From ff24879f52ae450712758ce61238977a3e7e266a Mon Sep 17 00:00:00 2001 From: Franck Nijhof Date: Thu, 18 Apr 2019 20:40:22 +0200 Subject: [PATCH] :sparkles: Adds Hassio Ingress support --- motioneye/config.json | 11 ++- motioneye/rootfs/etc/cont-init.d/30-nginx.sh | 25 ----- motioneye/rootfs/etc/cont-init.d/nginx.sh | 34 +++++++ .../rootfs/etc/nginx/includes/mime.types | 96 +++++++++++++++++++ .../etc/nginx/includes/proxy_params.conf | 15 +++ .../rootfs/etc/nginx/includes/resolver.conf | 1 + .../etc/nginx/includes/server_params.conf | 6 ++ .../rootfs/etc/nginx/includes/ssl_params.conf | 9 ++ .../rootfs/etc/nginx/includes/upstream.conf | 3 + motioneye/rootfs/etc/nginx/nginx-ssl.conf | 66 ------------- motioneye/rootfs/etc/nginx/nginx.conf | 77 ++++++++------- .../etc/nginx/servers/direct-ssl.disabled | 15 +++ .../rootfs/etc/nginx/servers/direct.disabled | 10 ++ .../rootfs/etc/nginx/servers/ingress.conf | 13 +++ motioneye/rootfs/etc/services.d/nginx/run | 12 ++- 15 files changed, 264 insertions(+), 129 deletions(-) delete mode 100644 motioneye/rootfs/etc/cont-init.d/30-nginx.sh create mode 100644 motioneye/rootfs/etc/cont-init.d/nginx.sh create mode 100644 motioneye/rootfs/etc/nginx/includes/mime.types create mode 100644 motioneye/rootfs/etc/nginx/includes/proxy_params.conf create mode 100644 motioneye/rootfs/etc/nginx/includes/resolver.conf create mode 100644 motioneye/rootfs/etc/nginx/includes/server_params.conf create mode 100644 motioneye/rootfs/etc/nginx/includes/ssl_params.conf create mode 100644 motioneye/rootfs/etc/nginx/includes/upstream.conf delete mode 100644 motioneye/rootfs/etc/nginx/nginx-ssl.conf create mode 100644 motioneye/rootfs/etc/nginx/servers/direct-ssl.disabled create mode 100644 motioneye/rootfs/etc/nginx/servers/direct.disabled create mode 100644 motioneye/rootfs/etc/nginx/servers/ingress.conf diff --git a/motioneye/config.json b/motioneye/config.json index a72d88e..ab040ef 100755 --- a/motioneye/config.json +++ b/motioneye/config.json @@ -6,12 +6,21 @@ "url": "https://github.com/hassio-addons/addon-motioneye", "webui": "[PROTO:ssl]://[HOST]:[PORT:8765]", "startup": "application", + "ingress": true, + "ingress_port": 0, + "homeassistant": "0.91.4", "arch": [ "aarch64", "amd64", "armhf", "i386" ], + "ports": { + "80/tcp": null + }, + "ports_description": { + "80/tcp": "Web interface (Not required for Hass.io Ingress)" + }, "boot": "auto", "hassio_api": true, "hassio_role": "default", @@ -28,7 +37,6 @@ ], "options": { "motion_webcontrol": false, - "port": 8765, "ssl": true, "certfile": "fullchain.pem", "keyfile": "privkey.pem" @@ -36,7 +44,6 @@ "schema": { "log_level": "match(^(trace|debug|info|notice|warning|error|fatal)$)?", "motion_webcontrol": "bool", - "port": "port", "ssl": "bool", "certfile": "str", "keyfile": "str" diff --git a/motioneye/rootfs/etc/cont-init.d/30-nginx.sh b/motioneye/rootfs/etc/cont-init.d/30-nginx.sh deleted file mode 100644 index fbf8f9f..0000000 --- a/motioneye/rootfs/etc/cont-init.d/30-nginx.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/with-contenv bash -# ============================================================================== -# Community Hass.io Add-ons: motionEye -# Configures NGINX for use with motionEye -# ============================================================================== -# shellcheck disable=SC1091 -source /usr/lib/hassio-addons/base.sh - -declare certfile -declare keyfile -declare port - -if hass.config.true 'ssl'; then - rm /etc/nginx/nginx.conf - mv /etc/nginx/nginx-ssl.conf /etc/nginx/nginx.conf - - certfile=$(hass.config.get 'certfile') - keyfile=$(hass.config.get 'keyfile') - - sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/nginx.conf - sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/nginx.conf -fi - -port=$(hass.config.get 'port') -sed -i "s/%%port%%/${port}/g" /etc/nginx/nginx.conf diff --git a/motioneye/rootfs/etc/cont-init.d/nginx.sh b/motioneye/rootfs/etc/cont-init.d/nginx.sh new file mode 100644 index 0000000..1ce2e0b --- /dev/null +++ b/motioneye/rootfs/etc/cont-init.d/nginx.sh @@ -0,0 +1,34 @@ +#!