2014-06-20 01:16:38 +00:00
|
|
|
# Creates an nginx configuration file so we serve HTTP/HTTPS on all
|
|
|
|
# domains for which a mail account has been set up.
|
|
|
|
########################################################################
|
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
import os.path
|
|
|
|
import re
|
|
|
|
import rtyaml
|
2014-06-20 01:16:38 +00:00
|
|
|
|
|
|
|
from mailconfig import get_mail_domains
|
2015-11-29 13:59:22 +00:00
|
|
|
from dns_update import get_custom_dns_config, get_dns_zones
|
|
|
|
from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
|
2020-07-15 14:28:02 +00:00
|
|
|
from utils import shell, safe_domain_name, sort_domains, get_php_version
|
2014-06-20 01:16:38 +00:00
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
|
|
|
def get_web_domains(env,
|
|
|
|
include_www_redirects=True,
|
|
|
|
include_auto=True,
|
|
|
|
exclude_dns_elsewhere=True):
|
2015-11-29 14:43:12 +00:00
|
|
|
# What domains should we serve HTTP(S) for?
|
2014-06-20 01:16:38 +00:00
|
|
|
domains = set()
|
|
|
|
|
2015-11-29 14:43:12 +00:00
|
|
|
# Serve web for all mail domains so that we might at least
|
2015-02-17 00:08:04 +00:00
|
|
|
# provide auto-discover of email settings, and also a static website
|
2015-11-29 14:43:12 +00:00
|
|
|
# if the user wants to make one.
|
|
|
|
domains |= get_mail_domains(env)
|
|
|
|
|
2021-06-27 21:24:26 +00:00
|
|
|
if include_www_redirects and include_auto:
|
2021-03-30 19:01:46 +00:00
|
|
|
# Add 'www.' subdomains that we want to provide default redirects
|
|
|
|
# to the main domain for. We'll add 'www.' to any DNS zones, i.e.
|
|
|
|
# the topmost of each domain we serve.
|
|
|
|
domains |= set('www.' + zone for zone, zonefile in get_dns_zones(env))
|
2015-11-29 14:43:12 +00:00
|
|
|
|
2021-06-27 21:24:26 +00:00
|
|
|
if include_auto:
|
|
|
|
# Add Autoconfiguration domains for domains that there are user accounts at:
|
|
|
|
# 'autoconfig.' for Mozilla Thunderbird auto setup.
|
|
|
|
# 'autodiscover.' for ActiveSync autodiscovery (Z-Push).
|
2022-02-04 23:26:24 +00:00
|
|
|
domains |= set(
|
|
|
|
'autoconfig.' + maildomain
|
|
|
|
for maildomain in get_mail_domains(env, users_only=True))
|
|
|
|
domains |= set(
|
|
|
|
'autodiscover.' + maildomain
|
|
|
|
for maildomain in get_mail_domains(env, users_only=True))
|
2019-05-09 17:13:24 +00:00
|
|
|
|
2021-06-27 21:24:26 +00:00
|
|
|
# 'mta-sts.' for MTA-STS support for all domains that have email addresses.
|
2022-02-04 23:26:24 +00:00
|
|
|
domains |= set('mta-sts.' + maildomain
|
|
|
|
for maildomain in get_mail_domains(env))
|
2019-05-09 17:13:24 +00:00
|
|
|
|
2021-02-11 23:19:35 +00:00
|
|
|
# 'openpgpkey.' for WKD support
|
2022-02-04 23:26:24 +00:00
|
|
|
domains |= set('openpgpkey.' + maildomain
|
|
|
|
for maildomain in get_mail_domains(env))
|
2021-02-11 23:19:35 +00:00
|
|
|
|
2019-09-10 11:10:58 +00:00
|
|
|
if exclude_dns_elsewhere:
|
|
|
|
# ...Unless the domain has an A/AAAA record that maps it to a different
|
|
|
|
# IP address than this box. Remove those domains from our list.
|
|
|
|
domains -= get_domains_with_a_records(env)
