diff --git a/glances/Dockerfile b/glances/Dockerfile index 4992642..f0f7a42 100755 --- a/glances/Dockerfile +++ b/glances/Dockerfile @@ -29,6 +29,7 @@ RUN \ -exec rm -rf '{}' + \ \ && apk del --purge .build-dependencies \ + && rm -f -r /etc/nginx # Copy root filesystem COPY rootfs / diff --git a/glances/config.json b/glances/config.json index 2efcede..4f98c84 100755 --- a/glances/config.json +++ b/glances/config.json @@ -4,8 +4,11 @@ "slug": "glances", "description": "A cross-platform system monitoring tool", "url": "https://github.com/hassio-addons/addon-glances", - "webui": "[PROTO:ssl]://[HOST]:[PORT:61208]", + "webui": "[PROTO:ssl]://[HOST]:[PORT:80]", + "ingress": true, + "ingress_port": 0, "startup": "services", + "homeassistant": "0.91.4", "arch": [ "aarch64", "amd64", @@ -13,6 +16,12 @@ "armv7", "i386" ], + "ports": { + "80/tcp": null + }, + "ports_description": { + "80/tcp": "Web interface (Not required for Hass.io Ingress)" + }, "map": [ "addons", "backup", diff --git a/glances/rootfs/etc/cont-init.d/70-nginx.sh b/glances/rootfs/etc/cont-init.d/70-nginx.sh deleted file mode 100644 index 770b62f..0000000 --- a/glances/rootfs/etc/cont-init.d/70-nginx.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/usr/bin/with-contenv bashio -# ============================================================================== -# Community Hass.io Add-ons: Glances -# Configure the use of SSL in NGINX -# ============================================================================== -if bashio::config.true 'ssl'; then - certfile=$(bashio::config 'certfile') - keyfile=$(bashio::config 'keyfile') - - sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/nginx-ssl.conf - sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/nginx-ssl.conf -fi diff --git a/glances/rootfs/etc/cont-init.d/nginx.sh b/glances/rootfs/etc/cont-init.d/nginx.sh new file mode 100644 index 0000000..55da91a --- /dev/null +++ b/glances/rootfs/etc/cont-init.d/nginx.sh @@ -0,0 +1,34 @@ +#!/usr/bin/with-contenv bashio +# ============================================================================== +# Community Hass.io Add-ons: SSH & Web Terminal +# Configures NGINX for use with ttyd +# ============================================================================== +declare port +declare certfile +declare ingress_interface +declare ingress_port +declare keyfile + +port=$(bashio::addon.port 80) +if bashio::var.has_value "${port}"; then + bashio::config.require.ssl + + if bashio::config.true 'ssl'; then + certfile=$(bashio::config 'certfile') + keyfile=$(bashio::config 'keyfile') + + mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf + sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/servers/direct.conf + sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/servers/direct.conf + + else + mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf + fi + + sed -i "s/%%port%%/${port}/g" /etc/nginx/servers/direct.conf +fi + +ingress_port=$(bashio::addon.ingress_port) +ingress_interface=$(bashio::addon.ip_address) +sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf +sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf diff --git a/glances/rootfs/etc/nginx/includes/mime.types b/glances/rootfs/etc/nginx/includes/mime.types new file mode 100644 index 0000000..7c7cdef --- /dev/null +++ b/glances/rootfs/etc/nginx/includes/mime.types @@ -0,0 +1,96 @@ +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + + font/woff woff; + font/woff2 woff2; + + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; + application/vnd.openxmlformats-officedocument.presentationml.presentation + pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document + docx; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/glances/rootfs/etc/nginx/includes/proxy_params.conf