Refactor NGINX configuration and HA authentication

2025-05-04 19:11:23 +00:00 · 2021-01-24 20:52:41 +01:00 · 2021-01-24 20:52:41 +01:00 · bd78b2a5be
commit bd78b2a5be
parent edce09a0d1
12 changed files with 57 additions and 157 deletions
--- a/glances/rootfs/etc/cont-init.d/nginx.sh
+++ b/glances/rootfs/etc/cont-init.d/nginx.sh
@ -3,36 +3,25 @@
 # Home Assistant Community Add-on: SSH & Web Terminal
 # Configures NGINX for use with ttyd
 # ==============================================================================
-declare port
-declare certfile
-declare dns_host
-declare ingress_interface
-declare ingress_port
-declare keyfile

-port=$(bashio::addon.port 80)
-if bashio::var.has_value "${port}"; then
+# Generate Ingress configuration
+bashio::var.json \
+    interface "$(bashio::addon.ip_address)" \
+    port "^$(bashio::addon.ingress_port)" \
+    | tempio \
+        -template /etc/nginx/templates/ingress.gtpl \
+        -out /etc/nginx/servers/ingress.conf
+
+# Generate direct access configuration, if enabled.
+if bashio::var.has_value "$(bashio::addon.port 80)"; then
    bashio::config.require.ssl
-
-    if bashio::config.true 'ssl'; then
-        certfile=$(bashio::config 'certfile')
-        keyfile=$(bashio::config 'keyfile')
-
-        mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
-        sed -i "s#%%certfile%%#${certfile}#g" /etc/nginx/servers/direct.conf
-        sed -i "s#%%keyfile%%#${keyfile}#g" /etc/nginx/servers/direct.conf
-
-    else
-        mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
-    fi
-
-    sed -i "s/%%port%%/${port}/g" /etc/nginx/servers/direct.conf
+    bashio::var.json \
+        certfile "$(bashio::config 'certfile')" \
+        keyfile "$(bashio::config 'keyfile')" \
+        leave_front_door_open "^$(bashio::config 'leave_front_door_open')" \
+        port "^$(bashio::addon.port 80)" \
+        ssl "^$(bashio::config 'ssl')" \
+        | tempio \
+            -template /etc/nginx/templates/direct.gtpl \
+            -out /etc/nginx/servers/direct.conf
 fi
-
-ingress_port=$(bashio::addon.ingress_port)
-ingress_interface=$(bashio::addon.ip_address)
-sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
-sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
-
-dns_host=$(bashio::dns.host)
-sed -i "s/%%dns_host%%/${dns_host}/g" /etc/nginx/includes/resolver.conf
--- a/glances/rootfs/etc/nginx/includes/resolver.conf
+++ b/glances/rootfs/etc/nginx/includes/resolver.conf
@ -1 +0,0 @@
-resolver %%dns_host%%;
--- a/glances/rootfs/etc/nginx/lua/ha-auth.lua
+++ b/glances/rootfs/etc/nginx/lua/ha-auth.lua
@ -1,83 +0,0 @@
-local http = require "resty.http"
-local auths = ngx.shared.auths
-
-function authenticate()
-
-    --- Test Authentication header is set and with a value
-    local header = ngx.req.get_headers()['Authorization']
-    if header == nil or header:find(" ") == nil then
-        return false
-    end
-
-    local divider = header:find(' ')
-    if header:sub(0, divider-1) ~= 'Basic' then
-       return false
-    end
-
-    local auth = ngx.decode_base64(header:sub(divider+1))
-    if auth == nil or auth:find(':') == nil then
-        return false
-    end
-
-    divider = auth:find(':')
-    local username = auth:sub(0, divider-1)
-    local password = auth:sub(divider+1)
-
-    --- Check if authentication is cached
-    if auths:get(username) == password then
-        ngx.log(ngx.DEBUG, "Authenticated user against Home Assistant (cache).")
-        return true
-    end
-
-    --- HTTP request against the Supervisor API
-    local httpc = http.new()
-    local res, err = httpc:request_uri("http://supervisor.local.hass.io/auth", {
-        method = "POST",
-        body = ngx.encode_args({["username"]=username, ["password"]=password}),
-        headers = {
-            ["Content-Type"] = "application/x-www-form-urlencoded",
-            ["X-Supervisor-Token"] = os.getenv("SUPERVISOR_TOKEN"),
-        },
-        keepalive_timeout = 60,
-        keepalive_pool = 10
-    })
-
-    --- Error during API request
-    if err then
-        ngx.log(ngx.WARN, "Error during Home Assistant user authentication.", err)
-        return false
-    end
-
-    --- No result? Something went wrong...
-    if not res then
-        ngx.log(ngx.WARN, "Error during Home Assistant user authentication.")
-        return false
-    end
-
-    --- Valid response, the username/password is valid
-    if res.status == 200 then
-        ngx.log(ngx.INFO, "Authenticated user against Home Assistant.")
-        auths:set(username, password, 60)
-        return true
-    end
-
-    --- Whatever the response is, it is invalid
-    ngx.log(ngx.WARN, "Authentication against Home Assistant failed!")
-    return false
-end
-
-- Only authenticate if its not disabled
-if not os.getenv('DISABLE_HA_AUTHENTICATION') then
-
-    --- Try to authenticate against HA
-    local authenticated = authenticate()
-
-    --- If authentication failed, throw a basic auth
-    if not authenticated then
-       ngx.header.content_type = 'text/plain'
-       ngx.header.www_authenticate = 'Basic realm="Home Assistant"'
-       ngx.status = ngx.HTTP_UNAUTHORIZED
-       ngx.say('401 Access Denied')
-       ngx.exit(ngx.HTTP_UNAUTHORIZED)
-    end
-end
--- a/glances/rootfs/etc/nginx/modules/ndk_http.conf
+++ b/glances/rootfs/etc/nginx/modules/ndk_http.conf
@ -1 +0,0 @@
-load_module "/usr/lib/nginx/modules/ndk_http_module.so";
--- a/glances/rootfs/etc/nginx/modules/ngx_http_lua.conf
+++ b/glances/rootfs/etc/nginx/modules/ngx_http_lua.conf
@ -1 +0,0 @@
-load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so";
--- a/glances/rootfs/etc/nginx/nginx.conf
+++ b/glances/rootfs/etc/nginx/nginx.conf
@ -18,10 +18,6 @@ error_log /dev/stdout error;