|
|
|
|
|
2015-11-29 14:43:12 +00:00
|
|
|
# Ensure the PRIMARY_HOSTNAME is in the list so we can serve webmail
|
|
|
|
# as well as Z-Push for Exchange ActiveSync. This can't be removed
|
|
|
|
# by a custom A/AAAA record and is never a 'www.' redirect.
|
|
|
|
domains.add(env['PRIMARY_HOSTNAME'])
|
2014-06-20 01:16:38 +00:00
|
|
|
|
2015-06-04 11:45:08 +00:00
|
|
|
# Sort the list so the nginx conf gets written in a stable order.
|
2014-06-22 15:34:36 +00:00
|
|
|
domains = sort_domains(domains, env)
|
2014-06-20 01:16:38 +00:00
|
|
|
|
|
|
|
return domains
|
2015-06-04 11:38:48 +00:00
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2015-06-04 11:38:48 +00:00
|
|
|
def get_domains_with_a_records(env):
|
|
|
|
domains = set()
|
|
|
|
dns = get_custom_dns_config(env)
|
2021-09-16 14:35:04 +00:00
|
|
|
for domain, rtype, value, ttl in dns:
|
2022-02-04 23:26:24 +00:00
|
|
|
if rtype == "CNAME" or (rtype in ("A", "AAAA")
|
|
|
|
and value not in ("local", env['PUBLIC_IP'])):
|
2015-06-04 11:38:48 +00:00
|
|
|
domains.add(domain)
|
|
|
|
return domains
|
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2015-06-04 12:32:00 +00:00
|
|
|
def get_web_domains_with_root_overrides(env):
|
|
|
|
# Load custom settings so we can tell what domains have a redirect or proxy set up on '/',
|
|
|
|
# which means static hosting is not happening.
|
2022-02-04 23:26:24 +00:00
|
|
|
root_overrides = {}
|
2015-06-04 12:32:00 +00:00
|
|
|
nginx_conf_custom_fn = os.path.join(env["STORAGE_ROOT"], "www/custom.yaml")
|
|
|
|
if os.path.exists(nginx_conf_custom_fn):
|
|
|
|
custom_settings = rtyaml.load(open(nginx_conf_custom_fn))
|
|
|
|
for domain, settings in custom_settings.items():
|
2022-02-04 23:26:24 +00:00
|
|
|
for type, value in [('redirect', settings.get('redirects',
|
|
|
|
{}).get('/')),
|
|
|
|
('proxy', settings.get('proxies',
|
|
|
|
{}).get('/'))]:
|
2015-06-04 12:32:00 +00:00
|
|
|
if value:
|
|
|
|
root_overrides[domain] = (type, value)
|
|
|
|
return root_overrides
|
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2021-02-12 16:23:26 +00:00
|
|
|
DOMAIN_EXTERNAL = -1
|
|
|
|
DOMAIN_PRIMARY = 1
|
|
|
|
DOMAIN_WWW = 2
|
|
|
|
DOMAIN_REDIRECT = 4
|
|
|
|
DOMAIN_WKD = 8
|
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2021-02-12 16:23:26 +00:00
|
|
|
def get_web_domain_flags(env):
|
|
|
|
flags = dict()
|
|
|
|
zones = get_dns_zones(env)
|
|
|
|
email_domains = get_mail_domains(env)
|
|
|
|
user_domains = get_mail_domains(env, users_only=True)
|
|
|
|
external = get_domains_with_a_records(env)
|
|
|
|
redirects = get_web_domains_with_root_overrides(env)
|
|
|
|
|
|
|
|
for d in email_domains:
|
2021-02-14 00:42:16 +00:00
|
|
|
flags[d] = flags.get(d, 0)
|
2021-02-12 16:23:26 +00:00
|
|
|
flags[f"mta-sts.{d}"] = flags.get(d, 0)
|
|
|
|
flags[f"openpgpkey.{d}"] = flags.get(d, 0) | DOMAIN_WKD
|
|
|
|
|
|
|
|
for d in user_domains:
|
|
|
|
flags[f"autoconfig.{d}"] = flags.get(d, 0)
|
|
|
|
flags[f"autodiscover.{d}"] = flags.get(d, 0)
|
|
|
|
|
2021-02-13 00:53:10 +00:00
|
|
|
for d, _ in zones:
|
2021-02-12 16:23:26 +00:00
|
|
|
flags[f"www.{d}"] = flags.get(d, 0) | DOMAIN_WWW
|
|
|
|
|
|
|
|
for d in redirects:
|
|
|
|
flags[d] = flags.get(d, 0) | DOMAIN_REDIRECT
|
|
|
|
|
|
|
|
flags[env["PRIMARY_HOSTNAME"]] |= DOMAIN_PRIMARY
|
|
|
|
|
|
|
|
# Last check for websites hosted elsewhere
|
|
|
|
for d in flags.keys():
|
|
|
|
if d in external:
|
2022-02-04 23:26:24 +00:00
|
|
|
# -1 = All bits set to 1, assuming twos-complement
|
|
|
|
flags[d] = DOMAIN_EXTERNAL
|
2021-02-12 16:23:26 +00:00
|
|
|
return flags
|
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2015-05-28 18:45:35 +00:00
|
|
|
def do_web_update(env):