b/glances/rootfs/etc/nginx/includes/proxy_params.conf new file mode 100644 index 0000000..1990d49 --- /dev/null +++ b/glances/rootfs/etc/nginx/includes/proxy_params.conf @@ -0,0 +1,15 @@ +proxy_http_version 1.1; +proxy_ignore_client_abort off; +proxy_read_timeout 86400s; +proxy_redirect off; +proxy_send_timeout 86400s; +proxy_max_temp_file_size 0; + +proxy_set_header Accept-Encoding ""; +proxy_set_header Connection $connection_upgrade; +proxy_set_header Host $http_host; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-NginX-Proxy true; +proxy_set_header X-Real-IP $remote_addr; diff --git a/glances/rootfs/etc/nginx/includes/resolver.conf b/glances/rootfs/etc/nginx/includes/resolver.conf new file mode 100644 index 0000000..758ca69 --- /dev/null +++ b/glances/rootfs/etc/nginx/includes/resolver.conf @@ -0,0 +1 @@ +resolver 172.30.32.2; diff --git a/glances/rootfs/etc/nginx/includes/server_params.conf b/glances/rootfs/etc/nginx/includes/server_params.conf new file mode 100644 index 0000000..09c0654 --- /dev/null +++ b/glances/rootfs/etc/nginx/includes/server_params.conf @@ -0,0 +1,6 @@ +root /dev/null; +server_name $hostname; + +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; +add_header X-Robots-Tag none; diff --git a/glances/rootfs/etc/nginx/includes/ssl_params.conf b/glances/rootfs/etc/nginx/includes/ssl_params.conf new file mode 100644 index 0000000..6f15005 --- /dev/null +++ b/glances/rootfs/etc/nginx/includes/ssl_params.conf @@ -0,0 +1,9 @@ +ssl_protocols TLSv1.2; +ssl_prefer_server_ciphers on; +ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA; +ssl_ecdh_curve secp384r1; +ssl_session_timeout 10m; +ssl_session_cache shared:SSL:10m; +ssl_session_tickets off; +ssl_stapling on; +ssl_stapling_verify on; diff --git a/glances/rootfs/etc/nginx/includes/upstream.conf b/glances/rootfs/etc/nginx/includes/upstream.conf new file mode 100644 index 0000000..307f583 --- /dev/null +++ b/glances/rootfs/etc/nginx/includes/upstream.conf @@ -0,0 +1,3 @@ +upstream backend { + server 127.0.0.1:61209; +} diff --git a/glances/rootfs/etc/nginx/ha-auth.lua b/glances/rootfs/etc/nginx/lua/ha-auth.lua similarity index 100% rename from glances/rootfs/etc/nginx/ha-auth.lua rename to glances/rootfs/etc/nginx/lua/ha-auth.lua diff --git a/glances/rootfs/etc/nginx/modules/ndk_http.conf b/glances/rootfs/etc/nginx/modules/ndk_http.conf new file mode 100644 index 0000000..2663122 --- /dev/null +++ b/glances/rootfs/etc/nginx/modules/ndk_http.conf @@ -0,0 +1 @@ +load_module "/usr/lib/nginx/modules/ndk_http_module.so"; diff --git a/glances/rootfs/etc/nginx/modules/ngx_http_lua.conf b/glances/rootfs/etc/nginx/modules/ngx_http_lua.conf new file mode 100644 index 0000000..f885ed9 --- /dev/null +++ b/glances/rootfs/etc/nginx/modules/ngx_http_lua.conf @@ -0,0 +1 @@ +load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so"; diff --git a/glances/rootfs/etc/nginx/nginx.conf b/glances/rootfs/etc/nginx/nginx.conf index 6485130..2eb4adf 100644 --- a/glances/rootfs/etc/nginx/nginx.conf +++ b/glances/rootfs/etc/nginx/nginx.conf @@ -1,63 +1,58 @@ -worker_processes 1; -pid /var/run/nginx.pid; -error_log /dev/stdout info; +# Run nginx in foreground. daemon off; + +# This is run inside Docker. +user root; + +# Pid storage location. +pid /var/run/nginx.pid; + +# Set number of worker processes. +worker_processes 1; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Write error log to Hass.io add-on log. +error_log /dev/stdout error; + +# Load allowed environment vars env HASSIO_TOKEN; env DISABLE_HA_AUTHENTICATION; -load_module "/usr/lib/nginx/modules/ndk_http_module.so"; -load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so"; +# Load dynamic modules. +include /etc/nginx/modules/*.conf; + +# Max num of simultaneous connections by a worker process. events { - worker_connections 1024; + worker_connections 512; } http { - include mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - proxy_read_timeout 1200; - gzip on; - gzip_disable "msie6"; - lua_shared_dict auths 16k; - resolver 172.30.32.2; + include /etc/nginx/includes/mime.types; - upstream glances { - ip_hash; - server 127.0.0.1:61209; - } + log_format hassio '[$time_local] $status ' + '$http_x_forwarded_for($remote_addr) ' + '$request ($http_user_agent)'; + + access_log /dev/stdout hassio; + client_max_body_size 4G; + default_type application/octet-stream; + gzip on; + keepalive_timeout 65; + lua_shared_dict auths 16k; + sendfile on; + server_tokens off; + tcp_nodelay on; + tcp_nopush on; map $http_upgrade $connection_upgrade { default upgrade; '' close; } - server { - listen 61208 default_server; + include /etc/nginx/includes/resolver.conf; + include /etc/nginx/includes/upstream.conf; - server_name _; - access_log /dev/stdout combined; - - client_max_body_size 4G; - keepalive_timeout 5; - - root /dev/null; - - location / { - access_by_lua_file /etc/nginx/ha-auth.lua; - - proxy_redirect off; - proxy_pass http://glances; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - } - } + include /etc/nginx/servers/*.conf; } diff --git a/glances/rootfs/etc/nginx/servers/direct-ssl.disabled b/glances/rootfs/etc/nginx/servers/direct-ssl.disabled new file mode 100644 index 0000000..02521ae --- /dev/null +++ b/glances/rootfs/etc/nginx/servers/direct-ssl.disabled @@ -0,0 +1,16 @@ +server { + listen %%port%% default_server ssl http2; + + include /etc/nginx/includes/server_params.conf; + include /etc/nginx/includes/ssl_params.conf; + include /etc/nginx/includes/proxy_params.conf; + + ssl on; + ssl_certificate /ssl/%%certfile%%; + ssl_certificate_key /ssl/%%keyfile%%; + + location / { + access_by_lua_file /etc/nginx/lua/ha-auth.lua; + proxy_pass http://backend; + } +} diff --git a/glances/rootfs/etc/nginx/servers/direct.disabled b/glances/rootfs/etc/nginx/servers/direct.disabled new file mode 100644 index 0000000..a036b7a --- /dev/null +++ b/glances/rootfs/etc/nginx/servers/direct.disabled @@ -0,0 +1,11 @@ +server { + listen %%port%% default_server; + + include /etc/nginx/includes/server_params.conf; + include /etc/nginx/includes/proxy_params.conf; + + location / { + access_by_lua_file /etc/nginx/lua/ha-auth.lua; + proxy_pass http://backend; + } +} diff --git a/glances/rootfs/etc/nginx/servers/ingress.conf b/glances/rootfs/etc/nginx/servers/ingress.conf new file mode 100644 index 0000000..d655706 --- /dev/null +++ b/glances/rootfs/etc/nginx/servers/ingress.conf @@ -0,0 +1,13 @@ +server { + listen %%interface%%:%%port%% default_server; + + include /etc/nginx/includes/server_params.conf; + include /etc/nginx/includes/proxy_params.conf; + + location / { + allow 172.30.32.2; + deny all; + + proxy_pass http://backend; + } +} diff --git a/glances/rootfs/etc/nginx_old/ha-auth.lua b/glances/rootfs/etc/nginx_old/ha-auth.lua new file mode 100644 index 0000000..4c9ca91 --- /dev/null +++ b/glances/rootfs/etc/nginx_old/ha-auth.lua @@ -0,0 +1,83 @@ +local http = require "resty.http" +local auths = ngx.shared.auths + +function authenticate() + + --- Test Authentication header is set and with a value + local header = ngx.req.get_headers()['Authorization'] + if header == nil or header:find(" ") == nil then + return false + end + + local divider = header:find(' ') + if header:sub(0, divider-1) ~= 'Basic' then + return false + end + + local auth = ngx.decode_base64(header:sub(divider+1)) + if auth == nil or auth:find(':') == nil then + return false + end + + divider = auth:find(':') + local username = auth:sub(0, divider-1) + local password = auth:sub(divider+1) + + --- Check if authentication is cached + if auths:get(username) == password then + ngx.log(ngx.DEBUG, "Authenticated user against Home Assistant (cache).") + return true + end + + --- HTTP request against Hassio API + local httpc = http.new() + local res, err = httpc:request_uri("http://hassio/auth", { + method = "POST", + body = ngx.encode_args({["username"]=username, ["password"]=password}), + headers = { + ["Content-Type"] = "application/x-www-form-urlencoded", + ["X-HASSIO-KEY"] = os.getenv("HASSIO_TOKEN"), + }, + keepalive_timeout = 60, + keepalive_pool = 10 + }) + + --- Error during API request + if err then + ngx.log(ngx.WARN, "Error during Hassio user authentication.", err) + return false + end + + --- No result? Something went wrong... + if not res then + ngx.log(ngx.WARN, "Error during Hassio user authentication.") + return false + end + + --- Valid response, the username/password is valid + if res.status == 200 then + ngx.log(ngx.INFO, "Authenticated user against Home Assistant.") + auths:set(username, password, 60) + return true + end + + --- Whatever the response is, it is invalid + ngx.log(ngx.WARN, "Authentication against Home Assistant failed!") + return false +end + +-- Only authenticate if its not disabled +if not os.getenv('DISABLE_HA_AUTHENTICATION') then + + --- Try to authenticate against HA + local authenticated = authenticate() + + --- If authentication failed, throw a basic auth + if not authenticated then + ngx.header.content_type = 'text/plain' + ngx.header.www_authenticate = 'Basic realm="Home Assistant"' + ngx.status = ngx.HTTP_UNAUTHORIZED + ngx.say('401 Access Denied') + ngx.exit(ngx.HTTP_UNAUTHORIZED) + end +end diff --git a/glances/rootfs/etc/nginx/nginx-ssl.conf b/glances/rootfs/etc/nginx_old/nginx-ssl.conf similarity index 100% rename from glances/rootfs/etc/nginx/nginx-ssl.conf rename to glances/rootfs/etc/nginx_old/nginx-ssl.conf diff --git a/glances/rootfs/etc/nginx_old/nginx.conf b/glances/rootfs/etc/nginx_old/nginx.conf new file mode 100644 index 0000000..6485130 --- /dev/null +++ b/glances/rootfs/etc/nginx_old/nginx.conf @@ -0,0 +1,63 @@ +worker_processes 1; +pid /var/run/nginx.pid; +error_log /dev/stdout info; +daemon off; +env HASSIO_TOKEN; +env DISABLE_HA_AUTHENTICATION; +load_module "/usr/lib/nginx/modules/ndk_http_module.so"; +load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so"; + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + proxy_read_timeout 1200; + gzip on; + gzip_disable "msie6"; + lua_shared_dict auths 16k; + resolver 172.30.32.2; + + upstream glances { + ip_hash; + server 127.0.0.1:61209; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + server { + listen 61208 default_server; + + server_name _; + access_log /dev/stdout combined; + + client_max_body_size 4G; + keepalive_timeout 5; + + root /dev/null; + + location / { + access_by_lua_file /etc/nginx/ha-auth.lua; + + proxy_redirect off; + proxy_pass http://glances; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + } + } +} diff --git a/glances/rootfs/etc/services.d/nginx/run b/glances/rootfs/etc/services.d/nginx/run index deef0ab..4304b88 100644 --- a/glances/rootfs/etc/services.d/nginx/run +++ b/glances/rootfs/etc/services.d/nginx/run @@ -3,18 +3,15 @@ # Community Hass.io Add-ons: Glances # Runs the nginx daemon # ============================================================================== -bashio::log.info 'Starting the NGINX daemon...' # Wait for Glances to become available -s6-svwait -u -t 5000 /var/run/s6/services/glances +bashio::net.wait_for 61209 + +bashio::log.info "Starting NGinx..." # Disable HA Authentication if front door is open if bashio::config.true 'leave_front_door_open'; then export DISABLE_HA_AUTHENTICATION=true fi -if bashio::config.true 'ssl'; then - exec nginx -c /etc/nginx/nginx-ssl.conf -else - exec nginx -c /etc/nginx/nginx.conf -fi +exec nginx