29,26 @@ "additionalProperties": false, "minProperties": 1, "properties": { - "domain_names": { - "$ref": "../../../../components/proxy-host-object.json#/properties/domain_names" + "incoming_port": { + "$ref": "../../../../components/stream-object.json#/properties/incoming_port" }, - "forward_scheme": { - "$ref": "../../../../components/proxy-host-object.json#/properties/forward_scheme" + "forwarding_host": { + "$ref": "../../../../components/stream-object.json#/properties/forwarding_host" }, - "forward_host": { - "$ref": "../../../../components/proxy-host-object.json#/properties/forward_host" + "forwarding_port": { + "$ref": "../../../../components/stream-object.json#/properties/forwarding_port" }, - "forward_port": { - "$ref": "../../../../components/proxy-host-object.json#/properties/forward_port" + "tcp_forwarding": { + "$ref": "../../../../components/stream-object.json#/properties/tcp_forwarding" }, - "certificate_id": { - "$ref": "../../../../components/proxy-host-object.json#/properties/certificate_id" - }, - "ssl_forced": { - "$ref": "../../../../components/proxy-host-object.json#/properties/ssl_forced" - }, - "hsts_enabled": { - "$ref": "../../../../components/proxy-host-object.json#/properties/hsts_enabled" - }, - "hsts_subdomains": { - "$ref": "../../../../components/proxy-host-object.json#/properties/hsts_subdomains" - }, - "http2_support": { - "$ref": "../../../../components/proxy-host-object.json#/properties/http2_support" - }, - "block_exploits": { - "$ref": "../../../../components/proxy-host-object.json#/properties/block_exploits" + "udp_forwarding": { + "$ref": "../../../../components/stream-object.json#/properties/udp_forwarding" }, - "caching_enabled": { - "$ref": "../../../../components/proxy-host-object.json#/properties/caching_enabled" - }, - "allow_websocket_upgrade": { - "$ref": "../../../../components/proxy-host-object.json#/properties/allow_websocket_upgrade" - }, - "access_list_id": { - "$ref": "../../../../components/proxy-host-object.json#/properties/access_list_id" - }, - "advanced_config": { - "$ref": "../../../../components/proxy-host-object.json#/properties/advanced_config" - }, - "enabled": { - "$ref": "../../../../components/proxy-host-object.json#/properties/enabled" + "certificate_id": { + "$ref": "../../../../components/stream-object.json#/properties/certificate_id" }, "meta": { - "$ref": "../../../../components/proxy-host-object.json#/properties/meta" - }, - "locations": { - "$ref": "../../../../components/proxy-host-object.json#/properties/locations" + "$ref": "../../../../components/stream-object.json#/properties/meta" } } } @@ -94,42 +64,32 @@ "default": { "value": { "id": 1, - "created_on": "2024-10-08T23:23:03.000Z", - "modified_on": "2024-10-08T23:26:37.000Z", + "created_on": "2024-10-09T02:33:45.000Z", + "modified_on": "2024-10-09T02:33:45.000Z", "owner_user_id": 1, - "domain_names": ["test.example.com"], - "forward_host": "192.168.0.10", - "forward_port": 8989, - "access_list_id": 0, - "certificate_id": 0, - "ssl_forced": false, - "caching_enabled": false, - "block_exploits": false, - "advanced_config": "", + "incoming_port": 9090, + "forwarding_host": "router.internal", + "forwarding_port": 80, + "tcp_forwarding": true, + "udp_forwarding": false, "meta": { "nginx_online": true, "nginx_err": null }, - "allow_websocket_upgrade": false, - "http2_support": false, - "forward_scheme": "http", "enabled": true, - "hsts_enabled": false, - "hsts_subdomains": false, "owner": { "id": 1, - "created_on": "2024-10-07T22:43:55.000Z", - "modified_on": "2024-10-08T12:52:54.000Z", + "created_on": "2024-10-09T02:33:16.000Z", + "modified_on": "2024-10-09T02:33:16.000Z", "is_deleted": false, "is_disabled": false, "email": "admin@example.com", "name": "Administrator", - "nickname": "some guy", - "avatar": "//www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?default=mm", + "nickname": "Admin", + "avatar": "", "roles": ["admin"] }, - "certificate": null, - "access_list": null + "certificate_id": 0 } } }, From b4793d3c162561f7a4d13dc61947334eeea618d9 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Wed, 5 Feb 2025 08:10:11 +1000 Subject: [PATCH 10/11] Adds testssl.sh and mkcert to cypress stack --- test/cypress/Dockerfile | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/test/cypress/Dockerfile b/test/cypress/Dockerfile index 6de4c2454..c0bc0ba8b 100644 --- a/test/cypress/Dockerfile +++ b/test/cypress/Dockerfile @@ -6,6 +6,18 @@ COPY --chown=1000 ./test /test ENV FORCE_COLOR=0 ENV NO_COLOR=1 +# testssl.sh and mkcert +RUN wget "https://github.com/testssl/testssl.sh/archive/refs/tags/v3.2rc4.tar.gz" -O /tmp/testssl.tgz -q \ + && tar -xzf /tmp/testssl.tgz -C /tmp \ + && mv /tmp/testssl.sh-3.2rc4 /testssl \ + && rm /tmp/testssl.tgz \ + && apt-get update \ + && apt-get install -y bsdmainutils \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* \ + && wget "https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64" -O /bin/mkcert \ + && chmod +x /bin/mkcert + WORKDIR /test RUN yarn install && yarn cache clean ENTRYPOINT [] From 6a606278339f87cd6ed5769d375e706359a8c61c Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Wed, 5 Feb 2025 09:00:31 +1000 Subject: [PATCH 11/11] Cypress test for Streams and updated cypress + packages --- backend/internal/stream.js | 2 +- backend/models/stream.js | 1 + backend/schema/components/stream-object.json | 17 +- docker/docker-compose.ci.yml | 6 +- docker/scripts/install-s6 | 2 +- test/cypress/Dockerfile | 7 +- test/cypress/e2e/api/Streams.cy.js | 213 +++++++++++++++++++ test/package.json | 14 +- 8 files changed, 245 insertions(+), 17 deletions(-) create mode 100644 test/cypress/e2e/api/Streams.cy.js diff --git a/backend/internal/stream.js b/backend/internal/stream.js index f69a5c176..4d49bc3aa 100644 --- a/backend/internal/stream.js +++ b/backend/internal/stream.js @@ -9,7 +9,7 @@ const internalHost = require('./host'); const {castJsonIfNeed} = require('../lib/helpers'); function omissions () { - return ['is_deleted']; + return ['is_deleted', 'owner.is_deleted', 'certificate.is_deleted']; } const internalStream = { diff --git a/backend/models/stream.js b/backend/models/stream.js index 40fd601ce..dbec2dcb7 100644 --- a/backend/models/stream.js +++ b/backend/models/stream.js @@ -8,6 +8,7 @@ const now = require('./now_helper'); Model.knex(db); const boolFields = [ + 'enabled', 'is_deleted', 'tcp_forwarding', 'udp_forwarding', diff --git a/backend/schema/components/stream-object.json b/backend/schema/components/stream-object.json index 0ab8f907a..848c30e6e 100644 --- a/backend/schema/components/stream-object.json +++ b/backend/schema/components/stream-object.json @@ -19,9 +19,7 @@ "incoming_port": { "type": "integer", "minimum": 1, - "maximum": 65535, - "if": {"properties": {"tcp_forwarding": {"const": true}}}, - "then": {"not": {"oneOf": [{"const": 80}, {"const": 443}]}} + "maximum": 65535 }, "forwarding_host": { "anyOf": [ @@ -60,6 +58,19 @@ }, "meta": { "type": "object" + }, + "owner": { + "$ref": "./user-object.json" + }, + "certificate": { + "oneOf": [ + { + "type": "null" + }, + { + "$ref": "./certificate-object.json" + } + ] } } } diff --git a/docker/docker-compose.ci.yml b/docker/docker-compose.ci.yml index 022f28131..280a05465 100644 --- a/docker/docker-compose.ci.yml +++ b/docker/docker-compose.ci.yml @@ -22,6 +22,10 @@ services: test: ["CMD", "/usr/bin/check-health"] interval: 10s timeout: 3s + expose: + - '80-81/tcp' + - '443/tcp' + - '1500-1503/tcp' networks: fulltest: aliases: @@ -97,7 +101,7 @@ services: HTTP_PROXY: 'squid:3128' HTTPS_PROXY: 'squid:3128' volumes: - - 'cypress_logs:/results' + - 'cypress_logs:/test/results' - './dev/resolv.conf:/etc/resolv.conf:ro' - '/etc/localtime:/etc/localtime:ro' command: cypress run --browser chrome --config-file=cypress/config/ci.js diff --git a/docker/scripts/install-s6 b/docker/scripts/install-s6 index 2922735b2..5f3b73ec5 100755 --- a/docker/scripts/install-s6 +++ b/docker/scripts/install-s6 @@ -8,7 +8,7 @@ BLUE='\E[1;34m' GREEN='\E[1;32m' RESET='\E[0m' -S6_OVERLAY_VERSION=3.1.5.0 +S6_OVERLAY_VERSION=3.2.0.2 TARGETPLATFORM=${1:-linux/amd64} # Determine the correct binary file for the architecture given diff --git a/test/cypress/Dockerfile b/test/cypress/Dockerfile index c0bc0ba8b..9b835fe0e 100644 --- a/test/cypress/Dockerfile +++ b/test/cypress/Dockerfile @@ -1,6 +1,4 @@ -FROM cypress/included:13.9.0 - -COPY --chown=1000 ./test /test +FROM cypress/included:14.0.1 # Disable Cypress CLI colors ENV FORCE_COLOR=0 @@ -12,12 +10,13 @@ RUN wget "https://github.com/testssl/testssl.sh/archive/refs/tags/v3.2rc4.tar.gz && mv /tmp/testssl.sh-3.2rc4 /testssl \ && rm /tmp/testssl.tgz \ && apt-get update \ - && apt-get install -y bsdmainutils \ + && apt-get install -y bsdmainutils curl dnsutils \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* \ && wget "https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64" -O /bin/mkcert \ && chmod +x /bin/mkcert +COPY --chown=1000 ./test /test WORKDIR /test RUN yarn install && yarn cache clean ENTRYPOINT [] diff --git a/test/cypress/e2e/api/Streams.cy.js b/test/cypress/e2e/api/Streams.cy.js new file mode 100644 index 000000000..9de43157e --- /dev/null +++ b/test/cypress/e2e/api/Streams.cy.js @@ -0,0 +1,213 @@ +/// + +describe('Streams', () => { + let token; + + before(() => { + cy.getToken().then((tok) => { + token = tok; + // Set default site content + cy.task('backendApiPut', { + token: token, + path: '/api/settings/default-site', + data: { + value: 'html', + meta: { + html: '

yay it works

' + }, + }, + }).then((data) => { + cy.validateSwaggerSchema('put', 200, '/settings/{settingID}', data); + }); + }); + + // Create a custom cert pair + cy.exec('mkcert -cert-file=/test/cypress/fixtures/website1.pem -key-file=/test/cypress/fixtures/website1.key.pem website1.example.com').then((result) => { + expect(result.code).to.eq(0); + // Install CA + cy.exec('mkcert -install').then((result) => { + expect(result.code).to.eq(0); + }); + }); + + cy.exec('rm -f /test/results/testssl.json'); + }); + + it('Should be able to create TCP Stream', function() { + cy.task('backendApiPost', { + token: token, + path: '/api/nginx/streams', + data: { + incoming_port: 1500, + forwarding_host: '127.0.0.1', + forwarding_port: 80, + certificate_id: 0, + meta: { + dns_provider_credentials: "", + letsencrypt_agree: false, + dns_challenge: true + }, + tcp_forwarding: true, + udp_forwarding: false + } + }).then((data) => { + cy.validateSwaggerSchema('post', 201, '/nginx/streams', data); + expect(data).to.have.property('id'); + expect(data.id).to.be.greaterThan(0); + expect(data).to.have.property('enabled', true); + expect(data).to.have.property('tcp_forwarding', true); + expect(data).to.have.property('udp_forwarding', false); + + cy.exec('curl --noproxy -- http://website1.example.com:1500').then((result) => { + expect(result.code).to.eq(0); + expect(result.stdout).to.contain('yay it works'); + }); + }); + }); + + it('Should be able to create UDP Stream', function() { + cy.task('backendApiPost', { + token: token, + path: '/api/nginx/streams', + data: { + incoming_port: 1501, + forwarding_host: '127.0.0.1', + forwarding_port: 80, + certificate_id: 0, + meta: { + dns_provider_credentials: "", + letsencrypt_agree: false, + dns_challenge: true + }, + tcp_forwarding: false, + udp_forwarding: true + } + }).then((data) => { + cy.validateSwaggerSchema('post', 201, '/nginx/streams', data); + expect(data).to.have.property('id'); + expect(data.id).to.be.greaterThan(0); + expect(data).to.have.property('enabled', true); + expect(data).to.have.property('tcp_forwarding', false); + expect(data).to.have.property('udp_forwarding', true); + }); + }); + + it('Should be able to create TCP/UDP Stream', function() { + cy.task('backendApiPost', { + token: token, + path: '/api/nginx/streams', + data: { + incoming_port: 1502, + forwarding_host: '127.0.0.1', + forwarding_port: 