Merge pull request #1 from YunoHost-Apps/moredocs

Fix all the tests!

README.md

@@ -37,6 +37,10 @@ To support relative URLs from the backend, accessing the application via `http(s
 
 It is possible that your backend service does not support setting up a "base URL" (custom web path). In that case, you will have to install the application on a dedicated (sub)domain.
 
+### Plaintext localhost backend
+
+Plaintext HTTP backend is only allowed on localhost. For now, only 127.X.X.X is allowed. 10.X.X.X should also be supported.
+
 ## Documentation and resources
 
 * Official app website: <https://en.wikipedia.org/wiki/Reverse_proxy>

README_fr.md

@@ -37,6 +37,10 @@ Pour supporter les URLs relatives depuis le backend, accéder à l'application v
 
 Il est possible que votre service backend ne supporte pas de configurer une "base URL" (chemin web personnalisé). Dans ce cas, il faudra installer l'application sur un (sous-)domaine dédié.
 
+### Backend localhost en clair (plaintext)
+
+Les connexions en clair en HTTP au backend ne sont autorisées qu'en localhost sur les adresses 127.X.X.X. Il faudrait aussi supporter 10.X.X.X.
+
 ## Documentations et ressources
 
 * Site officiel de l'app : <https://en.wikipedia.org/wiki/Reverse_proxy>

check_process

@@ -2,20 +2,19 @@
 	; Manifest
 		domain="domain.tld"
 		path="/path"
-		proxy_path="http://127.0.0.1"
-		assets_path=""
+		proxy_path="http://127.0.0.1:6787"
+		assets_path="/usr/share/yunohost/admin"
 	; Checks
 		pkg_linter=1
 		setup_sub_dir=1
 		setup_root=1
 		setup_nourl=0
-		setup_private=0
 		setup_private=1
 		setup_public=1
 		upgrade=1
 		backup_restore=1
 		multi_instance=1
-		change_url=0
+		change_url=1
 ;;; Options
 Email=
 Notification=none

conf/nginx.conf

@@ -1,4 +1,4 @@
-location @__NAME____proxy {
+location @__NAME__--proxy {
   proxy_pass        __PROXY_PATH__;
   proxy_redirect    off;
   proxy_set_header  Host $host;
@@ -12,17 +12,16 @@ location @__NAME____proxy {
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";
 
-  # Include SSOWAT user panel.
-  include conf.d/yunohost_panel.conf.inc;
   more_clear_input_headers 'Accept-Encoding';
 }
 
 # Support relative URLs
-location = __PATH_URL__ {
-    return 302 __PATH_URL__/;
-}
+__REDIRECT_BLOCK__
 
-location __PATH_URL__/ {
-    alias __ASSETS_PATH__;
-    try_files $uri @__NAME____proxy;
+location __PATH_URL_SLASH__ {
+    # Include SSOWAT user panel.
+    include conf.d/yunohost_panel.conf.inc;
+
+    __ASSETS_ALIAS__
+    __TRY_FILES__
 }

doc/DISCLAIMER.md

@@ -5,3 +5,7 @@ The request is transmitted as-is to the backend server. This usually means that
 To support relative URLs from the backend, accessing the application via `http(s)://example.com/proxy` will permanent redirect (302) to `http(s)://example.com/proxy/` (trailing slash). Otherwise, a relative link like `<link rel="stylesheet" href="style.css">` would try to load `http(s)://example.com/style.css` which would fail.
 
 It is possible that your backend service does not support setting up a "base URL" (custom web path). In that case, you will have to install the application on a dedicated (sub)domain.
+
+### Plaintext localhost backend
+
+Plaintext HTTP backend is only allowed on localhost. For now, only 127.X.X.X is allowed. 10.X.X.X should also be supported.

doc/DISCLAIMER_fr.md

@@ -5,3 +5,7 @@ La requête est transmise telle-quelle au serveur backend. Cela veut usuellement
 Pour supporter les URLs relatives depuis le backend, accéder à l'application via `http(s)://example.com/proxy` produit une redirection permanente (302) vers `http(s)://example.com/proxy/` (avec le slash de fin). Sinon, un lien relatif comme `<link rel="stylesheet" href="style.css">` essayerait de charger `http(s)://example.com/style.css`, ce qui échouerait.
 
