certificates work

Jamie Curnow · jc21 · commit 3a9fc8e2eaf6 · 2018-08-17T13:52:47.000+10:00
diff --git a/rootfs/etc/nginx/nginx.conf b/rootfs/etc/nginx/nginx.conf
@@ -54,6 +54,7 @@ http {
   include /data/nginx/proxy_host/*.conf;
   include /data/nginx/redirection_host/*.conf;
   include /data/nginx/dead_host/*.conf;
+  include /data/nginx/temp/*.conf;
 }
 
 stream {
diff --git a/rootfs/etc/services.d/nginx/run b/rootfs/etc/services.d/nginx/run
@@ -3,7 +3,7 @@
 mkdir -p /tmp/nginx/body \
   /var/log/nginx \
   /data/{nginx,logs,access} \
-  /data/nginx/{proxy_host,redirection_host,stream,dead_host} \
+  /data/nginx/{proxy_host,redirection_host,stream,dead_host,temp} \
   /var/lib/nginx/cache/{public,private}
 
 touch /var/log/nginx/error.log && chmod 777 /var/log/nginx/error.log
diff --git a/src/backend/internal/certificate.js b/src/backend/internal/certificate.js
diff --git a/src/backend/internal/host.js b/src/backend/internal/host.js
@@ -6,6 +6,57 @@ const deadHostModel        = require('../models/dead_host');
 
 const internalHost = {
 
+    /**
+     * This returns all the host types with any domain listed in the provided domain_names array.
+     * This is used by the certificates to temporarily disable any host that is using the domain
+     *
+     * @param   {Array}  domain_names
+     * @returns {Promise}
+     */
+    getHostsWithDomains: function (domain_names) {
+        let promises = [
+            proxyHostModel
+                .query()
+                .where('is_deleted', 0),
+            redirectionHostModel
+                .query()
+                .where('is_deleted', 0),
+            deadHostModel
+                .query()
+                .where('is_deleted', 0)
+        ];
+
+        return Promise.all(promises)
+            .then(promises_results => {
+                let response_object = {
+                    total_count:       0,
+                    dead_hosts:        [],
+                    proxy_hosts:       [],
+                    redirection_hosts: []
+                };
+
+                if (promises_results[0]) {
+                    // Proxy Hosts
+                    response_object.proxy_hosts = internalHost._getHostsWithDomains(promises_results[0], domain_names);
+                    response_object.total_count += response_object.proxy_hosts.length;
+                }
+
+                if (promises_results[1]) {
+                    // Redirection Hosts
+                    response_object.redirection_hosts = internalHost._getHostsWithDomains(promises_results[1], domain_names);
+                    response_object.total_count += response_object.redirection_hosts.length;
+                }
+
+                if (promises_results[1]) {
+                    // Dead Hosts
+                    response_object.dead_hosts = internalHost._getHostsWithDomains(promises_results[2], domain_names);
+                    response_object.total_count += response_object.dead_hosts.length;
+                }
+
+                return response_object;
+            });
+    },
+
     /**
      * Internal use only, checks to see if the domain is already taken by any other record
      *
@@ -87,6 +138,37 @@ const internalHost = {
         }
 
         return is_taken;
+    },
+
+    /**
+     * Private call only
+     *
+     * @param   {Array}   hosts
+     * @param   {Array}   domain_names
+     * @returns {Array}
+     */
+    _getHostsWithDomains: function (hosts, domain_names) {
+        let response = [];
+
+        if (hosts && hosts.length) {
+            hosts.map(function (host) {
+                let host_matches = false;
+
+                domain_names.map(function (domain_name) {
+                    host.domain_names.map(function (host_domain_name) {
+                        if (domain_name.toLowerCase() === host_domain_name.toLowerCase()) {
+                            host_matches = true;
+                        }
+                    });
+                });
+
+                if (host_matches) {
+                    response.push(host);
+                }
+            });
+        }
+
+        return response;
     }
 
 };
diff --git a/src/backend/internal/nginx.js b/src/backend/internal/nginx.js
@@ -1,13 +1,12 @@
 'use strict';
 
