diff --git a/README.md b/README.md index 24beda7..888614a 100644 --- a/README.md +++ b/README.md @@ -3,64 +3,56 @@ N.B.: This README was automatically generated by https://github.com/YunoHost/app It shall NOT be edited by hand. --> -# Redirect for YunoHost +# Reverse Proxy for YunoHost -[![Integration level](https://dash.yunohost.org/integration/redirect.svg)](https://dash.yunohost.org/appci/app/redirect) ![Working status](https://ci-apps.yunohost.org/ci/badges/redirect.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/redirect.maintain.svg) -[![Install Redirect with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=redirect) +[![Integration level](https://dash.yunohost.org/integration/reverseproxy.svg)](https://dash.yunohost.org/appci/app/reverseproxy) ![Working status](https://ci-apps.yunohost.org/ci/badges/reverseproxy.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/reverseproxy.maintain.svg) +[![Install Reverse Proxy with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=reverseproxy) *[Lire ce readme en français.](./README_fr.md)* -> *This package allows you to install Redirect quickly and simply on a YunoHost server. +> *This package allows you to install Reverse Proxy quickly and simply on a YunoHost server. If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.* ## Overview -This application allows to integrate a custom tile in YunoHost's user portal. Typical use cases include: -- **visible 301/302 redirect** : having a "virtual" app tile that's just a redirection to another url or external website -- **invisible redirect / reverse-proxy** : creating an app tile for a local app listening on a specific port, or a Docker container, or an app hosted on another machine +This application allows to configure a HTTP(S) reverse proxy to serve another web service, as well as an (optional) static assets directory to serve directly from nginx. The application appears as a tile in the SSOWat panel, unless configured otherwise after install. The access to the application can be made public. -In technical terms: this app only adds a NGINX configuration snippet with either `redirect` or `proxy_pass` rule, and a YunoHost tile + appropriate SSOwat configuration. +The supported backends are: + +- plaintext HTTP to localhost (127.x.x.x) +- HTTPS to any destination +- socket file on local disk + +Please be aware that SSOWat sends user credentials in plaintext to the backend, so do not use this application to reverse-proxy a service you don't trust (for example to mirror a site hosted by someone else). -**Shipped version:** 1.0.2~ynh1 - +**Shipped version:** 0.1~ynh1 ## Disclaimers / important information -## Redirect type +### Backend web path -### Visible redirect +The request is transmitted as-is to the backend server. This usually means that the backend service shoudl be aware of the web path used to access the service. For example, if using the application is installed to `example.com/proxy`, your backend application should produce absolute links starting with `example.com/proxy/` too. -The client will be redirected to another url or external website +To support relative URLs from the backend, accessing the application via `http(s)://example.com/proxy` will permanent redirect (302) to `http(s)://example.com/proxy/` (trailing slash). Otherwise, a relative link like `` would try to load `http(s)://example.com/style.css` which would fail. -- `your-domain.com -> another-domain.net` -- `your-domain.com/foo -> another-domain.net/bar` - -### Invisible redirect (a.k.a "reverse-proxy") - -Visitor's address bar will remain the same. Typically used to integrate into YunoHost a manually-installed app into the portal. - -- `you-domain.com/foo -> http://172.0.0.1:8080/app` - -**IMPORTANT:** you may have to further tweak the `redirect.conf` in the nginx configuration, depending on your needs! - -**IMPORTANT:** Many apps do not support being redirected to a different path due to relative links! This means that some apps being hosted for example on http://127.0.0.1:5050/app/ MUST be redirected to http://domain.tld/app/ and NOT http://domain.tld/someotherapp/. For example : an Odoo Docker container runs on http://127.0.0.1:8069/. You will not be able to redirect it to http://domain.tld/odoo/ ! You have to redirect it to the root, so for example http://odoo.domain.tld/ +It is possible that your backend service does not support setting up a "base URL" (custom web path). In that case, you will have to install the application on a dedicated (sub)domain. ## Documentation and resources -* Official app website: -* YunoHost documentation for this app: -* Report a bug: +* Official app website: +* YunoHost documentation for this app: +* Report a bug: ## Developer info -Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/redirect_ynh/tree/testing). +Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/reverseproxy_ynh/tree/testing). To try the testing branch, please proceed like that. ``` bash -sudo yunohost app install https://github.com/YunoHost-Apps/redirect_ynh/tree/testing --debug +sudo yunohost app install https://github.com/YunoHost-Apps/reverseproxy_ynh/tree/testing --debug or -sudo yunohost app upgrade redirect -u https://github.com/YunoHost-Apps/redirect_ynh/tree/testing --debug +sudo yunohost app upgrade reverseproxy -u https://github.com/YunoHost-Apps/reverseproxy_ynh/tree/testing --debug ``` **More info regarding app packaging:** diff --git a/README_fr.md b/README_fr.md index 9b913cd..b6e3e2f 100644 --- a/README_fr.md +++ b/README_fr.md @@ -3,64 +3,56 @@ N.B.: This README was automatically generated by https://github.com/YunoHost/app It shall NOT be edited by hand. --> -# Redirect pour YunoHost +# Reverse Proxy pour YunoHost -[![Niveau d'intégration](https://dash.yunohost.org/integration/redirect.svg)](https://dash.yunohost.org/appci/app/redirect) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/redirect.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/redirect.maintain.svg) -[![Installer Redirect avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=redirect) +[![Niveau d'intégration](https://dash.yunohost.org/integration/reverseproxy.svg)](https://dash.yunohost.org/appci/app/reverseproxy) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/reverseproxy.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/reverseproxy.maintain.svg) +[![Installer Reverse Proxy avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=reverseproxy) *[Read this readme in english.](./README.md)* -> *Ce package vous permet d'installer Redirect rapidement et simplement sur un serveur YunoHost. +> *Ce package vous permet d'installer Reverse Proxy rapidement et simplement sur un serveur YunoHost. Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.* ## Vue d'ensemble -Cette application permet d'intégrée une tuile personalisée dans le portail utilisateur de YunoHost. Les cas d'usage typiques sont: -- **redirection 301/302 visible** : avoir une tuile d'app "virtuelle" qui se contente de rediriger vers une autre url ou un site externe -- **redirection invisible / reverse-proxy** : créer une tuile pour une application locale écoutant sur un port précis, ou bien un conteneur Docker, ou encore une app hébergée sur une autre machine +Cette application permet de configurer un reverse proxy HTTP(S) pour servir un autre service web, ainsi qu'un dossier (optionnel) pour les assets statiques qui sera servi directement depuis nginx. L'application apparaît comme tuile dans le panel SSOWat, sauf si elle a été configurée autrement après l'installation. L'accès à l'application peut être rendu public. -En terme technique: cette app se contente de rajouter le morceau de configuration NGINX approprié avec soit `redirect` ou `proxy_pass`, et la tuile YunoHost + configuration SSOwat correspondante. +Les backends supportés sont: + +- HTTP en clair (plaintext) vers localhost (127.x.x.x) +- HTTPS vers n'importe quelle destination +- fichier socket sur disque local + +Attention, SSOWat envoie les identifiants des utilisateurices en clair jusqu'au backend, donc n'utilisez pas cette application pour reverse-proxy un service dans lequel vous n'avez pas confiance (par exemple pour mirrorer un site hébergé par une autre personne). -**Version incluse :** 1.0.2~ynh1 - +**Version incluse :** 0.1~ynh1 ## Avertissements / informations importantes -## Types de redirection +### Chemin web du backend -### Redirection visible +La requête est transmise telle-quelle au serveur backend. Cela veut usuellement dire que le service backend doit avoir connaissance du chemin web utilisé pour accéder au service. Par exemple, si l'application est installée sur `example.com/proxy`, votre application backend devrait produire des liens absolus commençant par `example.com/proxy/`. -Le client sera redirigé vers une autre URL ou site externe +Pour supporter les URLs relatives depuis le backend, accéder à l'application via `http(s)://example.com/proxy` produit une redirection permanente (302) vers `http(s)://example.com/proxy/` (avec le slash de fin). Sinon, un lien relatif comme `` essayerait de charger `http(s)://example.com/style.css`, ce qui échouerait. -- `votre-domaine.com -> un-autre-domaine.net` -- `votre-domaine.com/foo -> un-autre-domaine.net/bar` - -### Redirection invisible (a.k.a "reverse-proxy") - -L'adresse du client restera inchangé dans le navigateur. Typiquement utilisé pour intéger dans YunoHost une application installée manuellement. - -- `you-domain.com/foo -> http://172.0.0.1:8080/app` - -**IMPORTANT:** il vous faudra peut-être bricoler manuellement `redirect.conf` dans la configuration nginx, en fonction de vos besoins. - -**IMPORTANT:** Certaines apps ne supportent pas d'être redirigées depuis un chemin différent à cause du fonctionnement des liens relatifs ... Cela signifie que par exemple une app hébergée sur `http://127.0.0.1:5050/app/` DOIT être routé sur `http://domaine.tld/app/` et PAS http://domaine.tld/unautrechemin/. Par exemple: un conteneur Docker Odoo tourne sur `http://127.0.0.1:8069/`. Il ne sera pas capable de fonctionné correctement si il est routé sur `http://domaine.tld/odoo/` ! Il faut forcément l'installer à la racine d'un domaine, par exemple `http://odoo.domaine.tld/` +Il est possible que votre service backend ne supporte pas de configurer une "base URL" (chemin web personnalisé). Dans ce cas, il faudra installer l'application sur un (sous-)domaine dédié. ## Documentations et ressources -* Site officiel de l'app : -* Documentation YunoHost pour cette app : -* Signaler un bug : +* Site officiel de l'app : +* Documentation YunoHost pour cette app : +* Signaler un bug : ## Informations pour les développeurs -Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/redirect_ynh/tree/testing). +Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/reverseproxy_ynh/tree/testing). Pour essayer la branche testing, procédez comme suit. ``` bash -sudo yunohost app install https://github.com/YunoHost-Apps/redirect_ynh/tree/testing --debug +sudo yunohost app install https://github.com/YunoHost-Apps/reverseproxy_ynh/tree/testing --debug ou -sudo yunohost app upgrade redirect -u https://github.com/YunoHost-Apps/redirect_ynh/tree/testing --debug +sudo yunohost app upgrade reverseproxy -u https://github.com/YunoHost-Apps/reverseproxy_ynh/tree/testing --debug ``` **Plus d'infos sur le packaging d'applications :** diff --git a/conf/nginx-visible-301.conf b/conf/nginx-visible-301.conf deleted file mode 100644 index 2b3ffb6..0000000 --- a/conf/nginx-visible-301.conf +++ /dev/null @@ -1,3 +0,0 @@ -location YNH_LOCATION { - return 301 YNH_REDIRECT_PATH$request_uri; -} diff --git a/conf/nginx-visible-302.conf b/conf/nginx-visible-302.conf deleted file mode 100644 index e1ffc66..0000000 --- a/conf/nginx-visible-302.conf +++ /dev/null @@ -1,3 +0,0 @@ -location YNH_LOCATION { - return 302 YNH_REDIRECT_PATH$request_uri; -} diff --git a/conf/nginx-proxy.conf b/conf/nginx.conf similarity index 69% rename from conf/nginx-proxy.conf rename to conf/nginx.conf index 6d3a1ee..fef8e48 100644 --- a/conf/nginx-proxy.conf +++ b/conf/nginx.conf @@ -1,5 +1,5 @@ -location YNH_LOCATION { - proxy_pass YNH_REDIRECT_PATH; +location @YNH_APPNAME__proxy { + proxy_pass YNH_PROXY_PATH; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -16,3 +16,13 @@ location YNH_LOCATION { include conf.d/yunohost_panel.conf.inc; more_clear_input_headers 'Accept-Encoding'; } + +# Support relative URLs +location = YNH_LOCATION { + return 302 YNH_LOCATION/; +} + +location YNH_LOCATION/ { + alias YNH_ASSETS_PATH; + try_files $uri @YNH_APPNAME__proxy; +} diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md index 4f42f68..a280197 100644 --- a/doc/DESCRIPTION.md +++ b/doc/DESCRIPTION.md @@ -1,5 +1,9 @@ -This application allows to integrate a custom tile in YunoHost's user portal. Typical use cases include: -- **visible 301/302 redirect** : having a "virtual" app tile that's just a redirection to another url or external website -- **invisible redirect / reverse-proxy** : creating an app tile for a local app listening on a specific port, or a Docker container, or an app hosted on another machine +This application allows to configure a HTTP(S) reverse proxy to serve another web service, as well as an (optional) static assets directory to serve directly from nginx. The application appears as a tile in the SSOWat panel, unless configured otherwise after install. The access to the application can be made public. -In technical terms: this app only adds a NGINX configuration snippet with either `redirect` or `proxy_pass` rule, and a YunoHost tile + appropriate SSOwat configuration. +The supported backends are: + +- plaintext HTTP to localhost (127.x.x.x) +- HTTPS to any destination +- socket file on local disk + +Please be aware that SSOWat sends user credentials in plaintext to the backend, so do not use this application to reverse-proxy a service you don't trust (for example to mirror a site hosted by someone else). diff --git a/doc/DESCRIPTION_fr.md b/doc/DESCRIPTION_fr.md index 3727eb8..6c6358b 100644 --- a/doc/DESCRIPTION_fr.md +++ b/doc/DESCRIPTION_fr.md @@ -1,5 +1,9 @@ -Cette application permet d'intégrée une tuile personalisée dans le portail utilisateur de YunoHost. Les cas d'usage