/usr/bin/with-contenv bashio +# ============================================================================== +# Community Hass.io Add-ons: motionEye +# Configures NGINX for use with motionEye +# ============================================================================== +declare port +declare certfile +declare ingress_interface +declare ingress_port +declare keyfile + +port=$(bashio::addon.port 80) +if bashio::var.has_value "${port}"; then + bashio::config.require.ssl + + if bashio::config.true 'ssl'; then + certfile=$(bashio::config 'certfile') + keyfile=$(bashio::config 'keyfile') + + mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf + sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/servers/direct.conf + sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/servers/direct.conf + + else + mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf + fi + + sed -i "s/%%port%%/${port}/g" /etc/nginx/servers/direct.conf +fi + +ingress_port=$(bashio::addon.ingress_port) +ingress_interface=$(bashio::addon.ip_address) +sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf +sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf diff --git a/motioneye/rootfs/etc/nginx/includes/mime.types b/motioneye/rootfs/etc/nginx/includes/mime.types new file mode 100644 index 0000000..7c7cdef --- /dev/null +++ b/motioneye/rootfs/etc/nginx/includes/mime.types @@ -0,0 +1,96 @@ +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + + font/woff woff; + font/woff2 woff2; + + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; + application/vnd.openxmlformats-officedocument.presentationml.presentation + pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document + docx; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/motioneye/rootfs/etc/nginx/includes/proxy_params.conf b/motioneye/rootfs/etc/nginx/includes/proxy_params.conf new file mode 100644 index 0000000..1990d49 --- /dev/null +++ b/motioneye/rootfs/etc/nginx/includes/proxy_params.conf @@ -0,0 +1,15 @@ +proxy_http_version 1.1; +proxy_ignore_client_abort off; +proxy_read_timeout 86400s; +proxy_redirect off; +proxy_send_timeout 86400s; +proxy_max_temp_file_size 0; + +proxy_set_header Accept-Encoding ""; +proxy_set_header Connection $connection_upgrade; +proxy_set_header Host $http_host; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-NginX-Proxy true; +proxy_set_header X-Real-IP $remote_addr; diff --git a/motioneye/rootfs/etc/nginx/includes/resolver.conf b/motioneye/rootfs/etc/nginx/includes/resolver.conf new file mode 100644 index 0000000..758ca69 --- /dev/null +++ b/motioneye/rootfs/etc/nginx/includes/resolver.conf @@ -0,0 +1 @@ +resolver 172.30.32.2; diff --git a/motioneye/rootfs/etc/nginx/includes/server_params.conf b/motioneye/rootfs/etc/nginx/includes/server_params.conf new file mode 100644 index 0000000..09c0654 --- /dev/null +++ b/motioneye/rootfs/etc/nginx/includes/server_params.conf @@ -0,0 +1,6 @@ +root /dev/null; +server_name $hostname; + +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; +add_header X-Robots-Tag none; diff --git a/motioneye/rootfs/etc/nginx/includes/ssl_params.conf b/motioneye/rootfs/etc/nginx/includes/ssl_params.conf new file mode 100644 index 0000000..6f15005 --- /dev/null +++ b/motioneye/rootfs/etc/nginx/includes/ssl_params.conf @@ -0,0 +1,9 @@ +ssl_protocols TLSv1.2; +ssl_prefer_server_ciphers on; +ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA; +ssl_ecdh_curve secp384r1; +ssl_session_timeout 10m; +ssl_session_cache shared:SSL:10m; +ssl_session_tickets off; +ssl_stapling on; +ssl_stapling_verify on; diff --git a/motioneye/rootfs/etc/nginx/includes/upstream.conf b/motioneye/rootfs/etc/nginx/includes/upstream.conf new file mode 100644 index 0000000..1ca54ea --- /dev/null +++ b/motioneye/rootfs/etc/nginx/includes/upstream.conf @@ -0,0 +1,3 @@ +upstream backend { + server 127.0.0.1:28765; +} diff --git a/motioneye/rootfs/etc/nginx/nginx-ssl.conf b/motioneye/rootfs/etc/nginx/nginx-ssl.conf deleted file mode 100644 index 1af00cb..0000000 --- a/motioneye/rootfs/etc/nginx/nginx-ssl.conf +++ /dev/null @@ -1,66 +0,0 @@ -worker_processes 1; -pid /var/run/nginx.pid; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - - upstream motioneye { - ip_hash; - server 127.0.0.1:28765; - } - - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - server { - server_name hassio.local; - listen %%port%% default_server ssl; - root /dev/null; - - ssl_certificate /ssl/%%certfile%%; - ssl_certificate_key /ssl/%%keyfile%%; - ssl_protocols TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA; - ssl_ecdh_curve secp384r1; - ssl_session_timeout 10m; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - - location / { - proxy_redirect off; - proxy_pass