-const _                   = require('lodash');
-const fs                  = require('fs');
-const Liquid              = require('liquidjs');
-const logger              = require('../logger').nginx;
-const utils               = require('../lib/utils');
-const error               = require('../lib/error');
-const internalCertificate = require('./certificate');
-const debug_mode          = process.env.NODE_ENV !== 'production';
+const _          = require('lodash');
+const fs         = require('fs');
+const Liquid     = require('liquidjs');
+const logger     = require('../logger').nginx;
+const utils      = require('../lib/utils');
+const error      = require('../lib/error');
+const debug_mode = process.env.NODE_ENV !== 'production';
 
 const internalNginx = {
 
@@ -120,7 +119,7 @@ const internalNginx = {
         }
 
         let renderEngine = Liquid({
-            root: __dirname + '/../templates/',
+            root: __dirname + '/../templates/'
         });
 
         return new Promise((resolve, reject) => {
@@ -154,6 +153,85 @@ const internalNginx = {
         });
     },
 
+    /**
+     * This generates a temporary nginx config listening on port 80 for the domain names listed
+     * in the certificate setup. It allows the letsencrypt acme challenge to be requested by letsencrypt
+     * when requesting a certificate without having a hostname set up already.
+     *
+     * @param   {Object}  certificate
+     * @returns {Promise}
+     */
+    generateLetsEncryptRequestConfig: certificate => {
+        if (debug_mode) {
+            logger.info('Generating LetsEncrypt Request Config:', certificate);
+        }
+
+        let renderEngine = Liquid({
+            root: __dirname + '/../templates/'
+        });
+
+        return new Promise((resolve, reject) => {
+            let template = null;
+            let filename = '/data/nginx/temp/letsencrypt_' + certificate.id + '.conf';
+            try {
+                template = fs.readFileSync(__dirname + '/../templates/letsencrypt-request.conf', {encoding: 'utf8'});
+            } catch (err) {
+                reject(new error.ConfigurationError(err.message));
+                return;
+            }
+
+            renderEngine
+                .parseAndRender(template, certificate)
+                .then(config_text => {
+                    fs.writeFileSync(filename, config_text, {encoding: 'utf8'});
+
+                    if (debug_mode) {
+                        logger.success('Wrote config:', filename, config_text);
+                    }
+
+                    resolve(true);
+                })
+                .catch(err => {
+                    if (debug_mode) {
+                        logger.warn('Could not write ' + filename + ':', err.message);
+                    }
+
+                    reject(new error.ConfigurationError(err.message));
+                });
+        });
+    },
+
+    /**
+     * This removes the temporary nginx config file generated by `generateLetsEncryptRequestConfig`
+     *
+     * @param   {Object}  certificate
+     * @param   {Boolean} [throw_errors]
+     * @returns {Promise}
+     */
+    deleteLetsEncryptRequestConfig: (certificate, throw_errors) => {
+        return new Promise((resolve, reject) => {
+            try {
+                let config_file = '/data/nginx/temp/letsencrypt_' + certificate.id + '.conf';
+
+                if (debug_mode) {
+                    logger.warn('Deleting nginx config: ' + config_file);
+                }
+
+                fs.unlinkSync(config_file);
+            } catch (err) {
+                if (debug_mode) {
+                    logger.warn('Could not delete config:', err.message);
+                }
+
+                if (throw_errors) {
+                    reject(err);
+                }
+            }
+
+            resolve();
+        });
+    },
+
     /**
      * @param   {String}  host_type
      * @param   {Object}  host
@@ -184,6 +262,35 @@ const internalNginx = {
 
