mirror of
https://github.com/hassio-addons/addon-glances.git
synced 2025-05-04 19:11:23 +00:00
Refactor NGINX configuration and HA authentication (#97)
* Refactor NGINX configuration and HA authentication * Remove Lua packages
This commit is contained in:
Franck Nijhof
GitHub
parent
edce09a0d1
commit
884fdebb64
13 changed files with 57 additions and 159 deletions
|
|
@ -19,8 +19,6 @@ RUN \
|
|||
python3-dev=3.8.7-r0 \
|
||||
\
|
||||
&& apk add --no-cache \
|
||||
lua-resty-http=0.15-r0 \
|
||||
nginx-mod-http-lua=1.18.0-r13 \
|
||||
nginx=1.18.0-r13 \
|
||||
py3-pip=20.3.3-r0 \
|
||||
python3=3.8.7-r0 \
|
||||
|
|
|
|||
|
|
@ -3,36 +3,25 @@
|
|||
# Home Assistant Community Add-on: SSH & Web Terminal
|
||||
# Configures NGINX for use with ttyd
|
||||
# ==============================================================================
|
||||
declare port
|
||||
declare certfile
|
||||
declare dns_host
|
||||
declare ingress_interface
|
||||
declare ingress_port
|
||||
declare keyfile
|
||||
|
||||
port=$(bashio::addon.port 80)
|
||||
if bashio::var.has_value "${port}"; then
|
||||
# Generate Ingress configuration
|
||||
bashio::var.json \
|
||||
interface "$(bashio::addon.ip_address)" \
|
||||
port "^$(bashio::addon.ingress_port)" \
|
||||
| tempio \
|
||||
-template /etc/nginx/templates/ingress.gtpl \
|
||||
-out /etc/nginx/servers/ingress.conf
|
||||
|
||||
# Generate direct access configuration, if enabled.
|
||||
if bashio::var.has_value "$(bashio::addon.port 80)"; then
|
||||
bashio::config.require.ssl
|
||||
|
||||
if bashio::config.true 'ssl'; then
|
||||
certfile=$(bashio::config 'certfile')
|
||||
keyfile=$(bashio::config 'keyfile')
|
||||
|
||||
mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
|
||||
sed -i "s#%%certfile%%#${certfile}#g" /etc/nginx/servers/direct.conf
|
||||
sed -i "s#%%keyfile%%#${keyfile}#g" /etc/nginx/servers/direct.conf
|
||||
|
||||
else
|
||||
mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
|
||||
fi
|
||||
|
||||
sed -i "s/%%port%%/${port}/g" /etc/nginx/servers/direct.conf
|
||||
bashio::var.json \
|
||||
certfile "$(bashio::config 'certfile')" \
|
||||
keyfile "$(bashio::config 'keyfile')" \
|
||||
leave_front_door_open "^$(bashio::config 'leave_front_door_open')" \
|
||||
port "^$(bashio::addon.port 80)" \
|
||||
ssl "^$(bashio::config 'ssl')" \
|
||||
| tempio \
|
||||
-template /etc/nginx/templates/direct.gtpl \
|
||||
-out /etc/nginx/servers/direct.conf
|
||||
fi
|
||||
|
||||
ingress_port=$(bashio::addon.ingress_port)
|
||||
ingress_interface=$(bashio::addon.ip_address)
|
||||
sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
|
||||
sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
|
||||
|
||||
dns_host=$(bashio::dns.host)
|
||||
sed -i "s/%%dns_host%%/${dns_host}/g" /etc/nginx/includes/resolver.conf
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
resolver %%dns_host%%;
|
||||
|
|
@ -1,83 +0,0 @@
|
|||
local http = require "resty.http"
|
||||
local auths = ngx.shared.auths
|
||||
|
||||
function authenticate()
|
||||
|
||||
--- Test Authentication header is set and with a value
|
||||
local header = ngx.req.get_headers()['Authorization']
|
||||
if header == nil or header:find(" ") == nil then
|
||||
return false
|
||||
end
|
||||
|
||||
local divider = header:find(' ')
|
||||
if header:sub(0, divider-1) ~= 'Basic' then
|
||||
return false
|
||||
end
|
||||
|
||||
local auth = ngx.decode_base64(header:sub(divider+1))
|
||||
if auth == nil or auth:find(':') == nil then
|
||||
return false
|
||||
end
|
||||
|
||||
divider = auth:find(':')
|
||||
local username = auth:sub(0, divider-1)
|
||||
local password = auth:sub(divider+1)
|
||||
|
||||
--- Check if authentication is cached
|
||||
if auths:get(username) == password then
|
||||
ngx.log(ngx.DEBUG, "Authenticated user against Home Assistant (cache).")