http://motioneye; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Authorization ""; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_hide_header X-Frame-Options; - - proxy_connect_timeout 600s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - } - } -} diff --git a/motioneye/rootfs/etc/nginx/nginx.conf b/motioneye/rootfs/etc/nginx/nginx.conf index 27ea8e4..9e9a49c 100644 --- a/motioneye/rootfs/etc/nginx/nginx.conf +++ b/motioneye/rootfs/etc/nginx/nginx.conf @@ -1,50 +1,57 @@ -worker_processes 1; +# Run nginx in foreground. +daemon off; + +# This is run inside Docker. +user root; + +# Pid storage location. pid /var/run/nginx.pid; +# Set number of worker processes. +worker_processes 1; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Write error log to Hass.io add-on log. +error_log /proc/1/fd/1 error; + +# Load allowed environment vars +env HASSIO_TOKEN; +env DISABLE_HA_AUTHENTICATION; + +# Load dynamic modules. +include /etc/nginx/modules/*.conf; + +# Max num of simultaneous connections by a worker process. events { - worker_connections 1024; + worker_connections 512; } http { - include mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; + include /etc/nginx/includes/mime.types; - upstream motioneye { - ip_hash; - server 127.0.0.1:28765; - } + log_format hassio '[$time_local] $status ' + '$http_x_forwarded_for($remote_addr) ' + '$request ($http_user_agent)'; + + access_log /proc/1/fd/1 hassio; + client_max_body_size 4G; + default_type application/octet-stream; + gzip on; + keepalive_timeout 65; + sendfile on; + server_tokens off; + tcp_nodelay on; + tcp_nopush on; map $http_upgrade $connection_upgrade { default upgrade; '' close; } - server { - server_name hassio.local; - listen %%port%% default_server; - root /dev/null; + include /etc/nginx/includes/resolver.conf; + include /etc/nginx/includes/upstream.conf; - location / { - proxy_redirect off; - proxy_pass http://motioneye; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Authorization ""; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_hide_header X-Frame-Options; - - proxy_connect_timeout 600s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - } - } + include /etc/nginx/servers/*.conf; } diff --git a/motioneye/rootfs/etc/nginx/servers/direct-ssl.disabled b/motioneye/rootfs/etc/nginx/servers/direct-ssl.disabled new file mode 100644 index 0000000..c8624b7 --- /dev/null +++ b/motioneye/rootfs/etc/nginx/servers/direct-ssl.disabled @@ -0,0 +1,15 @@ +server { + listen %%port%% default_server ssl http2; + + include /etc/nginx/includes/server_params.conf; + include /etc/nginx/includes/ssl_params.conf; + include /etc/nginx/includes/proxy_params.conf; + + ssl on; + ssl_certificate /ssl/%%certfile%%; + ssl_certificate_key /ssl/%%keyfile%%; + + location / { + proxy_pass http://backend; + } +} diff --git a/motioneye/rootfs/etc/nginx/servers/direct.disabled b/motioneye/rootfs/etc/nginx/servers/direct.disabled new file mode 100644 index 0000000..43a3175 --- /dev/null +++ b/motioneye/rootfs/etc/nginx/servers/direct.disabled @@ -0,0 +1,10 @@ +server { + listen %%port%% default_server; + + include /etc/nginx/includes/server_params.conf; + include /etc/nginx/includes/proxy_params.conf; + + location / { + proxy_pass http://backend; + } +} diff --git a/motioneye/rootfs/etc/nginx/servers/ingress.conf b/motioneye/rootfs/etc/nginx/servers/ingress.conf new file mode 100644 index 0000000..d655706 --- /dev/null +++ b/motioneye/rootfs/etc/nginx/servers/ingress.conf @@ -0,0 +1,13 @@ +server { + listen %%interface%%:%%port%% default_server; + + include /etc/nginx/includes/server_params.conf; + include /etc/nginx/includes/proxy_params.conf; + + location / { + allow 172.30.32.2; + deny all; + + proxy_pass http://backend; + } +} diff --git a/motioneye/rootfs/etc/services.d/nginx/run b/motioneye/rootfs/etc/services.d/nginx/run index 93fbea3..b353110 100644 --- a/motioneye/rootfs/etc/services.d/nginx/run +++ b/motioneye/rootfs/etc/services.d/nginx/run @@ -4,4 +4,14 @@ # Runs the Nginx daemon # ============================================================================== -exec nginx -g "daemon off;" +# Wait for motionEye to be available +bashio::net.wait_for 28765 + +bashio::log.info "Starting NGinx..." + +# Disable HA Authentication if front door is open +if bashio::config.true 'leave_front_door_open'; then + export DISABLE_HA_AUTHENTICATION=true +fi + +exec nginx