# Verify that the requested reverse proxy destination is valid:
# - protocol is http(s):// or unix: for socket file
# - plaintext http is only allowed to localhost (to avoid leaking credentials on the network)
# - http(s) destination is webroot, no additional component allowed (eg. http://localhost:1234/test is invalid)
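rp_validate_proxy_path() {
    # Validate the global $proxy_path and normalise it in place.
    #
    # Reads and rewrites: proxy_path
    # Also sets the scratch globals: url_regex, res
    # Calls ynh_die (not defined in this section) to reject a destination.
    #
    # Accepted forms, as implemented below:
    #   unix:/path/to.socket         -> rewritten to http://unix:/path/to.socket
    #   http://unix:/path/to.socket  -> kept as is
    #   http://localhost[:port]      -> plaintext allowed to loopback only
    #   http://127.x.x.x[:port]      -> plaintext allowed to loopback only
    #   https://host[:port]          -> any host
    # A single trailing slash on an http(s) URL is stripped; any further path
    # component is rejected.
    if [[ "$proxy_path" == unix:/* ]]; then
        # Final nginx config is http://unix:/path/to.socket
        proxy_path="http://$proxy_path"
    elif [[ ! "$proxy_path" == http://unix:/* ]]; then
        # Not unix domain socket... check URL is localhost
        #
        # The loopback alternative must be followed directly by an optional
        # port, an optional path, then end of string, so a look-alike host
        # such as "localhost.example" does not match the plaintext branch.
        # The 127.* octets are matched as digit runs, not range-checked.
        # NOTE(review): the https:// branch is ".*" and accepts any
        # characters (whitespace, ';', braces). The value ends up in the
        # nginx config, so confirm it is constrained or escaped where the
        # config is rendered.
        url_regex='^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)|https://.*)(:[0-9]+)?(/.*)?$'
        if [[ ! "$proxy_path" =~ $url_regex ]]; then
            ynh_die \
                "For secure reason, you can't use an unencrypted http remote destination couple with ssowat for your reverse proxy: $proxy_path" 1
        fi
    fi

    # Don't allow trailing slash or additional URI components in proxy_path
    #
    # Unix-socket destinations are excluded from this check: by this point
    # they have the form http://unix:/path/to.socket, which always contains
    # more than the two slashes of "http://", so counting slashes would
    # reject every socket path that the branch above accepted.
    if [[ "$proxy_path" =~ ^https?:// ]] && [[ "$proxy_path" != http://unix:/* ]]; then
        # Keep only the '/' characters; a bare scheme://host[:port] has exactly 2.
        res="${proxy_path//[^\/]}"
        if [[ "${#res}" != "2" ]]; then
            if [[ "${#res}" = "3" ]] && [[ "$proxy_path" =~ /$ ]]; then
                # If it's only one trailing slash (no more components), just remove it
                proxy_path="${proxy_path::-1}"
            else
                ynh_die "Reverse proxy URL cannot contain additional slashes or components: $proxy_path" 1
            fi
        fi
    fi
}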
# Verify that the requested assets path is valid
# - is a local folder
# - ends with a /
# Sets the alias line for serving static files,
# and the try_files line for trying those static files first
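rp_validate_assets_path() {
    # Validate the global $assets_path and derive the nginx snippets for it.
    #
    # Reads:  assets_path, app
    # Writes: assets_path (trailing slash appended if missing),
    #         assets_alias, try_files
    # Calls ynh_die (not defined in this section) if the directory is missing.
    if [[ "$assets_path" = "" ]]; then
        # No assets requested: emit a comment placeholder and a try_files
        # line that only names the app's @<app>--proxy location.
        assets_alias="# No static files to serve"
        try_files="try_files /dev/null @${app}--proxy;"
    else
        if [ ! -d "$assets_path" ]; then
            # The message is passed as ONE quoted argument. With the path
            # expanded outside the quotes, a path containing whitespace or
            # glob characters is split into several words, which shifts the
            # trailing "1" out of the second argument position.
            ynh_die "Requested assets path $assets_path does not exist" 1
        fi

        if [[ ! "$assets_path" =~ /$ ]]; then
            # Append missing trailing /
            assets_path="${assets_path}/"
        fi

        # NOTE(review): assets_path is interpolated unquoted into an nginx
        # directive. The -d test only proves the directory exists; a name
        # containing whitespace or ';' would still change how the alias line
        # is parsed. Confirm the caller restricts the allowed characters.
        assets_alias="alias $assets_path;"
        try_files="try_files \$uri \$uri/ @${app}--proxy;"
    fi
}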
# When the app is not installed at the webroot (the webroot being path = /), need to add a redirect block
# to app/ so relative URLs work
rp_handle_webroot() {
    # Derive the two globals path_slash and redirect_block from the global
    # $path.
    #
    #   path = "/"   -> path_slash is "/", redirect_block is a comment line
    #   otherwise    -> path_slash is "$path/", redirect_block is an exact-match
    #                   nginx location that answers 302 to the slash-terminated
    #                   path
    #
    # $path is inserted into the location line as is; nothing here validates
    # or escapes it.
    case "$path" in
        /)
            path_slash="/"
            redirect_block="# Not needed for webroot"
            ;;
        *)
            path_slash="${path}/"
            redirect_block="location = ${path} { return 302 ${path_slash}; }"
            ;;
    esac
}