|
2015-09-18 13:03:07 +00:00
|
|
|
# Pre-load what SSL certificates we will use for each domain.
|
|
|
|
ssl_certificates = get_ssl_certificates(env)
|
|
|
|
|
2014-06-20 01:16:38 +00:00
|
|
|
# Build an nginx configuration file.
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf = open(
|
|
|
|
os.path.join(os.path.dirname(__file__),
|
|
|
|
"../conf/nginx-top.conf")).read()
|
2020-07-15 14:28:02 +00:00
|
|
|
nginx_conf = re.sub("{{phpver}}", get_php_version(), nginx_conf)
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2021-11-17 22:41:36 +00:00
|
|
|
# Add upstream additions
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_upstream_include = os.path.join(env["STORAGE_ROOT"], "www",
|
|
|
|
".upstream.conf")
|
2021-11-17 22:41:36 +00:00
|
|
|
if not os.path.exists(nginx_upstream_include):
|
|
|
|
with open(nginx_upstream_include, "a+") as f:
|
|
|
|
f.writelines([
|
|
|
|
f"# Add your nginx-wide configurations here.\n",
|
|
|
|
"# The following names are already defined:\n\n",
|
|
|
|
"# # php-default: The php socket used for apps managed by the box. (Roundcube, Z-Push, Nextcloud, etc.) - DO NOT USE!\n",
|
|
|
|
"# # php-fpm: A php socket not managed by the box. Feel free to use it for your PHP applications\n"
|
|
|
|
])
|
|
|
|
|
|
|
|
nginx_conf += "\ninclude %s;\n" % (nginx_upstream_include)
|
2014-08-12 11:00:54 +00:00
|
|
|
|
2015-06-04 11:45:08 +00:00
|
|
|
# Load the templates.
|
2022-02-04 23:26:24 +00:00
|
|
|
template0 = open(
|
|
|
|
os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read()
|
|
|
|
template1 = open(
|
|
|
|
os.path.join(os.path.dirname(__file__),
|
|
|
|
"../conf/nginx-alldomains.conf")).read()
|
|
|
|
template2 = open(
|
|
|
|
os.path.join(os.path.dirname(__file__),
|
|
|
|
"../conf/nginx-primaryonly.conf")).read()
|
2020-09-27 00:31:51 +00:00
|
|
|
template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n"
|
2022-02-04 23:26:24 +00:00
|
|
|
template4 = open(
|
|
|
|
os.path.join(os.path.dirname(__file__),
|
|
|
|
"../conf/nginx-openpgpkey.conf")).read()
