[RFC] nginx-util: use UCI for server configuration #13405
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
peter-stadler <notifications@github.com> writes:
There is also a new feature: `add_ssl` resp. `del_ssl` accept a
manager as an optional parameter for adding resp. removing SSL
directives in the configuration without creating resp. removing SSL
certificate and key (it is expected that the manager puts/links resp.
deletes the files at `/etc/nginx/conf.d/$name.{crt,key}`). It could be
used e.g. by (u)acme as `nginx-util add_ssl $name acme`, @tohojo and
@lucize what do you think?
I'm fine with supporting nginx-util from the acme wrapper script, but
why can't it just supply a path to the cert?
|
|
It was easier for me (less code change), but I would change it if it is too difficult (I do not expect a lot of apps to use this option, so I wanted to ask you if this would be used at all) … |
|
peter-stadler <notifications@github.com> writes:
It was easier for me (less code change), but I would change it if it
is too difficult (I do not expect a lot of apps to use this option, so
I wanted to ask you if this would be used at all) …
As long as we don't need too much code to handle it, sure! Right now
we're just doing sed-based replace of the cert path in
/etc/nginx/nginx.conf, so if we could just wrap that in, say, something
like:
which nginx-util && nginx-util add_ssl acme $certfile $keyfile
that would be pretty easy :)
|
|
I change it to create/remove the symlinks (if needed) and will update the PR after some tests. The command line would be something like: |
|
SGTM :)
|
peter-stadler
force-pushed
the
nginx-util-uci
branch
3 times, most recently
from
9bd9e7d
to
e29f5d6
Compare
|
Done. I would mark it ready for review on Tuesday. |
peter-stadler
force-pushed
the
nginx-util-uci
branch
from
e29f5d6
to
72a1f4e
Compare
|
(rebased) |
peter-stadler
force-pushed
the
nginx-util-uci
branch
from
72a1f4e
to
5c72a80
Compare
|
(now the tests that where good before are failing, too, but I did not change any code beside rebasing …) |
|
From a 'using this in acme.sh' PoV, is there a way to discover whether nginx-util manages a particular domain? Can we just blindly call |
|
Yes, it will exit with an error (I will post the output later). |
peter-stadler
force-pushed
the
nginx-util-uci
branch
2 times, most recently
from
e29f5d6
to
ff9cbcf
Compare
|
(rebased the right version) For the output of
Hereby only the SSL directives that will be changed are displayed. Similar it is for |
peter-stadler
force-pushed
the
nginx-util-uci
branch
from
ff9cbcf
to
c02de21
Compare
|
(Renamed |
neheb
reviewed
Oct 23, 2020
neheb
reviewed
Oct 23, 2020
peter-stadler
force-pushed
the
nginx-util-uci
branch
from
c02de21
to
b1d27c9
Compare
|
I made some non-functional changes:
|
|
Please rebase to fix those red checkmarks. |
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration beside
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR respective STDOUT, which are fowarded by Nginx's
init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d calls internally also `check_ssl` for rebuilding
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it is doing in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for inexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the packages installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Else it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; just the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated another port than 80
before, they are kept the same. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set 'self-signed' in the corresponding UCI section. Only
then it removes all of the above options regardless of the
value looking just at the key name. Then, it also changes
all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If stating another port than
443, they are kept the same. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing a ssl certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Hereby `$name` is as above, `$manager` is an arbitrary
string, and the the ssl certificate and its key are
indicated by their absolute path. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
peter-stadler
force-pushed
the
nginx-util-uci
branch
from
b1d27c9
to
f62599d
Compare
|
Done. Thank you :-) |
|
is this ready to go? |
|
Yes, I think so :-) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Maintainer: me, @Ansuel and @heil (for nginx)
Compile tested: x86_64, x86_64 qemu, master
Run tested: x86_64, x86_64 qemu, master, run tests, nginx and luci-nginx
Description: It is based on the discussion in #11456 and described below.
There is also a new feature:
add_sslresp.del_sslaccept a manager as an optional parameter for adding resp. removing SSL directives in the configuration without creating resp. removing SSL certificate and key(it is expected that the manager puts/links resp. deletes the files atedit: nginx-util will create symlinks/etc/nginx/conf.d/$name.{crt,key})./etc/nginx/conf.d/$name.{crt,key}to the provided paths if needed (see below). It could be used e.g. by (u)acme asnginx-util add_ssl $name acme /path/to/crt /path/to/key, @tohojo and @lucize what do you think?tl;dr: The functions
{add,del}_sslmodify a server section of the UCI config if there is no.conffile with the same name in/etc/nginx/conf.d/.Then
init_lancreates/var/lib/nginx/uci.conffiles by copying the/etc/nginx/uci.conf.templateand standard options from the UCI config; additionally the special pathlogdcan be used in{access,error}_log.The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new
check_ssl, which is installed as yearly cron job.Initialization:
Invoking
nginx-util init_lanparses the UCI configuration for packagenginx. It creates a server part in/var/lib/nginx/uci.conffor eachsection server '$name'by copying all UCI options but the following:option uci_manage_sslis skipped. It is set to 'self-signed' bynginx-util add_ssl $name, removed bynginx-util del_ssl $nameand used bynginx-util check_ssl(see below).logdas path inerror_logoraccess_logwrites them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically:option error_log 'logd'becomeserror_log stderr;andoption access_log 'logd openwrt'becomesaccess_log /proc/self/fd/1 openwrt;Other
[option|list] key 'value'entries just becomekey value;directives.The init.d calls internally also
check_sslfor rebuilding self-signed SSL certificates if needed (see below). And it still sets up/var/lib/nginx/lan{,_ssl}.listenfiles as it is doing in the current version (so they stay available).Defaults:
The package installs the file
/etc/nginx/restrict_locallycontaining allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file/etc/config/nginx. Furthermore, the packages installs a/etc/nginx/uci.conf.templatecontaining the current setup and a marker, which will be replaced by the created UCI servers when callinginit_lan.Other:
If there is a file named
/etc/nginx/conf.d/$name.confthe functionsinit_lan,add_ssl $nameanddel_ssl $namewill use that file instead of a UCI server section (this is similar to the current version).Else it selects the UCI
section server $name, or, when there is no such section, it searches for the first one havingoption server_name '… $name …'. For this section:nginx-util add_ssl $namewill add to it:option uci_manage_ssl 'self-signed'option ssl_certificate '/etc/nginx/conf.d/$name.crt'option ssl_certificate_key '/etc/nginx/conf.d/$name.key'option ssl_session_cache 'shared:SSL:32k'option ssl_session_timeout '64m'If these options are already present, they will stay the same; just the first option
uci_manage_sslwill always be changed to 'self-signed'. The command also changes alllistenlist items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no valid certificate and key at the locations given by the optionsssl_certificateandssl_certificate_key.nginx-util del_ssl $namechecks ifuci_manage_sslis set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes alllistenlist items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated byssl_certificate{,_key}.nginx-util check_ssllooks through all server sections of the UCI config foruci_manage_ssl 'self-signed'. On every hit it checks if the SSL certificate-key-pair indicated by the optionsssl_certificate{,_key}is expired. Then it re-creates a self-signed certificate. If there exists at least onesection serverwithuci_manage_ssl 'self-signed', it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible.edit: For installing a ssl certificate and key managed by another app, you can call:
nginx-util add_ssl $name $manager $crtpath $keypathHereby
$nameis as above,$manageris an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use:nginx-util del_ssl $name $manager