|
||||
return true
|
||||
end
|
||||
|
||||
--- HTTP request against the Supervisor API
|
||||
local httpc = http.new()
|
||||
local res, err = httpc:request_uri("http://supervisor.local.hass.io/auth", {
|
||||
method = "POST",
|
||||
body = ngx.encode_args({["username"]=username, ["password"]=password}),
|
||||
headers = {
|
||||
["Content-Type"] = "application/x-www-form-urlencoded",
|
||||
["X-Supervisor-Token"] = os.getenv("SUPERVISOR_TOKEN"),
|
||||
},
|
||||
keepalive_timeout = 60,
|
||||
keepalive_pool = 10
|
||||
})
|
||||
|
||||
--- Error during API request
|
||||
if err then
|
||||
ngx.log(ngx.WARN, "Error during Home Assistant user authentication.", err)
|
||||
return false
|
||||
end
|
||||
|
||||
--- No result? Something went wrong...
|
||||
if not res then
|
||||
ngx.log(ngx.WARN, "Error during Home Assistant user authentication.")
|
||||
return false
|
||||
end
|
||||
|
||||
--- Valid response, the username/password is valid
|
||||
if res.status == 200 then
|
||||
ngx.log(ngx.INFO, "Authenticated user against Home Assistant.")
|
||||
auths:set(username, password, 60)
|
||||
return true
|
||||
end
|
||||
|
||||
--- Whatever the response is, it is invalid
|
||||
ngx.log(ngx.WARN, "Authentication against Home Assistant failed!")
|
||||
return false
|
||||
end
|
||||
|
||||
-- Only authenticate if its not disabled
|
||||
if not os.getenv('DISABLE_HA_AUTHENTICATION') then
|
||||
|
||||
--- Try to authenticate against HA
|
||||
local authenticated = authenticate()
|
||||
|
||||
--- If authentication failed, throw a basic auth
|
||||
if not authenticated then
|
||||
ngx.header.content_type = 'text/plain'
|
||||
ngx.header.www_authenticate = 'Basic realm="Home Assistant"'
|
||||
ngx.status = ngx.HTTP_UNAUTHORIZED
|
||||
ngx.say('401 Access Denied')
|
||||
ngx.exit(ngx.HTTP_UNAUTHORIZED)
|
||||
end
|
||||
end
|
||||
|
|
@ -1 +0,0 @@
|
|||
load_module "/usr/lib/nginx/modules/ndk_http_module.so";
|
||||
|
|
@ -1 +0,0 @@
|
|||
load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so";
|
||||
|
|
@ -18,10 +18,6 @@ error_log /dev/stdout error;
|
|||
|
||||
# Load allowed environment vars
|
||||
env SUPERVISOR_TOKEN;
|
||||
env DISABLE_HA_AUTHENTICATION;