|
2015-06-04 11:45:08 +00:00
|
|
|
|
|
|
|
# Add the PRIMARY_HOST configuration first so it becomes nginx's default server.
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'],
|
|
|
|
[template0, template1, template2],
|
|
|
|
ssl_certificates, env)
|
2015-06-04 11:45:08 +00:00
|
|
|
|
|
|
|
# Add configuration all other web domains.
|
2021-04-13 22:01:18 +00:00
|
|
|
pairs = list(get_web_domain_flags(env).items())
|
|
|
|
|
|
|
|
# Sort the domains in some way to keep ordering consistency. Keep domains and subdomains together.
|
2022-02-04 23:26:24 +00:00
|
|
|
pairs.sort(reverse=False, key=lambda x: x[0][::-1])
|
2021-04-13 22:01:18 +00:00
|
|
|
for domain, flags in pairs:
|
2021-02-13 00:43:13 +00:00
|
|
|
if flags & DOMAIN_PRIMARY == DOMAIN_PRIMARY or flags == DOMAIN_EXTERNAL:
|
2015-11-29 14:43:12 +00:00
|
|
|
# PRIMARY_HOSTNAME is handled above.
|
|
|
|
continue
|
2021-02-13 00:43:13 +00:00
|
|
|
if flags & DOMAIN_WWW == 0:
|
2015-11-29 14:43:12 +00:00
|
|
|
# This is a regular domain.
|
2021-02-13 00:43:13 +00:00
|
|
|
if flags & DOMAIN_WKD == DOMAIN_WKD:
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf += make_domain_config(
|
|
|
|
domain, [template0, template1, template4],
|
|
|
|
ssl_certificates, env)
|
2021-02-13 00:43:13 +00:00
|
|
|
elif flags & DOMAIN_REDIRECT == 0:
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf += make_domain_config(domain,
|
|
|
|
[template0, template1],
|
|
|
|
ssl_certificates, env)
|
2015-11-29 14:43:12 +00:00
|
|
|
else:
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf += make_domain_config(domain, [template0],
|
|
|
|
ssl_certificates, env)
|
2015-06-04 12:32:00 +00:00
|
|
|
else:
|
2015-11-29 14:43:12 +00:00
|
|
|
# Add default 'www.' redirect.
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf += make_domain_config(domain, [template0, template3],
|
|
|
|
ssl_certificates, env)
|
2014-06-20 01:16:38 +00:00
|
|
|
|
2014-07-06 12:16:50 +00:00
|
|
|
# Did the file change? If not, don't bother writing & restarting nginx.
|
|
|
|
nginx_conf_fn = "/etc/nginx/conf.d/local.conf"
|
|
|
|
if os.path.exists(nginx_conf_fn):
|
|
|
|
with open(nginx_conf_fn) as f:
|
|
|
|
if f.read() == nginx_conf:
|
|
|
|
return ""
|
|
|
|
|
2014-06-20 01:16:38 +00:00
|
|
|
# Save the file.
|
2014-07-06 12:16:50 +00:00
|
|
|
with open(nginx_conf_fn, "w") as f:
|
2014-06-20 01:16:38 +00:00
|
|
|
f.write(nginx_conf)
|
|
|
|
|
2014-08-17 22:43:57 +00:00
|
|
|
# Kick nginx. Since this might be called from the web admin
|
|
|
|
# don't do a 'restart'. That would kill the connection before
|
|
|
|
# the API returns its response. A 'reload' should be good
|
|
|
|
# enough and doesn't break any open connections.
|
|
|
|
shell('check_call', ["/usr/sbin/service", "nginx", "reload"])
|
2014-06-20 01:16:38 +00:00
|
|
|
|
2015-05-28 18:45:35 +00:00
|
|
|
return "web updated\n"
|
2014-06-20 01:16:38 +00:00
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2015-09-18 13:03:07 +00:00
|
|
|
def make_domain_config(domain, templates, ssl_certificates, env):
|
2015-06-04 11:45:08 +00:00
|
|
|
# GET SOME VARIABLES
|
2014-06-20 01:16:38 +00:00
|
|
|
|
2014-06-23 10:53:09 +00:00
|
|
|
# Where will its root directory be for static files?
|
|
|
|
root = get_web_root(domain, env)
|
2014-06-20 01:16:38 +00:00
|
|
|
|
2014-06-22 15:34:36 +00:00
|
|
|
# What private key and SSL certificate will we use for this domain?
|
2015-10-10 22:03:55 +00:00
|
|
|
tls_cert = get_domain_ssl_files(domain, ssl_certificates, env)
