not create the "haproxy.cfg" each time. replaced the "insecure passwo…

…rd" with "password" Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
cloud-py-api · Jun 11, 2024 · 6f9046f · 6f9046f
1 parent 8f707e4
commit 6f9046f
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 31 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -19,12 +19,13 @@ RUN set -ex; \
         openssl \
         bind-tools \
         nano \
-        vim; \
+        vim \
+        envsubst; \
     chmod -R 777 /tmp
 
 COPY --chmod=775 *.sh /
-COPY --chmod=664 haproxy.cfg /haproxy.cfg
-COPY --chmod=664 haproxy_ex_apps.cfg /haproxy_ex_apps.cfg
+COPY --chmod=664 haproxy.cfg.template /haproxy.cfg.template
+COPY --chmod=664 haproxy_ex_apps.cfg.template /haproxy_ex_apps.cfg.template
 
 WORKDIR /
 ENTRYPOINT ["/bin/bash", "start.sh"]

diff --git a/README.md b/README.md
@@ -75,7 +75,6 @@ You should set `BIND_ADDRESS` to the IP on which server with ExApps can accept r
 > This file should be mounted into the container, and the password will be read from this file.
 > If both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified, the container will exit with an error.
 
-
 #### Only for ExApp installs with TLS:
 
 * `EX_APPS_NET`: determines destination of requests to ExApps for HaProxy. Default:`localhost`
@@ -134,11 +133,11 @@ sudo -u www-data php occ security:certificates:import /shared/cert.pem
 Create HaProxy container:
 
 ```shell
-docker run -e NC_HAPROXY_PASSWORD="some_secure_password" \
+docker run -e NC_HAPROXY_PASSWORD="some secure password" \
   -e BIND_ADDRESS="172.17.0.1" \
   -v /var/run/docker.sock:/var/run/docker.sock \
   -v `pwd`/certs/cert.pem:/certs/cert.pem \
-  --name nextcloud-appapi-dsp -h nextcloud-appapi-dsp --net host \
+  --name nextcloud-appapi-dsp2 -h nextcloud-appapi-dsp2 --net host \
   --privileged -d nextcloud-appapi-dsp:latest
 ```
 

diff --git a/haproxy.cfg → haproxy.cfg.template b/haproxy.cfg → haproxy.cfg.template
@@ -9,12 +9,12 @@ defaults
     log global
     option httplog
     option dontlognull
-    timeout connect TIMEOUT_CONNECT
-    timeout client TIMEOUT_CLIENT
-    timeout server TIMEOUT_SERVER
+    timeout connect ${TIMEOUT_CONNECT}
+    timeout client ${TIMEOUT_CLIENT}
+    timeout server ${TIMEOUT_SERVER}
 
 userlist app_api_credentials
-    user app_api_haproxy_user insecure-password "NC_PASSWORD_PLACEHOLDER"
+    user app_api_haproxy_user password ${NC_HAPROXY_PASSWORD}
 
 frontend docker_engine
     mode http

diff --git a/haproxy_ex_apps.cfg → haproxy_ex_apps.cfg.template b/haproxy_ex_apps.cfg → haproxy_ex_apps.cfg.template
diff --git a/start.sh b/start.sh
@@ -1,29 +1,37 @@
 #!/bin/sh
 
-# Check if both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified
-if [ -n "$NC_HAPROXY_PASSWORD" ] && [ -f "$NC_HAPROXY_PASSWORD_FILE" ]; then
-  echo "Error: Both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified. Please specify only one."
-  exit 1
-fi
+if [ ! -f "/haproxy.cfg" ]; then
+  if [ -n "$NC_HAPROXY_PASSWORD_FILE" ] && [ ! -f "$NC_HAPROXY_PASSWORD_FILE" ]; then
+    echo "Error: NC_HAPROXY_PASSWORD_FILE is specified but the file does not exist."
+    exit 1
+  fi
 
-if [ -f "$NC_HAPROXY_PASSWORD_FILE" ]; then
-  NC_HAPROXY_PASSWORD=$(cat "$NC_HAPROXY_PASSWORD_FILE")
-fi
+  if [ -n "$NC_HAPROXY_PASSWORD" ] && [ -n "$NC_HAPROXY_PASSWORD_FILE" ]; then
+    echo "Error: Only one of NC_HAPROXY_PASSWORD or NC_HAPROXY_PASSWORD_FILE should be specified."
+    exit 1
+  fi
 
-sed -i "s|NC_PASSWORD_PLACEHOLDER|$NC_HAPROXY_PASSWORD|" /haproxy.cfg
-sed -i "s|TIMEOUT_CONNECT|$TIMEOUT_CONNECT|" /haproxy.cfg
-sed -i "s|TIMEOUT_CLIENT|$TIMEOUT_CLIENT|" /haproxy.cfg
-sed -i "s|TIMEOUT_SERVER|$TIMEOUT_SERVER|" /haproxy.cfg
+  if [ -n "$NC_HAPROXY_PASSWORD_FILE" ]; then
+    NC_HAPROXY_PASSWORD=$(mkpasswd -m sha-256 < "$NC_HAPROXY_PASSWORD_FILE")
+  else
+    NC_HAPROXY_PASSWORD=$(echo "$NC_HAPROXY_PASSWORD" | mkpasswd -m sha-256)
+  fi
 
-if [ -f "/certs/cert.pem" ]; then
-    EX_APPS_COUNT_PADDED=$(printf "%03d" "$EX_APPS_COUNT")
-    sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6 ssl crt /certs/cert.pem|" /haproxy.cfg
-    sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:23000-23$EX_APPS_COUNT_PADDED v4v6 ssl crt /certs/cert.pem|" /haproxy_ex_apps.cfg
-    sed -i "s|EX_APPS_NET_PLACEHOLDER|$EX_APPS_NET|" /haproxy_ex_apps.cfg
-    # Chmod certs to be accessible by haproxy
-    chmod 644 /certs/cert.pem
-else
-    sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6|" /haproxy.cfg
+  export NC_HAPROXY_PASSWORD
+
+  envsubst < /haproxy.cfg.template > /haproxy.cfg
+  envsubst < /haproxy_ex_apps.cfg.template > /haproxy_ex_apps.cfg
+
+  if [ -f "/certs/cert.pem" ]; then
+      EX_APPS_COUNT_PADDED=$(printf "%03d" "$EX_APPS_COUNT")
+      sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6 ssl crt /certs/cert.pem|" /haproxy.cfg
+      sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:23000-23$EX_APPS_COUNT_PADDED v4v6 ssl crt /certs/cert.pem|" /haproxy_ex_apps.cfg
+      sed -i "s|EX_APPS_NET_PLACEHOLDER|$EX_APPS_NET|" /haproxy_ex_apps.cfg
+      # Chmod certs to be accessible by haproxy
+      chmod 644 /certs/cert.pem
+  else
+      sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6|" /haproxy.cfg
+  fi
 fi
 
 echo "HaProxy config:"