 Il est possible que votre service backend ne supporte pas de configurer une "base URL" (chemin web personnalisé). Dans ce cas, il faudra installer l'application sur un (sous-)domaine dédié.
+
+### Backend localhost en clair (plaintext)
+
+Les connexions en clair en HTTP au backend ne sont autorisées qu'en localhost sur les adresses 127.X.X.X. Il faudrait aussi supporter 10.X.X.X.

scripts/_common.sh

@@ -3,8 +3,6 @@
 #   - plaintext http is only allowed to localhost (to avoid leaking credentials on the network)
 #   - http(s) destination is webroot, no additional component allowed (eg. http://localhost:1234/test is invalid)
 rp_validate_proxy_path() {
-    proxy_path="$1"
-
     if [[ ! $proxy_path =~ '^unix:/' ]]; then
         url_regex='^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)|https://.*)(:[0-9]+)?(/.*)?$'
         [[ ! $proxy_path =~ $url_regex ]] && ynh_die \
@@ -24,3 +22,39 @@ rp_validate_proxy_path() {
         fi
     fi
 }
+
+# Verify that the requested assets path is valid
+#   - is a local folder
+#   - ends with a /
+# Sets the alias line for serving static files,
+# and the try_files line for trying those static files first
+rp_validate_assets_path() {
+    if [[ "$assets_path" = "" ]]; then
+        assets_alias="# No static files to serve"
+        try_files="try_files /dev/null @${app}--proxy;"
+    else
+        if [ ! -d "$assets_path" ]; then
+            ynh_die "Requested assets path "$assets_path" does not exist" 1
+        fi
+
+        if [[ ! "$assets_path" =~ /$ ]]; then
+            # Append missing trailing /
+            assets_path=""${assets_path}"/"
+        fi
+
+        assets_alias="alias $assets_path;"
+        try_files="try_files \$uri \$uri/ @${app}--proxy;"
+    fi
+}
+
+# When the app is not in the webroot (path_url = /), need to add a redirect block
+# to app/ so relative URLs work
+rp_handle_webroot() {
+    if [[ "$path_url" = "/" ]]; then
+        path_url_slash="/"
+        redirect_block="# Not needed for webroot"
+    else
+        path_url_slash=""$path_url"/"
+        redirect_block="location = "$path_url" { return 302 "$path_url_slash"; }"
+    fi
+}

scripts/backup

@@ -23,6 +23,7 @@ ynh_print_info --message="Loading installation settings..."
 
 # Retrieve arguments
 app=$YNH_APP_INSTANCE_NAME
+domain=$(ynh_app_setting_get --app=$app --key=domain)
 
 #=================================================
 # BACKUP THE NGINX CONFIGURATION

scripts/change_url

@@ -39,10 +39,28 @@ path_url="$new_path"
 domain="$old_domain"
 proxy_path="$(ynh_app_setting_get --app=$app --key=proxy_path)"
 assets_path="$(ynh_app_setting_get --app=$app --key=assets_path)"
+
+# Validate reverse proxy destination
+rp_validate_proxy_path
+
+# Validate assets_path
+rp_validate_assets_path
+
+# Special case for "/" path_url
+rp_handle_webroot
+
+nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
+
+ynh_backup_if_checksum_is_different --file="$nginx_conf_path"
 ynh_add_nginx_config
 
 # Move file to new domain if domain has changed
-[[ "$old_domain" != "$new_domain" ]] && mv /etc/nginx/conf.d/$old_domain.d/$app.conf /etc/nginx/conf.d/$new_domain.d/$app.conf
+if [[ "$old_domain" != "$new_domain" ]]; then
+    new_nginx_conf_path=/etc/nginx/conf.d/$new_domain.d/$app.conf
+    ynh_delete_file_checksum --file="$nginx_conf_path"
+    mv $nginx_conf_path $new_nginx_conf_path
+    ynh_store_file_checksum --file="$new_nginx_conf_path"
+fi
 
 
 #=================================================

scripts/install

@@ -26,7 +26,6 @@ domain=$YNH_APP_ARG_DOMAIN
 path_url=$YNH_APP_ARG_PATH
 proxy_path=$YNH_APP_ARG_PROXY_PATH
 assets_path=$YNH_APP_ARG_ASSETS_PATH
-[[ "$assets_path" = "" ]] && assets_path="/dev/null"
 is_public=$YNH_APP_ARG_IS_PUBLIC
 
 #=================================================
@@ -37,7 +36,13 @@ is_public=$YNH_APP_ARG_IS_PUBLIC
 ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
 
 # Validate reverse proxy destination
-rp_validate_proxy_path "$proxy_path"
+rp_validate_proxy_path
+
+# Validate assets_path
+rp_validate_assets_path
+
+# Special case for "/" path_url
+rp_handle_webroot
 
 # Save extra settings
 ynh_app_setting_set --app=$app --key=proxy_path --value=$proxy_path

scripts/upgrade

@@ -39,7 +39,13 @@ ynh_abort_if_errors
 #=================================================
 
 # Validate proxy destination
-rp_validate_proxy_path "$proxy_path"
+rp_validate_proxy_path
+
+# Validate assets_path
+rp_validate_assets_path
+
+# Special case for "/" path_url
+rp_handle_webroot
 
 # Configure nginx
 ynh_script_progression --message="Configuring NGINX web server..." --weight=1