|
2014-06-22 15:34:36 +00:00
|
|
|
|
2015-06-04 11:45:08 +00:00
|
|
|
# ADDITIONAL DIRECTIVES.
|
2014-08-16 12:33:10 +00:00
|
|
|
|
2015-06-04 11:45:08 +00:00
|
|
|
nginx_conf_extra = ""
|
2014-07-09 12:31:32 +00:00
|
|
|
|
2014-10-10 15:49:14 +00:00
|
|
|
# Because the certificate may change, we should recognize this so we
|
|
|
|
# can trigger an nginx update.
|
|
|
|
def hashfile(filepath):
|
|
|
|
import hashlib
|
|
|
|
sha1 = hashlib.sha1()
|
|
|
|
f = open(filepath, 'rb')
|
|
|
|
try:
|
|
|
|
sha1.update(f.read())
|
|
|
|
finally:
|
|
|
|
f.close()
|
|
|
|
return sha1.hexdigest()
|
2022-02-04 23:26:24 +00:00
|
|
|
|
|
|
|
nginx_conf_extra += "\t# ssl files sha1: %s / %s\n" % (hashfile(
|
|
|
|
tls_cert["private-key"]), hashfile(tls_cert["certificate"]))
|
2014-10-10 15:49:14 +00:00
|
|
|
|
2014-08-24 21:34:15 +00:00
|
|
|
# Add in any user customizations in YAML format.
|
2015-09-08 21:20:13 +00:00
|
|
|
hsts = "yes"
|
2014-07-09 12:31:32 +00:00
|
|
|
nginx_conf_custom_fn = os.path.join(env["STORAGE_ROOT"], "www/custom.yaml")
|
|
|
|
if os.path.exists(nginx_conf_custom_fn):
|
|
|
|
yaml = rtyaml.load(open(nginx_conf_custom_fn))
|
|
|
|
if domain in yaml:
|
|
|
|
yaml = yaml[domain]
|
2015-09-08 21:20:13 +00:00
|
|
|
|
|
|
|
# any proxy or redirect here?
|
2014-08-16 17:43:55 +00:00
|
|
|
for path, url in yaml.get("proxies", {}).items():
|
2020-06-07 13:45:04 +00:00
|
|
|
# Parse some flags in the fragment of the URL.
|
|
|
|
pass_http_host_header = False
|
2021-06-27 21:24:26 +00:00
|
|
|
proxy_redirect_off = False
|
|
|
|
frame_options_header_sameorigin = False
|
2020-06-07 13:45:04 +00:00
|
|
|
m = re.search("#(.*)$", url)
|
|
|
|
if m:
|
|
|
|
for flag in m.group(1).split(","):
|
|
|
|
if flag == "pass-http-host":
|
|
|
|
pass_http_host_header = True
|
2021-06-27 21:24:26 +00:00
|
|
|
elif flag == "no-proxy-redirect":
|
|
|
|
proxy_redirect_off = True
|
|
|
|
elif flag == "frame-options-sameorigin":
|
|
|
|
frame_options_header_sameorigin = True
|
2020-06-07 13:45:04 +00:00
|
|
|
url = re.sub("#(.*)$", "", url)
|
|
|
|
|
2018-02-24 12:54:32 +00:00
|
|
|
nginx_conf_extra += "\tlocation %s {" % path
|
|
|
|
nginx_conf_extra += "\n\t\tproxy_pass %s;" % url
|
2021-06-27 21:24:26 +00:00
|
|
|
if proxy_redirect_off:
|
|
|
|
nginx_conf_extra += "\n\t\tproxy_redirect off;"
|
2020-06-07 13:45:04 +00:00
|
|
|
if pass_http_host_header:
|
|
|
|
nginx_conf_extra += "\n\t\tproxy_set_header Host $http_host;"
|
2021-06-27 21:24:26 +00:00
|
|
|
if frame_options_header_sameorigin:
|
|
|
|
nginx_conf_extra += "\n\t\tproxy_set_header X-Frame-Options SAMEORIGIN;"
|
2018-02-24 12:54:32 +00:00
|
|
|
nginx_conf_extra += "\n\t\tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
|
2020-06-07 13:45:04 +00:00
|
|
|
nginx_conf_extra += "\n\t\tproxy_set_header X-Forwarded-Host $http_host;"
|
|
|
|
nginx_conf_extra += "\n\t\tproxy_set_header X-Forwarded-Proto $scheme;"
|
|
|
|
nginx_conf_extra += "\n\t\tproxy_set_header X-Real-IP $remote_addr;"
|
2018-02-24 12:54:32 +00:00
|
|
|
nginx_conf_extra += "\n\t}\n"
|
2020-04-11 18:17:46 +00:00
|
|
|
for path, alias in yaml.get("aliases", {}).items():
|
|
|
|
nginx_conf_extra += "\tlocation %s {" % path
|
|
|
|
nginx_conf_extra += "\n\t\talias %s;" % alias
|
|
|
|
nginx_conf_extra += "\n\t}\n"
|
2014-12-05 16:57:26 +00:00
|
|
|
for path, url in yaml.get("redirects", {}).items():
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf_extra += "\trewrite %s %s permanent;\n" % (path,
|
|
|
|
url)
|
2014-07-09 12:31:32 +00:00
|
|
|
|
2015-09-08 21:20:13 +00:00
|
|
|
# override the HSTS directive type
|
|
|
|
hsts = yaml.get("hsts", hsts)