|
||||
|
||||
# Load dynamic modules.
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
# Max num of simultaneous connections by a worker process.
|
||||
events {
|
||||
|
|
@ -40,8 +36,6 @@ http {
|
|||
default_type application/octet-stream;
|
||||
gzip on;
|
||||
keepalive_timeout 65;
|
||||
lua_load_resty_core off;
|
||||
lua_shared_dict auths 16k;
|
||||
sendfile on;
|
||||
server_tokens off;
|
||||
tcp_nodelay on;
|
||||
|
|
@ -52,8 +46,6 @@ http {
|
|||
'' close;
|
||||
}
|
||||
|
||||
include /etc/nginx/includes/resolver.conf;
|
||||
include /etc/nginx/includes/upstream.conf;
|
||||
|
||||
include /etc/nginx/servers/*.conf;
|
||||
}
|
||||
|
|
|
|||
1
glances/rootfs/etc/nginx/servers/.gitkeep
Normal file
1
glances/rootfs/etc/nginx/servers/.gitkeep
Normal file
|
|
@ -0,0 +1 @@
|
|||
Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
server {
|
||||
listen %%port%% default_server ssl http2;
|
||||
|
||||
include /etc/nginx/includes/server_params.conf;
|
||||
include /etc/nginx/includes/ssl_params.conf;
|
||||
include /etc/nginx/includes/proxy_params.conf;
|
||||
|
||||
ssl_certificate /ssl/%%certfile%%;
|
||||
ssl_certificate_key /ssl/%%keyfile%%;
|
||||
|
||||
location / {
|
||||
access_by_lua_file /etc/nginx/lua/ha-auth.lua;
|
||||
proxy_pass http://backend;
|
||||
}
|
||||
}
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
server {
|
||||
listen %%port%% default_server;
|
||||
|
||||
include /etc/nginx/includes/server_params.conf;
|
||||
include /etc/nginx/includes/proxy_params.conf;
|
||||
|
||||
location / {
|
||||
access_by_lua_file /etc/nginx/lua/ha-auth.lua;
|
||||
proxy_pass http://backend;
|
||||
}
|
||||
}
|
||||
36
glances/rootfs/etc/nginx/templates/direct.gtpl
Normal file
36
glances/rootfs/etc/nginx/templates/direct.gtpl
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
server {
|
||||
{{ if not .ssl }}
|
||||
listen {{ .port }} default_server;
|
||||
{{ else }}
|
||||
listen {{ .port }} default_server ssl http2;
|
||||
{{ end }}
|
||||
|
||||
include /etc/nginx/includes/server_params.conf;
|
||||
include /etc/nginx/includes/proxy_params.conf;
|
||||
|
||||
{{ if .ssl }}
|
||||
include /etc/nginx/includes/ssl_params.conf;
|
||||
|
||||
ssl_certificate /ssl/{{ .certfile }};
|
||||
ssl_certificate_key /ssl/{{ .keyfile }};
|
||||
{{ end }}
|
||||
|
||||
{{ if not .leave_front_door_open }}
|
||||
location = /authentication {
|
||||
internal;
|
||||
proxy_pass http://supervisor/auth;
|
||||
proxy_pass_request_body off;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_set_header X-Supervisor-Token "{{ env "SUPERVISOR_TOKEN" }}";
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
location / {
|
||||
{{ if not .leave_front_door_open }}
|
||||
auth_request /authentication;
|
||||
auth_request_set $auth_status $upstream_status;
|
||||
{{ end }}
|
||||
|
||||
proxy_pass http://backend;
|
||||
}
|
||||
}
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
server {
|
||||
listen %%interface%%:%%port%% default_server;
|
||||
listen {{ .interface }}:{{ .port }} default_server;
|
||||
|
||||
include /etc/nginx/includes/server_params.conf;
|
||||
include /etc/nginx/includes/proxy_params.conf;
|
||||
|
|
@ -8,10 +8,4 @@
|
|||
bashio::net.wait_for 61209
|
||||
|
||||
bashio::log.info "Starting NGinx..."
|
||||
|
||||
# Disable HA Authentication if front door is open
|
||||
if bashio::config.true 'leave_front_door_open'; then
|
||||
export DISABLE_HA_AUTHENTICATION=true
|
||||
fi
|
||||
|
||||
exec nginx
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue