hassio-addons/addon-glances
1
0
Fork 0
mirror of https://github.com/hassio-addons/addon-glances.git synced 2025-05-05 11:31:31 +00:00
Code Issues Projects Releases Packages Wiki Activity

Refactor NGINX configuration and HA authentication (#97)

Browse source 
* Refactor NGINX configuration and HA authentication

* Remove Lua packages
This commit is contained in:
Franck Nijhof 2021-01-24 21:09:24 +01:00 committed by GitHub
parent edce09a0d1
commit 884fdebb64
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 57 additions and 159 deletions
Download patch file Download diff file Expand all files Collapse all files

2
glances/Dockerfile
View file

@ -19,8 +19,6 @@ RUN \
python3-dev=3.8.7-r0 \ python3-dev=3.8.7-r0 \
\ \
&& apk add --no-cache \ && apk add --no-cache \
lua-resty-http=0.15-r0 \
nginx-mod-http-lua=1.18.0-r13 \
nginx=1.18.0-r13 \ nginx=1.18.0-r13 \
py3-pip=20.3.3-r0 \ py3-pip=20.3.3-r0 \
python3=3.8.7-r0 \ python3=3.8.7-r0 \

49
glances/rootfs/etc/cont-init.d/nginx.sh
View file

@ -3,36 +3,25 @@
# Home Assistant Community Add-on: SSH & Web Terminal # Home Assistant Community Add-on: SSH & Web Terminal
# Configures NGINX for use with ttyd # Configures NGINX for use with ttyd
# ============================================================================== # ==============================================================================
declare port
declare certfile
declare dns_host
declare ingress_interface
declare ingress_port
declare keyfile
port=$(bashio::addon.port 80) # Generate Ingress configuration
if bashio::var.has_value "${port}"; then bashio::var.json \
interface "$(bashio::addon.ip_address)" \
port "^$(bashio::addon.ingress_port)" \
| tempio \
-template /etc/nginx/templates/ingress.gtpl \
-out /etc/nginx/servers/ingress.conf
# Generate direct access configuration, if enabled.
if bashio::var.has_value "$(bashio::addon.port 80)"; then
bashio::config.require.ssl bashio::config.require.ssl
bashio::var.json \
if bashio::config.true 'ssl'; then certfile "$(bashio::config 'certfile')" \
certfile=$(bashio::config 'certfile') keyfile "$(bashio::config 'keyfile')" \
keyfile=$(bashio::config 'keyfile') leave_front_door_open "^$(bashio::config 'leave_front_door_open')" \
port "^$(bashio::addon.port 80)" \
mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf ssl "^$(bashio::config 'ssl')" \
sed -i "s#%%certfile%%#${certfile}#g" /etc/nginx/servers/direct.conf | tempio \
sed -i "s#%%keyfile%%#${keyfile}#g" /etc/nginx/servers/direct.conf -template /etc/nginx/templates/direct.gtpl \
-out /etc/nginx/servers/direct.conf
else
mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
fi
sed -i "s/%%port%%/${port}/g" /etc/nginx/servers/direct.conf
fi fi
ingress_port=$(bashio::addon.ingress_port)
ingress_interface=$(bashio::addon.ip_address)
sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
dns_host=$(bashio::dns.host)
sed -i "s/%%dns_host%%/${dns_host}/g" /etc/nginx/includes/resolver.conf

1
glances/rootfs/etc/nginx/includes/resolver.conf
View file

@ -1 +0,0 @@
resolver %%dns_host%%;

83
glances/rootfs/etc/nginx/lua/ha-auth.lua
View file

@ -1,83 +0,0 @@
local http = require "resty.http"
local auths = ngx.shared.auths
function authenticate()
--- Test Authentication header is set and with a value
local header = ngx.req.get_headers()['Authorization']
if header == nil or header:find(" ") == nil then
return false
end
local divider = header:find(' ')
if header:sub(0, divider-1) ~= 'Basic' then
return false
end
local auth = ngx.decode_base64(header:sub(divider+1))
if auth == nil or auth:find(':') == nil then
return false
end
divider = auth:find(':')
local username = auth:sub(0, divider-1)
local password = auth:sub(divider+1)
--- Check if authentication is cached
if auths:get(username) == password then
ngx.log(ngx.DEBUG, "Authenticated user against Home Assistant (cache).")
return true
end
--- HTTP request against the Supervisor API
local httpc = http.new()
local res, err = httpc:request_uri("http://supervisor.local.hass.io/auth", {
method = "POST",
body = ngx.encode_args({["username"]=username, ["password"]=password}),
headers = {
["Content-Type"] = "application/x-www-form-urlencoded",
["X-Supervisor-Token"] = os.getenv("SUPERVISOR_TOKEN"),
},
keepalive_timeout = 60,
keepalive_pool = 10
})
--- Error during API request
if err then
ngx.log(ngx.WARN, "Error during Home Assistant user authentication.", err)
return false
end
--- No result? Something went wrong...
if not res then
ngx.log(ngx.WARN, "Error during Home Assistant user authentication.")
return false
end
--- Valid response, the username/password is valid
if res.status == 200 then
ngx.log(ngx.INFO, "Authenticated user against Home Assistant.")
auths:set(username, password, 60)
return true
end
--- Whatever the response is, it is invalid
ngx.log(ngx.WARN, "Authentication against Home Assistant failed!")
return false
end
-- Only authenticate if its not disabled
if not os.getenv('DISABLE_HA_AUTHENTICATION') then
--- Try to authenticate against HA
local authenticated = authenticate()
--- If authentication failed, throw a basic auth
if not authenticated then
ngx.header.content_type = 'text/plain'
ngx.header.www_authenticate = 'Basic realm="Home Assistant"'
ngx.status = ngx.HTTP_UNAUTHORIZED
ngx.say('401 Access Denied')
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
end