|
|
|
|
|
|
|
|
# Add the HSTS header.
|
|
|
|
if hsts == "yes":
|
2020-09-27 11:13:33 +00:00
|
|
|
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=15768000\" always;\n"
|
2015-09-08 21:20:13 +00:00
|
|
|
elif hsts == "preload":
|
2020-09-27 11:13:33 +00:00
|
|
|
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=15768000; includeSubDomains; preload\" always;\n"
|
2015-09-08 21:20:13 +00:00
|
|
|
|
2014-08-26 16:16:20 +00:00
|
|
|
# Add in any user customizations in the includes/ folder.
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf_custom_include = os.path.join(
|
|
|
|
env["STORAGE_ROOT"], "www",
|
|
|
|
safe_domain_name(domain) + ".conf")
|
2020-09-27 01:01:17 +00:00
|
|
|
if not os.path.exists(nginx_conf_custom_include):
|
|
|
|
with open(nginx_conf_custom_include, "a+") as f:
|
|
|
|
f.writelines([
|
2020-09-27 01:17:49 +00:00
|
|
|
f"# Custom configurations for {domain} go here\n",
|
|
|
|
"# To use php: use the \"php-fpm\" alias\n\n",
|
|
|
|
"index index.html index.htm;\n"
|
2020-09-27 01:01:17 +00:00
|
|
|
])
|
2021-02-11 23:19:35 +00:00
|
|
|
|
2020-09-27 01:01:17 +00:00
|
|
|
nginx_conf_extra += "\tinclude %s;\n" % (nginx_conf_custom_include)
|
|
|
|
|
2015-06-04 11:45:08 +00:00
|
|
|
# PUT IT ALL TOGETHER
|
|
|
|
|
|
|
|
# Combine the pieces. Iteratively place each template into the "# ADDITIONAL DIRECTIVES HERE" placeholder
|
|
|
|
# of the previous template.
|
|
|
|
nginx_conf = "# ADDITIONAL DIRECTIVES HERE\n"
|
|
|
|
for t in templates + [nginx_conf_extra]:
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf = re.sub("[ \t]*# ADDITIONAL DIRECTIVES HERE *\n", t,
|
|
|
|
nginx_conf)