             resolve();
         });
+    },
+
+    /**
+     * @param   {String}  host_type
+     * @param   {Array}   hosts
+     * @returns {Promise}
+     */
+    bulkGenerateConfigs: (host_type, hosts) => {
+        let promises = [];
+        hosts.map(function (host) {
+            promises.push(internalNginx.generateConfig(host_type, host));
+        });
+
+        return Promise.all(promises);
+    },
+
+    /**
+     * @param   {String}  host_type
+     * @param   {Array}   hosts
+     * @param   {Boolean} [throw_errors]
+     * @returns {Promise}
+     */
+    bulkDeleteConfigs: (host_type, hosts, throw_errors) => {
+        let promises = [];
+        hosts.map(function (host) {
+            promises.push(internalNginx.deleteConfig(host_type, host, throw_errors));
+        });
+
+        return Promise.all(promises);
     }
 };
 
diff --git a/src/backend/templates/_assets.conf b/src/backend/templates/_assets.conf
@@ -1,4 +1,4 @@
 {% if caching_enabled == 1 or caching_enabled == true -%}
   # Asset Caching
   include conf.d/include/assets.conf;
-{%- endif %}
+{% endif %}
diff --git a/src/backend/templates/_certificates.conf b/src/backend/templates/_certificates.conf
@@ -1,12 +1,10 @@
-{%- if certificate and certificate_id > 0 -%}
-{%- if certificate.provider == "letsencrypt" %}
+{% if certificate and certificate_id > 0 -%}
+{% if certificate.provider == "letsencrypt" %}
   # Let's Encrypt SSL
   include conf.d/include/letsencrypt-acme-challenge.conf;
   include conf.d/include/ssl-ciphers.conf;
-  ssl_certificate /etc/letsencrypt/live/npm-{{ certificate.id }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate.id }}/privkey.pem;
-{%- endif -%}
-
+  ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
+{% endif %}
   # TODO: Custom SSL paths
-
-{%- endif %}
+{% endif %}
diff --git a/src/backend/templates/_exploits.conf b/src/backend/templates/_exploits.conf
@@ -1,4 +1,4 @@
-{% if block_exploits == 1 or block_exploits == true -%}
+{% if block_exploits == 1 or block_exploits == true %}
   # Block Exploits
   include conf.d/include/block-exploits.conf;
-{%- endif -%}
+{% endif %}
diff --git a/src/backend/templates/_forced_ssl.conf b/src/backend/templates/_forced_ssl.conf
@@ -1,6 +1,6 @@
-{%- if certificate and certificate_id > 0 -%}
-{%- if ssl_forced == 1 or ssl_forced == true -%}
+{% if certificate and certificate_id > 0 -%}
+{% if ssl_forced == 1 or ssl_forced == true %}
     # Force SSL
     include conf.d/include/force-ssl.conf;
-{%- endif -%}
-{%- endif %}
+{% endif %}
+{% endif %}
diff --git a/src/backend/templates/_header_comment.conf b/src/backend/templates/_header_comment.conf
@@ -1,3 +1,3 @@
 # ------------------------------------------------------------
 # {{ domain_names | join: ", " }}
-# ------------------------------------------------------------
+# ------------------------------------------------------------
diff --git a/src/backend/templates/_listen.conf b/src/backend/templates/_listen.conf
@@ -1,5 +1,5 @@
   listen 80;
-{%- if certificate -%}
+{% if certificate -%}
   listen 443 ssl;
-{%- endif %}
-  server_name {{ domain_names | join: " " }};
+{% endif %}
+  server_name {{ domain_names | join: " " }};
diff --git a/src/backend/templates/letsencrypt-request.conf b/src/backend/templates/letsencrypt-request.conf
@@ -0,0 +1,14 @@
+{% include "_header_comment.conf" %}
+
+server {
+  listen 80;
+  server_name {{ domain_names | join: " " }};
+
+  access_log /data/logs/letsencrypt-requests.log proxy;
+
+  include conf.d/include/letsencrypt-acme-challenge.conf;
+
+  location / {
+    return 404;
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ http {`
`54`	`54`	`include /data/nginx/proxy_host/*.conf;`
`55`	`55`	`include /data/nginx/redirection_host/*.conf;`
`56`	`56`	`include /data/nginx/dead_host/*.conf;`
	`57`	`+ include /data/nginx/temp/*.conf;`
`57`	`58`	`}`
`58`	`59`
`59`	`60`	`stream {`