From ee3c78cd3396d07f21ab7493ab61e722ba186486 Mon Sep 17 00:00:00 2001 From: selfhoster1312 Date: Mon, 9 Jan 2023 12:41:21 +0100 Subject: [PATCH 1/7] Add doc about plaintext localhost backend --- doc/DISCLAIMER.md | 4 ++++ doc/DISCLAIMER_fr.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md index 3f6a3d5..78a63d1 100644 --- a/doc/DISCLAIMER.md +++ b/doc/DISCLAIMER.md @@ -5,3 +5,7 @@ The request is transmitted as-is to the backend server. This usually means that To support relative URLs from the backend, accessing the application via `http(s)://example.com/proxy` will permanent redirect (302) to `http(s)://example.com/proxy/` (trailing slash). Otherwise, a relative link like `` would try to load `http(s)://example.com/style.css` which would fail. It is possible that your backend service does not support setting up a "base URL" (custom web path). In that case, you will have to install the application on a dedicated (sub)domain. + +### Plaintext localhost backend + +Plaintext HTTP backend is only allowed on localhost. For now, only 127.X.X.X is allowed. 10.X.X.X should also be supported. diff --git a/doc/DISCLAIMER_fr.md b/doc/DISCLAIMER_fr.md index 1f9af19..4f4e535 100644 --- a/doc/DISCLAIMER_fr.md +++ b/doc/DISCLAIMER_fr.md 
@@ -5,3 +5,7 @@ La requête est transmise telle-quelle au serveur backend. Cela veut usuellement Pour supporter les URLs relatives depuis le backend, accéder à l'application via `http(s)://example.com/proxy` produit une redirection permanente (302) vers `http(s)://example.com/proxy/` (avec le slash de fin). Sinon, un lien relatif comme `` essayerait de charger `http(s)://example.com/style.css`, ce qui échouerait. Il est possible que votre service backend ne supporte pas de configurer une "base URL" (chemin web personnalisé). Dans ce cas, il faudra installer l'application sur un (sous-)domaine dédié. + +### Backend localhost en clair (plaintext) + +Les connexions en clair en HTTP au backend ne sont autorisées qu'en localhost sur les adresses 127.X.X.X. Il faudrait aussi supporter 10.X.X.X. From 8d1845cce07e624edc88dd64d9933c33b2712a52 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Mon, 9 Jan 2023 11:41:40 +0000 Subject: [PATCH 2/7] Auto-update README --- README.md | 4 ++++ README_fr.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index 888614a..668c518 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,10 @@ To support relative URLs from the backend, accessing the application via `http(s It is possible that your backend service does not support setting up a "base URL" (custom web path). In that case, you will have to install the application on a dedicated (sub)domain. +### Plaintext localhost backend + +Plaintext HTTP backend is only allowed on localhost. For now, only 127.X.X.X is allowed. 10.X.X.X should also be supported. + ## Documentation and resources * Official app website: diff --git a/README_fr.md b/README_fr.md index b6e3e2f..45d8b07 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -37,6 +37,10 @@ Pour supporter les URLs relatives depuis le backend, accéder à l'application v Il est possible que votre service backend ne supporte pas de configurer une "base URL" (chemin web personnalisé). Dans ce cas, il faudra installer l'application sur un (sous-)domaine dédié. +### Backend localhost en clair (plaintext) + +Les connexions en clair en HTTP au backend ne sont autorisées qu'en localhost sur les adresses 127.X.X.X. Il faudrait aussi supporter 10.X.X.X. + ## Documentations et ressources * Site officiel de l'app : From c7b5b3dbeedef58b5fca45c52b0a69b35ecb0507 Mon Sep 17 00:00:00 2001 From: selfhoster1312 Date: Tue, 10 Jan 2023 13:09:57 +0100 Subject: [PATCH 3/7] Handle edgecases gracefully Yunohost templating doesn't like @__NAME____proxy because `reverseproxy__2__proxy` will evaluate __2__ to $2 or @__NAME__@proxy because ynh_replace_vars uses @ as sed delimiter and ynh_replace_vars really hates multiline blocks... Using actual newlines in string produces a sed unclosed delimiter error, while using \n gets them double escaped to some weird output that crashed nginx. --- conf/nginx.conf | 10 ++++------ scripts/_common.sh | 32 ++++++++++++++++++++++++++++++-- scripts/change_url | 10 ++++++++++ scripts/install | 9 +++++++-- scripts/upgrade | 8 +++++++- 5 files changed, 58 insertions(+), 11 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index b68bbbd..e993460 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,4 +1,4 @@ -location @__NAME____proxy { +location @__NAME__--proxy { proxy_pass __PROXY_PATH__; proxy_redirect off; proxy_set_header Host $host; @@ -18,11 +18,9 @@ location @__NAME____proxy { } # Support relative URLs -location = __PATH_URL__ { - return 302 __PATH_URL__/; -} +__REDIRECT_BLOCK__ -location __PATH_URL__/ { +location __PATH_URL_SLASH__ { alias __ASSETS_PATH__; - try_files $uri @__NAME____proxy; + try_files $uri @__NAME__--proxy; } diff --git a/scripts/_common.sh b/scripts/_common.sh index 373b908..59ddc05 100644 
--- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -3,8 +3,6 @@ # - plaintext http is only allowed to localhost (to avoid leaking credentials on the network) # - http(s) destination is webroot, no additional component allowed (eg. http://localhost:1234/test is invalid) rp_validate_proxy_path() { - proxy_path="$1" - if [[ ! $proxy_path =~ '^unix:/' ]]; then url_regex='^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)|https://.*)(:[0-9]+)?(/.*)?$' [[ ! $proxy_path =~ $url_regex ]] && ynh_die \ @@ -24,3 +22,33 @@ rp_validate_proxy_path() { fi fi } + +# Verify that the requested assets path is valid +# - is a local folder +# - ends with a / +rp_validate_assets_path() { + if [[ "$assets_path" = "" ]]; then + assets_path="/dev/null" + else + if [ ! -d "$assets_path" ]; then + ynh_die "Requested assets path "$assets_path" does not exist" 1 + fi + + if [[ ! "$assets_path" =~ /$ ]]; then + # Append missing trailing / + assets_path=""${assets_path}"/" + fi + fi +} + +# When the app is not in the webroot (path_url = /), need to add a redirect block +# to app/ so relative URLs work +rp_handle_webroot() { + if [[ "$path_url" = "/" ]]; then + path_url_slash="/" + redirect_block="# Not needed for webroot" + else + path_url_slash=""$path_url"/" + redirect_block="location = "$path_url" { return 302 "$path_url_slash"; }" + fi +} diff --git a/scripts/change_url b/scripts/change_url index 12acc82..6be7a27 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -39,6 +39,16 @@ path_url="$new_path" domain="$old_domain" proxy_path="$(ynh_app_setting_get --app=$app --key=proxy_path)" assets_path="$(ynh_app_setting_get --app=$app --key=assets_path)" + +# Validate reverse proxy destination +rp_validate_proxy_path + +# Validate assets_path +rp_validate_assets_path + +# Special case for "/" path_url +rp_handle_webroot + ynh_add_nginx_config # Move file to new domain if domain has changed diff --git a/scripts/install b/scripts/install index 6071afd..da62af9 100644 --- a/scripts/install 
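Review bot: The first test in `rp_validate_proxy_path`, `[[ ! $proxy_path =~ '^unix:/' ]]`, quotes its pattern, and bash (3.2 and later, outside compat31 mode) matches a quoted right-hand side of `=~` as a literal string, so the condition is true for every realistic value and a `unix:/…` destination falls into the URL branch and is rejected by `url_regex`. Unquote it, `if [[ ! $proxy_path =~ ^unix:/ ]]; then`, or hold the pattern in a variable as is already done for `url_regex`. Since this commit drops `proxy_path="$1"`, the function now depends on the caller having set the global `proxy_path`; a one-line comment above it such as `# Reads the global $proxy_path` would keep that visible. The function body continues outside this hunk.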
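Review bot: `rp_validate_assets_path` accepts any string that passes `[ -d "$assets_path" ]`, yet the value is rendered into the nginx `alias` directive (`alias __ASSETS_PATH__;` in this commit, `assets_alias="alias $assets_path;"` in patch 5/7), so a relative path, a path containing whitespace, `;`, `{` or `}`, or a sensitive system directory all reach the server configuration unchecked. Reject anything that is not an absolute path made of a conservative character set before the `-d` test, for example `[[ "$assets_path" =~ ^/[A-Za-z0-9._/-]+$ ]] || ynh_die "Invalid assets path" 1`. `rp_handle_webroot` builds `redirect_block` from `$path_url` the same way; whether `path_url` is already normalised before this point is not visible here. Separately, in `ynh_die "Requested assets path "$assets_path" does not exist" 1` the expansion sits outside the quotes as written, so a path containing spaces would split the message into several arguments.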
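Review bot: `rp_validate_assets_path` is now run here on the value read back from settings, and in this commit it rewrites an empty `assets_path` to `/dev/null`; if the install script stores the variable after validating it (the store is outside the install hunk), this call will then see `/dev/null`, fail the `if [ ! -d "$assets_path" ]; then` test and abort with `ynh_die`. The upgrade hunk makes the same call and would be affected in the same way. Treating the sentinel like the empty value in the first branch, `if [[ -z "$assets_path" || "$assets_path" = "/dev/null" ]]; then`, would let instances installed without static assets still change URL and upgrade.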
+++ b/scripts/install @@ -26,7 +26,6 @@ domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH proxy_path=$YNH_APP_ARG_PROXY_PATH assets_path=$YNH_APP_ARG_ASSETS_PATH -[[ "$assets_path" = "" ]] && assets_path="/dev/null" is_public=$YNH_APP_ARG_IS_PUBLIC #================================================= @@ -37,7 +36,13 @@ is_public=$YNH_APP_ARG_IS_PUBLIC ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url # Validate reverse proxy destination -rp_validate_proxy_path "$proxy_path" +rp_validate_proxy_path + +# Validate assets_path +rp_validate_assets_path + +# Special case for "/" path_url +rp_handle_webroot # Save extra settings ynh_app_setting_set --app=$app --key=proxy_path --value=$proxy_path diff --git a/scripts/upgrade b/scripts/upgrade index bd2d585..2c21e32 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -39,7 +39,13 @@ ynh_abort_if_errors #================================================= # Validate proxy destination -rp_validate_proxy_path "$proxy_path" +rp_validate_proxy_path + +# Validate assets_path +rp_validate_assets_path + +# Special case for "/" path_url +rp_handle_webroot # Configure nginx ynh_script_progression --message="Configuring NGINX web server..." --weight=1 From d6838b36d3b198e45583dcd87dae05c4d58a229a Mon Sep 17 00:00:00 2001 From: selfhoster1312 Date: Tue, 10 Jan 2023 19:02:18 +0100 Subject: [PATCH 4/7] Don't forget to set domain in backup script --- scripts/backup | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/backup b/scripts/backup index fcf30d3..1b8acfc 100644 --- a/scripts/backup +++ b/scripts/backup @@ -23,6 +23,7 @@ ynh_print_info --message="Loading installation settings..." # Retrieve arguments app=$YNH_APP_INSTANCE_NAME +domain=$(ynh_app_setting_get --app=$app --key=domain) #================================================= # BACKUP THE NGINX CONFIGURATION From a47af1ed63cf4e59313fd4edc09afaa7e757f33b Mon Sep 17 00:00:00 2001 
From: selfhoster1312 Date: Tue, 10 Jan 2023 19:03:08 +0100 Subject: [PATCH 5/7] Yunohost panel in parent location block, assets/try_files defined from bash --- conf/nginx.conf | 9 +++++---- scripts/_common.sh | 22 ++++++++++++++-------- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index e993460..8b49fab 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -12,8 +12,6 @@ location @__NAME__--proxy { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; more_clear_input_headers 'Accept-Encoding'; } @@ -21,6 +19,9 @@ location @__NAME__--proxy { __REDIRECT_BLOCK__ location __PATH_URL_SLASH__ { - alias __ASSETS_PATH__; - try_files $uri @__NAME__--proxy; + # Include SSOWAT user panel. + include conf.d/yunohost_panel.conf.inc; + + __ASSETS_ALIAS__ + __TRY_FILES__ } diff --git a/scripts/_common.sh b/scripts/_common.sh index 59ddc05..d5b7897 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -26,9 +26,12 @@ rp_validate_proxy_path() { # Verify that the requested assets path is valid # - is a local folder # - ends with a / +# Sets the alias line for serving static files, +# and the try_files line for trying those static files first rp_validate_assets_path() { if [[ "$assets_path" = "" ]]; then - assets_path="/dev/null" + assets_alias="# No static files to serve" + try_files="try_files /dev/null @${app}--proxy;" else if [ ! -d "$assets_path" ]; then ynh_die "Requested assets path "$assets_path" does not exist" 1 
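Review bot: Moving `include conf.d/yunohost_panel.conf.inc;` into `location __PATH_URL_SLASH__` means it no longer applies to proxied responses: when `__TRY_FILES__` falls back to `@__NAME__--proxy`, nginx processes the request with the named location's configuration, and a named location does not inherit from the location that redirected to it. What the include configures is not visible in this patch, so this should be checked against a proxied HTML page; `more_clear_input_headers 'Accept-Encoding';` stays in the named location, which suggests the two were meant to work together. If the panel is wanted on backend pages, keep the include in both locations. A comment above `__ASSETS_ALIAS__` and `__TRY_FILES__` saying they are filled in by `rp_validate_assets_path` in `scripts/_common.sh` would also help the next reader of the template.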
@@ -38,17 +41,20 @@ rp_validate_assets_path() { # Append missing trailing / assets_path=""${assets_path}"/" fi + + assets_alias="alias $assets_path;" + try_files="try_files \$uri \$uri/ @${app}--proxy;" fi } # When the app is not in the webroot (path_url = /), need to add a redirect block # to app/ so relative URLs work rp_handle_webroot() { - if [[ "$path_url" = "/" ]]; then - path_url_slash="/" - redirect_block="# Not needed for webroot" - else - path_url_slash=""$path_url"/" - redirect_block="location = "$path_url" { return 302 "$path_url_slash"; }" - fi + if [[ "$path_url" = "/" ]]; then + path_url_slash="/" + redirect_block="# Not needed for webroot" + else + path_url_slash=""$path_url"/" + redirect_block="location = "$path_url" { return 302 "$path_url_slash"; }" + fi } From db2eefa4985ee95a22d7af520a831d7e0f3107af Mon Sep 17 00:00:00 2001 From: selfhoster1312 Date: Tue, 10 Jan 2023 19:03:54 +0100 Subject: [PATCH 6/7] Handle config checksums in change_url scripts --- scripts/change_url | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/scripts/change_url b/scripts/change_url index 6be7a27..9f8d871 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -49,10 +49,18 @@ rp_validate_assets_path # Special case for "/" path_url rp_handle_webroot +nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf + +ynh_backup_if_checksum_is_different --file="$nginx_conf_path" ynh_add_nginx_config # Move file to new domain if domain has changed -[[ "$old_domain" != "$new_domain" ]] && mv /etc/nginx/conf.d/$old_domain.d/$app.conf /etc/nginx/conf.d/$new_domain.d/$app.conf +if [[ "$old_domain" != "$new_domain" ]]; then + new_nginx_conf_path=/etc/nginx/conf.d/$new_domain.d/$app.conf + ynh_delete_file_checksum --file="$nginx_conf_path" + mv $nginx_conf_path $new_nginx_conf_path + ynh_store_file_checksum --file="$new_nginx_conf_path" +fi #================================================= 
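Review bot: The new `try_files \$uri \$uri/ @${app}--proxy;` also tests `$uri/`, so any request whose path is a directory under `assets_path`, including the application root itself, is answered from the assets folder (its index file, or 403 when there is none and autoindex is off) instead of reaching the backend. If that is the intent (static front end plus proxied API), say so in the function header, e.g. `# Directories that exist under assets_path are served locally and never proxied`; if not, drop `\$uri/`. The value placed in `assets_alias="alias $assets_path;"` is interpolated as-is, so it relies entirely on the checks earlier in `rp_validate_assets_path`, which starts outside this hunk.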
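Review bot: `mv $nginx_conf_path $new_nginx_conf_path` expands both paths unquoted, and `ynh_delete_file_checksum` runs before the move, so a failed `mv` leaves the old file in place with its checksum record already removed (whether the script aborts on error is not visible in this hunk). Quote the operands and move first: `mv -- "$nginx_conf_path" "$new_nginx_conf_path"`, then `ynh_delete_file_checksum --file="$nginx_conf_path"` and `ynh_store_file_checksum --file="$new_nginx_conf_path"`. The destination directory `/etc/nginx/conf.d/$new_domain.d/` is assumed to exist; nothing in the hunk checks it.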
From f114e3235e73d5ff599a4ebc3ae370150c29c990 Mon Sep 17 00:00:00 2001 From: selfhoster1312 Date: Tue, 10 Jan 2023 19:05:00 +0100 Subject: [PATCH 7/7] Serve admin assets and reverse proxy API in tests, enable more tests --- check_process | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/check_process b/check_process index 0d67e75..38d1606 100644 --- a/check_process +++ b/check_process @@ -2,20 +2,19 @@ ; Manifest domain="domain.tld" path="/path" - proxy_path="http://127.0.0.1" - assets_path="" + proxy_path="http://127.0.0.1:6787" + assets_path="/usr/share/yunohost/admin" ; Checks pkg_linter=1 setup_sub_dir=1 setup_root=1 setup_nourl=0 - setup_private=0 setup_private=1 setup_public=1 upgrade=1 backup_restore=1 multi_instance=1 - change_url=0 + change_url=1 ;;; Options Email= Notification=none
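Review bot: With `assets_path="/usr/share/yunohost/admin"` every scenario now installs with static assets, so the empty-`assets_path` branch of `rp_validate_assets_path` (the `try_files /dev/null …` fallback) is no longer exercised by install, upgrade or the newly enabled `change_url=1`. If this file can hold more than one test series, add one with `assets_path=""`; otherwise record in the commit message that the no-assets case is only covered manually. The backend at `http://127.0.0.1:6787` is assumed to be listening in the test environment; nothing in this patch starts it.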