|
2014-08-24 21:34:15 +00:00
|
|
|
|
2015-06-04 11:45:08 +00:00
|
|
|
# Replace substitution strings in the template & return.
|
|
|
|
nginx_conf = nginx_conf.replace("$STORAGE_ROOT", env['STORAGE_ROOT'])
|
|
|
|
nginx_conf = nginx_conf.replace("$HOSTNAME", domain)
|
2020-09-27 01:17:49 +00:00
|
|
|
nginx_conf = nginx_conf.replace("$ROOT", root)
|
2015-10-10 22:03:55 +00:00
|
|
|
nginx_conf = nginx_conf.replace("$SSL_KEY", tls_cert["private-key"])
|
2022-02-04 23:26:24 +00:00
|
|
|
nginx_conf = nginx_conf.replace("$SSL_CERTIFICATE",
|
|
|
|
tls_cert["certificate"])
|
|
|
|
nginx_conf = nginx_conf.replace(
|
|
|
|
"$REDIRECT_DOMAIN",
|
|
|
|
re.sub(r"^www\.", "",
|
|
|
|
domain)) # for default www redirects to parent domain
|
2014-07-09 12:31:32 +00:00
|
|
|
|
2014-06-22 15:34:36 +00:00
|
|
|
return nginx_conf
|
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2014-10-07 16:05:38 +00:00
|
|
|
def get_web_root(domain, env, test_exists=True):
|
2014-06-23 10:53:09 +00:00
|
|
|
# Try STORAGE_ROOT/web/domain_name if it exists, but fall back to STORAGE_ROOT/web/default.
|
|
|
|
for test_domain in (domain, 'default'):
|
2022-02-04 23:26:24 +00:00
|
|
|
root = os.path.join(env["STORAGE_ROOT"], "www",
|
|
|
|
safe_domain_name(test_domain))
|
|
|
|
if os.path.exists(root) or not test_exists:
|
|
|
|
break
|
2014-06-23 10:53:09 +00:00
|
|
|
return root
|
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2020-04-24 16:03:13 +00:00
|
|
|
def is_default_web_root(domain, env):
|
|
|
|
root = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain))
|
|
|
|
return not os.path.exists(root)
|
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
|
2014-10-07 16:05:38 +00:00
|
|
|
def get_web_domains_info(env):
|
2022-02-04 23:26:24 +00:00
|
|
|
www_redirects = set(get_web_domains(env)) - \
|
|
|
|
set(get_web_domains(env, include_www_redirects=False))
|
2015-11-29 14:43:12 +00:00
|
|
|
has_root_proxy_or_redirect = set(get_web_domains_with_root_overrides(env))
|
2015-10-10 22:03:55 +00:00
|
|
|
ssl_certificates = get_ssl_certificates(env)
|
2015-02-05 13:55:57 +00:00
|
|
|
|
|
|
|
# for the SSL config panel, get cert status
|
2014-10-10 15:49:14 +00:00
|
|
|
def check_cert(domain):
|
2018-05-13 00:02:25 +00:00
|
|
|
try:
|
2022-02-04 23:26:24 +00:00
|
|
|
tls_cert = get_domain_ssl_files(domain,
|
|
|
|
ssl_certificates,
|
|
|
|
env,
|
|
|
|
allow_missing_cert=True)
|
|
|
|
except OSError: # PRIMARY_HOSTNAME cert is missing
|
2018-05-13 00:02:25 +00:00
|
|
|
tls_cert = None
|
2022-02-04 23:26:24 +00:00
|
|
|
if tls_cert is None:
|
|
|
|
return ("danger", "No certificate installed.")
|
|
|
|
cert_status, cert_status_details = check_certificate(
|
|
|
|
domain, tls_cert["certificate"], tls_cert["private-key"])
|
2014-10-10 15:49:14 +00:00
|
|
|
if cert_status == "OK":
|
2015-10-10 22:03:55 +00:00
|
|
|
return ("success", "Signed & valid. " + cert_status_details)
|
2014-10-10 15:49:14 +00:00
|
|
|
elif cert_status == "SELF-SIGNED":
|
2022-02-04 23:26:24 +00:00
|
|
|
return ("warning",
|
|
|
|
"Self-signed. Get a signed certificate to stop warnings.")
|
2014-10-10 15:49:14 +00:00
|
|
|
else:
|
|
|
|
return ("danger", "Certificate has a problem: " + cert_status)
|
|
|
|
|
2022-02-04 23:26:24 +00:00
|
|
|
return [{
|
|
|
|
"domain":
|
|
|
|
domain,
|
|
|
|
"root":
|
|
|
|
get_web_root(domain, env),
|
|
|
|
"custom_root":
|
|
|
|
get_web_root(domain, env, test_exists=False),
|
|
|
|
"ssl_certificate":
|
|
|
|
check_cert(domain),
|
|
|
|
"static_enabled":
|
|
|
|
domain not in (www_redirects | has_root_proxy_or_redirect),
|
|
|
|
} for domain in get_web_domains(env)]
|