typiques sont: -- **redirection 301/302 visible** : avoir une tuile d'app "virtuelle" qui se contente de rediriger vers une autre url ou un site externe -- **redirection invisible / reverse-proxy** : créer une tuile pour une application locale écoutant sur un port précis, ou bien un conteneur Docker, ou encore une app hébergée sur une autre machine +Cette application permet de configurer un reverse proxy HTTP(S) pour servir un autre service web, ainsi qu'un dossier (optionnel) pour les assets statiques qui sera servi directement depuis nginx. L'application apparaît comme tuile dans le panel SSOWat, sauf si elle a été configurée autrement après l'installation. L'accès à l'application peut être rendu public. -En terme technique: cette app se contente de rajouter le morceau de configuration NGINX approprié avec soit `redirect` ou `proxy_pass`, et la tuile YunoHost + configuration SSOwat correspondante. +Les backends supportés sont: + +- HTTP en clair (plaintext) vers localhost (127.x.x.x) +- HTTPS vers n'importe quelle destination +- fichier socket sur disque local + +Attention, SSOWat envoie les identifiants des utilisateurices en clair jusqu'au backend, donc n'utilisez pas cette application pour reverse-proxy un service dans lequel vous n'avez pas confiance (par exemple pour mirrorer un site hébergé par une autre personne). diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md index 446e514..3f6a3d5 100644 --- a/doc/DISCLAIMER.md +++ b/doc/DISCLAIMER.md @@ -1,18 +1,7 @@ -## Redirect type +### Backend web path -### Visible redirect +The request is transmitted as-is to the backend server. This usually means that the backend service shoudl be aware of the web path used to access the service. For example, if using the application is installed to `example.com/proxy`, your backend application should produce absolute links starting with `example.com/proxy/` too. -The client will be redirected to another url or external website +To support relative URLs from the backend, accessing the application via `http(s)://example.com/proxy` will permanent redirect (302) to `http(s)://example.com/proxy/` (trailing slash). Otherwise, a relative link like `` would try to load `http(s)://example.com/style.css` which would fail. -- `your-domain.com -> another-domain.net` -- `your-domain.com/foo -> another-domain.net/bar` - -### Invisible redirect (a.k.a "reverse-proxy") - -Visitor's address bar will remain the same. Typically used to integrate into YunoHost a manually-installed app into the portal. - -- `you-domain.com/foo -> http://172.0.0.1:8080/app` - -**IMPORTANT:** you may have to further tweak the `redirect.conf` in the nginx configuration, depending on your needs! - -**IMPORTANT:** Many apps do not support being redirected to a different path due to relative links! This means that some apps being hosted for example on http://127.0.0.1:5050/app/ MUST be redirected to http://domain.tld/app/ and NOT http://domain.tld/someotherapp/. For example : an Odoo Docker container runs on http://127.0.0.1:8069/. You will not be able to redirect it to http://domain.tld/odoo/ ! You have to redirect it to the root, so for example http://odoo.domain.tld/ +It is possible that your backend service does not support setting up a "base URL" (custom web path). In that case, you will have to install the application on a dedicated (sub)domain. diff --git a/doc/DISCLAIMER_fr.md b/doc/DISCLAIMER_fr.md index e7c511f..1f9af19 100644 --- a/doc/DISCLAIMER_fr.md +++ b/doc/DISCLAIMER_fr.md @@ -1,18 +1,7 @@ -## Types de redirection +### Chemin web du backend -### Redirection visible +La requête est transmise telle-quelle au serveur backend. Cela veut usuellement dire que le service backend doit avoir connaissance du chemin web utilisé pour accéder au service. Par exemple, si l'application est installée sur `example.com/proxy`, votre application backend devrait produire des liens absolus commençant par `example.com/proxy/`. -Le client sera redirigé vers une autre URL ou site externe +Pour supporter les URLs relatives depuis le backend, accéder à l'application via `http(s)://example.com/proxy` produit une redirection permanente (302) vers `http(s)://example.com/proxy/` (avec le slash de fin). Sinon, un lien relatif comme `` essayerait de charger `http(s)://example.com/style.css`, ce qui échouerait. -- `votre-domaine.com -> un-autre-domaine.net` -- `votre-domaine.com/foo -> un-autre-domaine.net/bar` - -### Redirection invisible (a.k.a "reverse-proxy") - -L'adresse du client restera inchangé dans le navigateur. Typiquement utilisé pour intéger dans YunoHost une application installée manuellement. - -- `you-domain.com/foo -> http://172.0.0.1:8080/app` - -**IMPORTANT:** il vous faudra peut-être bricoler manuellement `redirect.conf` dans la configuration nginx, en fonction de vos besoins. - -**IMPORTANT:** Certaines apps ne supportent pas d'être redirigées depuis un chemin différent à cause du fonctionnement des liens relatifs ... Cela signifie que par exemple une app hébergée sur `http://127.0.0.1:5050/app/` DOIT être routé sur `http://domaine.tld/app/` et PAS http://domaine.tld/unautrechemin/. Par exemple: un conteneur Docker Odoo tourne sur `http://127.0.0.1:8069/`. Il ne sera pas capable de fonctionné correctement si il est routé sur `http://domaine.tld/odoo/` ! Il faut forcément l'installer à la racine d'un domaine, par exemple `http://odoo.domaine.tld/` +Il est possible que votre service backend ne supporte pas de configurer une "base URL" (chemin web personnalisé). Dans ce cas, il faudra installer l'application sur un (sous-)domaine dédié. diff --git a/manifest.json b/manifest.json index c36681d..bbc6ef0 100644 --- a/manifest.json +++ b/manifest.json @@ -1,21 +1,20 @@ { - "name": "Redirect", - "id": "redirect", + "name": "Reverse Proxy", + "id": "reverseproxy", "packaging_format": 1, "description": { - "en": "Create a redirection or a proxy to another path", - "fr": "Créer une redirection ou un proxy vers un autre emplacement" + "en": "Create a reverse proxy to a socket/port, optionally serve static files from folder", + "fr": "Créer un reverse proxy vers un socket/port, optionnellement servir des fichiers statiques depuis un dossier" }, - "version": "1.0.2~ynh1", + "version": "0.1~ynh1", "license": "AGPL-3.0-or-later", - "url": "https://github.com/YunoHost-Apps/redirect_ynh", + "url": "https://en.wikipedia.org/wiki/Reverse_proxy", "upstream": { - "license": "AGPL-3.0-or-later", - "website": "https://github.com/YunoHost-Apps/redirect_ynh" + "website": "https://en.wikipedia.org/wiki/Reverse_proxy" }, "maintainer": { - "name": "alexAubin", - "email": "alex.aubin@mailoo.org" + "name": "selfhoster1312", + "email": "selfhoster1312@kl.netlib.re" }, "requirements": { "yunohost": ">= 4.2.0" @@ -26,42 +25,39 @@ ], "arguments": { "install" : [ - { - "name": "domain", - "type": "domain", - "example": "domain.org" + { + "name": "domain", + "type": "domain" + }, + { + "name": "path", + "type": "path", + "example": "/proxy" + }, + { + "name": "proxy_path", + "type": "string", + "ask": { + "en": "Redirect destination path (unix:/file for socket)", + "fr": "Emplacement de destination (unix:/fichier pour socket)" }, - { - "name": "path", - "type": "path", - "example": "/redirect", - "default": "/redirect" + "example": "http://127.0.0.1:8080/app/" + }, + { + "name": "is_public", + "type": "boolean", + "default": false + }, + { + "name": "assets_path", + "type": "string", + "ask": { + "en": "Static assets folder", + "fr": "Dossier pour les fichiers statiques" }, - { - "name": "redirect_path", - "type": "string", - "ask": { - "en": "Redirect destination path", - "fr": "Emplacement de destination" - }, - "example": "http://127.0.0.1:8080/app/", - "default": "http://127.0.0.1" - }, - { - "name": "redirect_type", - "type": "string", - "ask": { - "en": "Redirect type", - "fr": "Type de redirection" - }, - "choices": { - "public_302": "Visible redirect (302, temporary). Everybody will be able to access it.", - "public_301": "Visible redirect (301, permanent). Everybody will be able to access it.", - "public_proxy": "Proxy, invisible (NGINX proxy_pass). Everybody will be able to access it.", - "private_proxy": "Proxy, invisible (NGINX proxy_pass). Only accessible for allowed users." - }, - "default": "public_302" - } + "optional": true, + "example": "/opt/foo/www/" + } ] } } diff --git a/scripts/_common.sh b/scripts/_common.sh new file mode 100644 index 0000000..396ba5b --- /dev/null +++ b/scripts/_common.sh @@ -0,0 +1,53 @@ +# Verify that the requested reverse proxy destination is valid: +# - protocol is http(s):// or unix: for socket file +# - plaintext http is only allowed to localhost (to avoid leaking credentials on the network) +# - http(s) destination is webroot, no additional component allowed (eg. http://localhost:1234/test is invalid) +rp_validate_proxy_path() { + proxy_path="$1" + + if [[ ! $proxy_path =~ '^unix:/' ]]; then + url_regex='^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)|https://.*)(:[0-9]+)?(/.*)?