80, + certificate_id: 0, + meta: { + dns_provider_credentials: "", + letsencrypt_agree: false, + dns_challenge: true + }, + tcp_forwarding: true, + udp_forwarding: true + } + }).then((data) => { + cy.validateSwaggerSchema('post', 201, '/nginx/streams', data); + expect(data).to.have.property('id'); + expect(data.id).to.be.greaterThan(0); + expect(data).to.have.property('enabled', true); + expect(data).to.have.property('tcp_forwarding', true); + expect(data).to.have.property('udp_forwarding', true); + + cy.exec('curl --noproxy -- http://website1.example.com:1502').then((result) => { + expect(result.code).to.eq(0); + expect(result.stdout).to.contain('yay it works'); + }); + }); + }); + + it('Should be able to create SSL TCP Stream', function() { + let certID = 0; + + // Create custom cert + cy.task('backendApiPost', { + token: token, + path: '/api/nginx/certificates', + data: { + provider: "other", + nice_name: "Custom Certificate for SSL Stream", + }, + }).then((data) => { + cy.validateSwaggerSchema('post', 201, '/nginx/certificates', data); + expect(data).to.have.property('id'); + certID = data.id; + + // Upload files + cy.task('backendApiPostFiles', { + token: token, + path: `/api/nginx/certificates/${certID}/upload`, + files: { + certificate: 'website1.pem', + certificate_key: 'website1.key.pem', + }, + }).then((data) => { + cy.validateSwaggerSchema('post', 200, '/nginx/certificates/{certID}/upload', data); + expect(data).to.have.property('certificate'); + expect(data).to.have.property('certificate_key'); + + // Create the stream + cy.task('backendApiPost', { + token: token, + path: '/api/nginx/streams', + data: { + incoming_port: 1503, + forwarding_host: '127.0.0.1', + forwarding_port: 80, + certificate_id: certID, + meta: { + dns_provider_credentials: "", + letsencrypt_agree: false, + dns_challenge: true + }, + tcp_forwarding: true, + udp_forwarding: false + } + }).then((data) => { + cy.validateSwaggerSchema('post', 201, '/nginx/streams', data); + expect(data).to.have.property('id'); + expect(data.id).to.be.greaterThan(0); + expect(data).to.have.property("enabled", true); + expect(data).to.have.property('tcp_forwarding', true); + expect(data).to.have.property('udp_forwarding', false); + expect(data).to.have.property('certificate_id', certID); + + // Check the ssl termination + cy.task('log', '[testssl.sh] Running ...'); + cy.exec('/testssl/testssl.sh --quiet --add-ca="$(/bin/mkcert -CAROOT)/rootCA.pem" --jsonfile=/test/results/testssl.json website1.example.com:1503', { + timeout: 120000, // 2 minutes + }).then((result) => { + cy.task('log', '[testssl.sh] ' + result.stdout); + + const allowedSeverities = ["INFO", "OK", "LOW", "MEDIUM"]; + const ignoredIDs = [ + 'cert_chain_of_trust', + 'cert_extlifeSpan', + 'cert_revocation', + 'overall_grade', + ]; + + cy.readFile('/test/results/testssl.json').then((data) => { + // Parse each array item + for (let i = 0; i < data.length; i++) { + const item = data[i]; + if (ignoredIDs.includes(item.id)) { + continue; + } + expect(item.severity).to.be.oneOf(allowedSeverities); + } + }); + }); + }); + }); + }); + }); + +}); diff --git a/test/package.json b/test/package.json index b52ecfbd7..a3a3cad6d 100644 --- a/test/package.json +++ b/test/package.json @@ -4,18 +4,18 @@ "description": "", "main": "index.js", "dependencies": { - "@jc21/cypress-swagger-validation": "^0.3.1", - "axios": "^1.7.7", - "cypress": "^13.15.0", - "cypress-multi-reporters": "^1.6.4", + "@jc21/cypress-swagger-validation": "^0.3.2", + "axios": "^1.7.9", + "cypress": "^14.0.1", + "cypress-multi-reporters": "^2.0.5", "cypress-wait-until": "^3.0.2", - "eslint": "^9.12.0", + "eslint": "^9.19.0", "eslint-plugin-align-assignments": "^1.1.2", "eslint-plugin-chai-friendly": "^1.0.1", - "eslint-plugin-cypress": "^3.5.0", + "eslint-plugin-cypress": "^4.1.0", "form-data": "^4.0.1", "lodash": "^4.17.21", - "mocha": "^10.7.3", + "mocha": "^11.1.0", "mocha-junit-reporter": "^2.2.1" }, "scripts": {