 # Load allowed environment vars
 env SUPERVISOR_TOKEN;
-env DISABLE_HA_AUTHENTICATION;
-
-# Load dynamic modules.
-include /etc/nginx/modules/*.conf;

 # Max num of simultaneous connections by a worker process.
 events {
@ -40,8 +36,6 @@ http {
    default_type            application/octet-stream;
    gzip                    on;
    keepalive_timeout       65;
-    lua_load_resty_core     off;
-    lua_shared_dict         auths 16k;
    sendfile                on;
    server_tokens           off;
    tcp_nodelay             on;
@ -52,8 +46,6 @@ http {
        ''      close;
    }

-    include /etc/nginx/includes/resolver.conf;
    include /etc/nginx/includes/upstream.conf;
-
    include /etc/nginx/servers/*.conf;
 }
--- a/glances/rootfs/etc/nginx/servers/.gitkeep
+++ b/glances/rootfs/etc/nginx/servers/.gitkeep
@ -0,0 +1 @@
+Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)
--- a/glances/rootfs/etc/nginx/servers/direct-ssl.disabled
+++ b/glances/rootfs/etc/nginx/servers/direct-ssl.disabled
@ -1,15 +0,0 @@
-server {
-    listen %%port%% default_server ssl http2;
-
-    include /etc/nginx/includes/server_params.conf;
-    include /etc/nginx/includes/ssl_params.conf;
-    include /etc/nginx/includes/proxy_params.conf;
-
-    ssl_certificate /ssl/%%certfile%%;
-    ssl_certificate_key /ssl/%%keyfile%%;
-
-    location / {
-        access_by_lua_file /etc/nginx/lua/ha-auth.lua;
-        proxy_pass http://backend;
-    }
-}
--- a/glances/rootfs/etc/nginx/servers/direct.disabled
+++ b/glances/rootfs/etc/nginx/servers/direct.disabled
@ -1,11 +0,0 @@
-server {
-    listen %%port%% default_server;
-
-    include /etc/nginx/includes/server_params.conf;
-    include /etc/nginx/includes/proxy_params.conf;
-
-    location / {
-        access_by_lua_file /etc/nginx/lua/ha-auth.lua;
-        proxy_pass http://backend;
-    }
-}
--- a/glances/rootfs/etc/nginx/templates/direct.gtpl
+++ b/glances/rootfs/etc/nginx/templates/direct.gtpl
@ -0,0 +1,36 @@
+server {
+    {{ if not .ssl }}
+    listen {{ .port }} default_server;
+    {{ else }}
+    listen {{ .port }} default_server ssl http2;
+    {{ end }}
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    {{ if .ssl }}
+    include /etc/nginx/includes/ssl_params.conf;
+
+    ssl_certificate /ssl/{{ .certfile }};
+    ssl_certificate_key /ssl/{{ .keyfile }};
+    {{ end }}
+
+    {{ if not .leave_front_door_open }}
+    location = /authentication {
+        internal;
+        proxy_pass              http://supervisor/auth;
+        proxy_pass_request_body off;
+        proxy_set_header        Content-Length "";
+        proxy_set_header        X-Supervisor-Token "{{ env "SUPERVISOR_TOKEN" }}";
+    }
+    {{ end }}
+
+    location / {
+        {{ if not .leave_front_door_open }}
+        auth_request /authentication;
+        auth_request_set $auth_status $upstream_status;
+        {{ end }}
+
+        proxy_pass http://backend;
+    }
+}
--- a/glances/rootfs/etc/nginx/templates/ingress.gtpl
+++ b/glances/rootfs/etc/nginx/templates/ingress.gtpl
@ -1,5 +1,5 @@
 server {
-    listen %%interface%%:%%port%% default_server;
+    listen {{ .interface }}:{{ .port }} default_server;

    include /etc/nginx/includes/server_params.conf;
    include /etc/nginx/includes/proxy_params.conf;
--- a/glances/rootfs/etc/services.d/nginx/run
+++ b/glances/rootfs/etc/services.d/nginx/run
@ -8,10 +8,4 @@
 bashio::net.wait_for 61209

 bashio::log.info "Starting NGinx..."
-
-# Disable HA Authentication if front door is open
-if bashio::config.true 'leave_front_door_open'; then
-    export DISABLE_HA_AUTHENTICATION=true
-fi
-
 exec nginx
				`@ -1 +0,0 @@`
				`load_module "/usr/lib/nginx/modules/ndk_http_module.so";`
				`@ -1 +0,0 @@`
				`load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so";`
				`@ -0,0 +1 @@`
				`Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)`