$' + [[ ! $proxy_path =~ $url_regex ]] && ynh_die \ + "For secure reason, you can't use an unencrypted http remote destination couple with ssowat for your reverse proxy: $proxy_path" 1 + fi + + # Don't allow trailing slash or additional URI components in proxy_path + if [[ "$proxy_path" =~ ^https?:// ]]; then + res="${proxy_path//[^\/]}" + if [[ "${#res}" != "2" ]]; then + if [[ "${#res}" = "3" ]] && [[ "$proxy_path" =~ /$ ]]; then + # If it's only one trailing slash (no more components), just remove it + proxy_path="${proxy_path::-1}" + else + ynh_die "Reverse proxy URL cannot contain additional slashes or components: $proxy_path" 1 + fi + fi + fi +} + +# Make reverse proxy public if $1 is 1 +# Yunohost boolean params are 1 if true +rp_make_permissions() { + #ynh_script_progression --message="Configuring permissions..." --weight=2 + + if [ $1 = 1 ]; then + ynh_permission_update --permission="main" --add="visitors" + fi +} + +# (re)generate nginx config +rp_make_webconfig() { + #ynh_script_progression --message="Configuring NGINX web server..." --weight=1 + + # Nginx configuration + ynh_replace_string "YNH_LOCATION" "$path_url" ../conf/nginx.conf + ynh_replace_string "YNH_PROXY_PATH" "$proxy_path" ../conf/nginx.conf + ynh_replace_string "YNH_APPNAME" "$app" ../conf/nginx.conf + ynh_replace_string "YNH_ASSETS_PATH" "$assets_path" ../conf/nginx.conf + cp ../conf/nginx.conf /etc/nginx/conf.d/$domain.d/$app.conf +} + +rp_reload_web() { + #ynh_script_progression --message="Reloading NGINX web server..." --weight=1 + ynh_systemd_action --service_name=nginx --action=reload +} diff --git a/scripts/backup b/scripts/backup index 01b1bbe..fcf30d3 100644 --- a/scripts/backup +++ b/scripts/backup @@ -6,6 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= +source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= @@ -22,7 +23,6 @@ ynh_print_info --message="Loading installation settings..." # Retrieve arguments app=$YNH_APP_INSTANCE_NAME -domain=$(ynh_app_setting_get --app=$app --key=domain) #================================================= # BACKUP THE NGINX CONFIGURATION diff --git a/scripts/change_url b/scripts/change_url new file mode 100644 index 0000000..5df118d --- /dev/null +++ b/scripts/change_url @@ -0,0 +1,52 @@ +#!/bin/bash + +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source /usr/share/yunohost/helpers +source _common.sh + +#================================================= +# MANAGE SCRIPT FAILURE +#================================================= + +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + +#================================================= +# RETRIEVE ARGUMENTS FROM THE MANIFEST +#================================================= + +app=$YNH_APP_INSTANCE_NAME +old_domain=$YNH_APP_OLD_DOMAIN +new_domain=$YNH_APP_NEW_DOMAIN +old_path=$YNH_APP_OLD_PATH +new_path=$YNH_APP_NEW_PATH + +# Path availability is already checked for + +#================================================= +# CONFIGURE NGINX +#================================================= +ynh_script_progression --message="Configuring NGINX web server..." --weight=1 + +# Nginx configuration +ynh_replace_string "$old_path {" "$new_path {" /etc/nginx/conf.d/$old_domain.d/$app.conf +ynh_replace_string "${old_path}/ {" "${new_path}/ {" /etc/nginx/conf.d/$old_domain.d/$app.conf +ynh_replace_string "302 ${old_path}/" "302 ${new_path}/" /etc/nginx/conf.d/$old_domain.d/$app.conf + +# Maybe only path part has changed... only move file if domain has changed +[[ "$old_domain" != "$new_domain" ]] && mv /etc/nginx/conf.d/$old_domain.d/$app.conf /etc/nginx/conf.d/$new_domain.d/$app.conf + +# Reload nginx +ynh_script_progression --message="Reloading NGINX web server..." --weight=1 +rp_reload_web + +#================================================= +# END OF SCRIPT +#================================================= + +ynh_script_progression --message="Changing URL of $app completed" --last diff --git a/scripts/install b/scripts/install index 77acee9..35f993e 100644 --- a/scripts/install +++ b/scripts/install @@ -6,6 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= +source _common.sh source /usr/share/yunohost/helpers #================================================= @@ -23,68 +24,36 @@ ynh_abort_if_errors app=$YNH_APP_INSTANCE_NAME domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH -redirect_type=$YNH_APP_ARG_REDIRECT_TYPE -redirect_path=$YNH_APP_ARG_REDIRECT_PATH +proxy_path=$YNH_APP_ARG_PROXY_PATH +assets_path=$YNH_APP_ARG_ASSETS_PATH +[[ "$assets_path" = "" ]] && assets_path="/dev/null" +is_public=$YNH_APP_ARG_IS_PUBLIC + +#================================================= +# REVERSE PROXY LOGIC +#================================================= # Check domain/path availability ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url -# Validate redirect path -url_regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]' -[[ ! $redirect_path =~ $url_regex ]] && ynh_die "Invalid destination: $redirect_path" 1 +# Validate reverse proxy destination +rp_validate_proxy_path "$proxy_path" -# Avoid uncrypted remote destination with reverse proxy mode -# Indeed the SSO send the password in all requests in HTTP headers -url_regex='^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)|https://.