1
glances/rootfs/etc/nginx/modules/ndk_http.conf
View file

@ -1 +0,0 @@
load_module "/usr/lib/nginx/modules/ndk_http_module.so";

1
glances/rootfs/etc/nginx/modules/ngx_http_lua.conf
View file

@ -1 +0,0 @@
load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so";

8
glances/rootfs/etc/nginx/nginx.conf
View file

@ -18,10 +18,6 @@ error_log /dev/stdout error;
# Load allowed environment vars # Load allowed environment vars
env SUPERVISOR_TOKEN; env SUPERVISOR_TOKEN;
env DISABLE_HA_AUTHENTICATION;
# Load dynamic modules.
include /etc/nginx/modules/*.conf;
# Max num of simultaneous connections by a worker process. # Max num of simultaneous connections by a worker process.
events { events {
@ -40,8 +36,6 @@ http {
default_type application/octet-stream; default_type application/octet-stream;
gzip on; gzip on;
keepalive_timeout 65; keepalive_timeout 65;
lua_load_resty_core off;
lua_shared_dict auths 16k;
sendfile on; sendfile on;
server_tokens off; server_tokens off;
tcp_nodelay on; tcp_nodelay on;
@ -52,8 +46,6 @@ http {
'' close; '' close;
} }
include /etc/nginx/includes/resolver.conf;
include /etc/nginx/includes/upstream.conf; include /etc/nginx/includes/upstream.conf;
include /etc/nginx/servers/*.conf; include /etc/nginx/servers/*.conf;
} }

1
glances/rootfs/etc/nginx/servers/.gitkeep Normal file
View file

@ -0,0 +1 @@
Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)

15
glances/rootfs/etc/nginx/servers/direct-ssl.disabled
View file

@ -1,15 +0,0 @@
server {
listen %%port%% default_server ssl http2;
include /etc/nginx/includes/server_params.conf;
include /etc/nginx/includes/ssl_params.conf;
include /etc/nginx/includes/proxy_params.conf;
ssl_certificate /ssl/%%certfile%%;
ssl_certificate_key /ssl/%%keyfile%%;
location / {
access_by_lua_file /etc/nginx/lua/ha-auth.lua;
proxy_pass http://backend;
}
}

11
glances/rootfs/etc/nginx/servers/direct.disabled
View file

@ -1,11 +0,0 @@
server {
listen %%port%% default_server;
include /etc/nginx/includes/server_params.conf;
include /etc/nginx/includes/proxy_params.conf;
location / {
access_by_lua_file /etc/nginx/lua/ha-auth.lua;
proxy_pass http://backend;
}
}

36
glances/rootfs/etc/nginx/templates/direct.gtpl Normal file
View file

@ -0,0 +1,36 @@
server {
{{ if not .ssl }}
listen {{ .port }} default_server;
{{ else }}
listen {{ .port }} default_server ssl http2;
{{ end }}
include /etc/nginx/includes/server_params.conf;
include /etc/nginx/includes/proxy_params.conf;
{{ if .ssl }}
include /etc/nginx/includes/ssl_params.conf;
ssl_certificate /ssl/{{ .certfile }};
ssl_certificate_key /ssl/{{ .keyfile }};
{{ end }}
{{ if not .leave_front_door_open }}
location = /authentication {
internal;
proxy_pass http://supervisor/auth;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Supervisor-Token "{{ env "SUPERVISOR_TOKEN" }}";
}
{{ end }}
location / {
{{ if not .leave_front_door_open }}
auth_request /authentication;
auth_request_set $auth_status $upstream_status;
{{ end }}
proxy_pass http://backend;
}
}

2
glances/rootfs/etc/nginx/servers/ingress.conf → glances/rootfs/etc/nginx/templates/ingress.gtpl
View file

@ -1,5 +1,5 @@
server { server {
listen %%interface%%:%%port%% default_server; listen {{ .interface }}:{{ .port }} default_server;
include /etc/nginx/includes/server_params.conf; include /etc/nginx/includes/server_params.conf;
include /etc/nginx/includes/proxy_params.conf; include /etc/nginx/includes/proxy_params.conf;

6
glances/rootfs/etc/services.d/nginx/run
View file

@ -8,10 +8,4 @@
bashio::net.wait_for 61209 bashio::net.wait_for 61209
bashio::log.info "Starting NGinx..." bashio::log.info "Starting NGinx..."
# Disable HA Authentication if front door is open
if bashio::config.true 'leave_front_door_open'; then
export DISABLE_HA_AUTHENTICATION=true
fi
exec nginx exec nginx