*)(:[0-9]+)?(/.*)?$' -[[ "$redirect_type" = "proxy" ]] && [[ ! $redirect_path =~ $url_regex ]] && ynh_die \ -"For secure reason, you can't use an unencrypted http remote destination couple with ssowat for your reverse proxy: $redirect_path" 1 +# Save extra settings +ynh_app_setting_set --app=$app --key=proxy_path --value=$proxy_path +ynh_app_setting_set --app=$app --key=assets_path --value=$assets_path -# Save extra settings -ynh_app_setting_set --app=$app --key=redirect_type --value=$redirect_type -ynh_app_setting_set --app=$app --key=redirect_path --value=$redirect_path - -#================================================= -# CONFIGURE NGINX -#================================================= +# Configure nginx ynh_script_progression --message="Configuring NGINX web server..." --weight=1 - -# Nginx configuration -for FILE in $(ls ../conf/nginx-*.conf) -do - ynh_replace_string "YNH_LOCATION" "$path_url" $FILE -done -if [ "$redirect_type" = "public_302" ]; -then - ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-visible-302.conf - cp ../conf/nginx-visible-302.conf /etc/nginx/conf.d/$domain.d/$app.conf -elif [ "$redirect_type" = "public_301" ]; -then - ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-visible-301.conf - cp ../conf/nginx-visible-301.conf /etc/nginx/conf.d/$domain.d/$app.conf -elif [ "$redirect_type" = "public_proxy" ] || [ "$redirect_type" = "private_proxy" ]; -then - ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-proxy.conf - cp ../conf/nginx-proxy.conf /etc/nginx/conf.d/$domain.d/$app.conf -fi - -#================================================= -# CONFIGURE SSOWAT -#================================================= -ynh_script_progression --message="Configuring permissions..." --weight=2 +rp_make_webconfig # Make app public if necessary -if [ "$redirect_type" != "private_proxy" ] -then - # unprotected_uris allows SSO credentials to be passed anyway. - ynh_permission_update --permission="main" --add="visitors" -fi +ynh_script_progression --message="Configuring permissions..." --weight=2 +rp_make_permissions $is_public -#================================================= -# RELOAD NGINX -#================================================= +# Reload nginx ynh_script_progression --message="Reloading NGINX web server..." --weight=1 - -ynh_systemd_action --service_name=nginx --action=reload +rp_reload_web #================================================= # END OF SCRIPT diff --git a/scripts/remove b/scripts/remove index 304eab7..1ed7388 100644 --- a/scripts/remove +++ b/scripts/remove @@ -6,6 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= +source _common.sh source /usr/share/yunohost/helpers #================================================= @@ -24,12 +25,9 @@ domain=$(ynh_app_setting_get --app=$app --key=domain) # Remove configuration files ynh_secure_remove /etc/nginx/conf.d/$domain.d/$app.conf -#================================================= -# RELOAD NGINX AND PHP-FPM -#================================================= +# Reload nginx ynh_script_progression --message="Reloading NGINX web server..." --weight=1 - -ynh_systemd_action --service_name=nginx --action=reload +rp_reload_web #================================================= # END OF SCRIPT diff --git a/scripts/restore b/scripts/restore index 1cade86..1b87580 100644 --- a/scripts/restore +++ b/scripts/restore @@ -6,6 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= +source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= @@ -23,12 +24,11 @@ ynh_abort_if_errors app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) -redirect_type=$(ynh_app_setting_get --app=$app --key=redirect_type) -redirect_path=$(ynh_app_setting_get --app=$app --key=redirect_path) +proxy_path=$(ynh_app_setting_get --app=$app --key=proxy_path) +assets_path=$(ynh_app_setting_get --app=$app --key=assets_path) -# Validate redirect path -url_regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]' -[[ ! $redirect_path =~ $url_regex ]] && ynh_die "Invalid destination: $redirect_path" 1 +# Revalidate destination path +rp_validate_proxy_path "$proxy_path" # Check configuration files NGINX_CONF="/etc/nginx/conf.d/${domain}.d/${app}.conf" @@ -37,23 +37,8 @@ NGINX_CONF="/etc/nginx/conf.d/${domain}.d/${app}.conf" # Restore configuration files ynh_restore_file "$NGINX_CONF" -#================================================= -# SETUP SSOWAT -#================================================= - -# Make app public if necessary -if [ "$redirect_type" != "private_proxy" ] -then - # unprotected_uris allows SSO credentials to be passed anyway. - ynh_permission_update --permission="main" --add="visitors" -fi - -#================================================= -# RELOAD NGINX AND PHP-FPM -#================================================= -ynh_script_progression --message="Reloading NGINX web server..." --weight=1 - -ynh_systemd_action --service_name=nginx --action=reload +# Reload nginx +rp_reload_web #================================================= # END OF SCRIPT diff --git a/scripts/upgrade b/scripts/upgrade index 93caed4..c360cd6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -7,6 +7,7 @@ # IMPORT GENERIC HELPERS #================================================= +source _common.sh source /usr/share/yunohost/helpers #================================================= @@ -17,60 +18,8 @@ source /usr/share/yunohost/helpers app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) -redirect_type=$(ynh_app_setting_get --app=$app --key=redirect_type) -redirect_path=$(ynh_app_setting_get --app=$app --key=redirect_path) - -#================================================= -# ENSURE DOWNWARD COMPATIBILITY -#================================================= - -# Fix is_public as a boolean value -# Default value for redirect_type if upgrading from https://github.com/scith/redirect_ynh -if [ -z "$redirect_type" ]; -then - redirect_type="proxy" - ynh_app_setting_set $app 'redirect_type' $redirect_type -fi - -# Migrate away from old stuff with 'is_public' and old redirect type names -is_public=$(ynh_app_setting_get "$app" is_public) -if [ -n "$is_public" ] -then - if [ "$is_public" = "Yes" ]; then - is_public=1 - elif [ "$is_public" = "No" ]; then - is_public=0 - fi - - if [ "$is_public" = "0" ] && [ "$redirect_type" != "proxy" ]; then - echo "WARNING: You previously had a 'supposedly' private 301 or 302 redirection... but it was found that it was public all along and it is not easy to create such a private redirection. Your 301 or 302 redirection will be re-flagged as public..." >&2 - is_public=1 - fi - - if [ "$redirect_type" == "proxy" ] && [ "$is_public" = "1" ] - then - redirect_type="public_proxy" - elif [ "$redirect_type" == "proxy" ] && [ "$is_public" = "0" ] - then - redirect_type="private_proxy" - elif [ "$redirect_type" == "visible_302" ] - then - redirect_type="public_302" - elif [ "$redirect_type" == "visible_301" ] - then - redirect_type="public_301" - fi - - ynh_app_setting_set $app 'redirect_type' $redirect_type -fi - -# Migrate legacy permissions to new system -if ynh_legacy_permissions_exists -then - ynh_legacy_permissions_delete_all - - ynh_app_setting_delete --app=$app --key=is_public -fi +proxy_path=$(ynh_app_setting_get --app=$app --key=proxy_path) +assets_path=$(ynh_app_setting_get --app=$app --key=assets_path) #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP @@ -85,50 +34,20 @@ ynh_clean_setup () { # Exit if an error occurs during the execution of the script ynh_abort_if_errors -# Validate redirect path -url_regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]' -[[ ! $redirect_path =~ $url_regex ]] && ynh_die "Invalid destination: $redirect_path" 1 - #================================================= -# CONFIGURE NGINX +# REVERSE PROXY LOGIC #================================================= -# Nginx configuration -for FILE in $(ls ../conf/nginx-*.conf) -do - ynh_replace_string "YNH_LOCATION" "$path_url" $FILE -done -if [ "$redirect_type" = "public_302" ]; -then - ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-visible-302.conf - cp ../conf/nginx-visible-302.conf /etc/nginx/conf.d/$domain.d/$app.conf -elif [ "$redirect_type" = "public_301" ]; -then - ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-visible-301.conf - cp ../conf/nginx-visible-301.conf /etc/nginx/conf.d/$domain.d/$app.conf -elif [ "$redirect_type" = "public_proxy" ] || [ "$redirect_type" = "private_proxy" ]; -then - ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-proxy.conf - cp ../conf/nginx-proxy.conf /etc/nginx/conf.d/$domain.d/$app.conf -fi +# Validate proxy destination +rp_validate_proxy_path "$proxy_path" -#================================================= -# CONFIGURE SSOWAT -#================================================= +# Configure nginx +ynh_script_progression --message="Configuring NGINX web server..." --weight=1 +rp_make_webconfig -# Make app public if necessary -if [ "$redirect_type" != "private_proxy" ] -then - # unprotected_uris allows SSO credentials to be passed anyway. - ynh_permission_update --permission="main" --add="visitors" -fi - -#================================================= -# RELOAD NGINX -#================================================= +# Reload nginx ynh_script_progression --message="Reloading NGINX web server..." --weight=1 - -ynh_systemd_action --service_name=nginx --action=reload +rp_reload_web #================================================= # END OF SCRIPT